Volt Typhoon

“Volt Typhoon” (also tracked as BRONZE SILHOUETTE) is a People’s Republic of China (PRC) state-sponsored cyber group focused on positioning itself inside the computer networks of critical infrastructure so that it can carry out destructive or disruptive cyber activity against the country whenever the PRC chooses. The most important thing to know about Volt Typhoon is that its hacking techniques have permitted undetected intrusion. The PRC is interested in critical infrastructure whose disruption would affect our way of life, so it focuses not only on the financial sector but also on the communications and power sectors, upon which other sectors depend.

The group’s infiltration was discovered in 2023, but it dates to at least 2021. The United States and international cybersecurity authorities issued a joint Cybersecurity Advisory (CSA) on May 24, 2023 to highlight a recently discovered cluster of activity of interest associated with a PRC state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide. The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached “end of life” status; that is, they were no longer supported by their manufacturers’ security patches or other software updates.

This advisory from the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) (hereafter referred to as the “authoring agencies”) provides an overview of hunting guidance and associated best practices to detect this activity.

One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to achieve its objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activity, to avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and to limit the amount of activity captured in default logging configurations.

Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor’s commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise.

According to the heads of the top federal agencies with responsibility for monitoring cyber threats against the U.S., a hacking technique known as “Living Off the Land” is being used to compromise critical networks by permitting undetected intrusions into critical systems. In this technique, hackers use privileged access credentials and pre-position themselves in networks until they are ready to attack. The widespread shift to “Living Off the Land” means both industry and regulators need to reassess their approaches to address IT security, particularly privileged access management.

The actor has leveraged compromised small office/home office (SOHO) network devices as intermediate infrastructure to obscure their activity by having much of the command and control (C2) traffic emanate from local ISPs in the geographic area of the victim. Owners of SOHO devices should ensure that network management interfaces are not exposed to the Internet to avoid them being re-purposed as redirectors by malicious actors. If they must be exposed to the Internet, device owners and operators should ensure they follow zero trust principles and maintain the highest level of authentication and access controls possible.

The actor has used Earthworm and a custom Fast Reverse Proxy (FRP) client with hardcoded C2 callbacks [T1090] to ports 8080, 8443, 8043, 8000, and 10443 with various filenames including, but not limited to: cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe.

The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive from Windows domain controllers (DCs) out of the network to perform password cracking [T1003.003]. (The ntds.dit file is the main Active Directory (AD) database file and, by default, is stored at %SystemRoot%\NTDS\ntds.dit. This file contains information about users, groups, group memberships, and password hashes for all users in the domain; the SYSTEM registry hive contains the boot key that is used to encrypt information in the ntds.dit file.) Although the ntds.dit file is locked while in use by AD, a copy can be made by creating a Volume Shadow Copy and extracting the ntds.dit file from the Shadow Copy. The SYSTEM registry hive may also be obtained from the Shadow Copy.

There are several ways to execute Ntdsutil.exe, including running it from an elevated command prompt (cmd.exe), via WMI/WMIC, or from PowerShell. Defenders should look for the execution of Ntdsutil.exe commands using the long notation, the short notation, or a combination of the two. For example, the long notation command activate instance ntds ifm can also be executed using the short notation ac i ntds i.

The actor has also saved the files directly to the C:\Windows\Temp and C:\Users\Public directories, so the entirety of those directory structures should be analyzed. Ntdsutil.exe creates two subfolders in the directory specified in the command: an Active Directory folder that contains the ntds.dit and ntds.jfm files, and a registry folder that contains the SYSTEM and SECURITY hives.
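As an added illustration (not code from the advisory or from this page), the following Python detector normalizes the long and short ntdsutil notation described above and flags IFM dumps written to the staging directories the text names; the sample process-creation records are constructed.

```python
import re
from typing import Optional

# ntdsutil accepts any prefix of a keyword ("ac i ntds i" == "activate instance ntds ifm",
# "cr fu" == "create full"), so matching only the long form misses short and mixed notation.
IFM_SEQUENCE = ("activate", "instance", "ntds", "ifm", "create", "full")
SUSPECT_DIRS = (r"c:\windows\temp", r"c:\users\public")  # staging dirs named in the advisory

def _abbrev(token, keyword):
    """True if token is a non-empty, case-insensitive prefix of keyword."""
    return bool(token) and keyword.startswith(token.lower())

def _groups(cmdline):
    """Split a command line into quoted/unquoted groups, each a list of words."""
    return [(q or u).split() for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def analyze_ntdsutil(cmdline: str) -> Optional[dict]:
    """None unless cmdline is an ntdsutil IFM dump; otherwise the output directory
    (if one was given) and whether it lies in a known staging directory."""
    groups = _groups(cmdline)
    exe = " ".join(groups[0]).lower().rsplit("\\", 1)[-1] if groups else ""
    if not exe.startswith("ntdsutil"):
        return None
    words = [(w, gi) for gi, g in enumerate(groups) if gi > 0 for w in g]
    stage, output_dir = 0, None
    for k, (word, gi) in enumerate(words):
        if stage < len(IFM_SEQUENCE) and _abbrev(word, IFM_SEQUENCE[stage]):
            stage += 1
            if stage == len(IFM_SEQUENCE):
                # Path: rest of the same quoted group ("create full C:\x"), or the
                # whole next group when "full" and the path were passed unquoted.
                same = [w for w, g in words[k + 1:] if g == gi]
                nxt = [w for w, g in words[k + 1:] if g == words[k + 1][1]]
                output_dir = " ".join(same or nxt) or None
                break
    if stage < 4:  # "activate instance ntds ifm" alone is worth flagging
        return None
    staged = output_dir is not None and output_dir.lower().startswith(SUSPECT_DIRS)
    return {"output_dir": output_dir, "staged_in_suspect_dir": staged}

def hunt(process_log):
    """Run analyze_ntdsutil over (host, cmdline) records and return the hits."""
    return [(h, c, r) for h, c in process_log if (r := analyze_ntdsutil(c))]

SAMPLE_LOG = [  # constructed sample process-creation records, not real telemetry
    ("dc01", r'C:\Windows\System32\ntdsutil.exe "activate instance ntds" "ifm" "create full C:\Windows\Temp\pro" quit quit'),
    ("dc01", r'ntdsutil "ac i ntds" "i" "cr fu C:\Users\Public\tmp" q q'),
    ("dc02", r'ntdsutil ac i ntds i cr fu D:\backup\ifm q q'),
    ("dc02", r'ntdsutil "ac i ntds" "files info" q q'),
]
```

Because `_abbrev` accepts any prefix, a benign single-letter token can match a keyword; treat hits as a hunting lead to be confirmed against the directory contents the advisory describes, not as a verdict.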

If an actor can exfiltrate the ntds.dit file and the SYSTEM registry hive, the entire domain should be considered compromised, as the actor will generally be able to crack the password hashes for domain user accounts, create their own accounts, and/or join unauthorized systems to the domain. If this occurs, defenders should follow guidance for removing malicious actors from victim networks, such as CISA's Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended four primary actions to mitigate Volt Typhoon activity, which can best be summarized as focusing on the fundamentals – patching, Multi-Factor Authentication (MFA), logging, and “End of Life” management. These are well-known controls that have been employed for years. However, the PRC is using weaknesses in implementation of these controls to gain access. For example, even though all bankers log network activity, the PRC is exploiting the short log retention periods and lack of logging of routine administrative activity. Chief Information Security Officers (CISOs) need to take a deeper look at not just logging activity but all aspects of privileged access management. Bankers should address these vulnerabilities immediately rather than waiting for an IT examination.

To help protect the industry against the rapidly moving exploitation by the PRC and similar criminal activity from other bad actors, the DFPI and other state regulators are evaluating options to help ensure that CISA’s recommendations are being implemented effectively.

As these recommendations will involve restricting compromises of privileged access, we must look beyond on-site users. We must look at how all these credentials are managed, especially access given to third parties such as Managed Service Providers (MSPs). MSPs often require full access and control of your network. So, an enhanced look at vendor management is needed.

Cyber threats evolve at internet speed, while IT examination cycles are based on a frequency developed long before the internet existed. The current threat is not theoretical. It is both real and urgent; therefore, financial institutions and regulators need to work together now to protect the financial sector. A December 2023 court-authorized operation disrupted a botnet of hundreds of U.S.-based small office/home office (SOHO) routers hijacked by People’s Republic of China (PRC) state-sponsored hackers. The hackers, known to the private sector as “Volt Typhoon,” used privately owned SOHO routers infected with the “KV Botnet” malware to conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims.

As described in court documents, the government extensively tested the operation on the relevant Cisco and NetGear routers. The operation did not impact the legitimate functions of, or collect content information from, hacked routers. Additionally, the court-authorized steps to disconnect the routers from the KV Botnet and prevent reinfection are temporary in nature. A router’s owner can reverse these mitigation steps by restarting the router. However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection.

The FBI is providing notice of the court-authorized operation to all owners or operators of SOHO routers that were infected with the KV Botnet malware and remotely accessed pursuant to the operation. For those victims whose contact information was not publicly available, the FBI has contacted providers (such as a victim’s internet service provider) and has asked those providers to provide notice to the victims.
