Volt Typhoon attacks attributed to China
Five Eyes cyber security agencies have gone public with technical details of the attacks used by the Volt Typhoon cyber actor, and have attributed its activities to the Chinese government.
The United States National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI), issued the advisory jointly with cyber security agencies from Australia, Cabnada, New Zealand and the UK.
Microsoft has separately outlined a recent Volt Typhoon attack on communications infrastructure in Guam, and in a separate publication said the group has been active since 2021.
The security agencies published a [detailed technical paper [pdf] on Volt Typhoon, which states that the attackers rely as much as possible on built-in Windows utility, an attack technique dubbed “living off the land”.
Using tools like tools wmic, ntdsutil, netsh, and PowerShell “allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations,” the technical paper stated.
Volt Typhoon uses compromised SOHO [small office/home office] routers as intermediate infrastructure, which allows them to maintain their command and control traffic emanate from local ISPs.
“The actor has used Earthworm and a custom Fast Reverse Proxy (FRP) client with hardcoded C2 callbacks [T1090] to ports 8080, 8443, 8043, 8000, and 10443 with various filenames including, but not limited to: cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe,” the paper stated.
In a statement announcing the publication, the NSA said that defenders “should also monitor logs for Event ID 1102, which is generated when the audit log is cleared.”
The attackers are known to exploit CVE-2021-40539 and CVE-2021-27860.
CVE-2021-40539 is an authentication bypass in Zoho’s ManageEngine, and was exploited last year to breach the International Red Cross.
CVE-2021-27860 is a vulnerability in the web management interface in FatPipe software.