This week, international cybersecurity authorities issued a Cybersecurity Advisory (CSA) for malicious activity detected from Volt Typhoon, a People’s Republic of China (PRC) state-sponsored cyber actor that impacts networks across U.S. critical infrastructure sectors.
The actors use techniques known as “Living off the Land” to avoid endpoint detection and response (EDR) by blending malicious commands in with normal administration activity so that they appear benign. The detected attacks used system resources that do not log events in Windows by default, and the actors cleared logs for resources that do, with the intention of exfiltrating the Active Directory database file “ntds.dit.” Once access is gained, a variety of password-cracking techniques can be used to compromise accounts, escalate privileges, and compromise the environment. The use of Windows administration commands by the actors makes detection of their actions difficult and forces defenders to search through many benign commands that are “white noise.”
SIEM logging solutions help identify indications of compromise. Logs cleared by the actors will still be retained if they are immediately exported to a central logging system. For this solution to detect the attacks, logging for the Windows resource “ntdsutil.exe” should be enabled; in addition, “audit process creation” and “include command line in process creation events” should be enabled. Network perimeter devices, such as firewalls or other edge devices, are used in these attacks and should have external administration access limited to trusted hosts only. Firewall logs can also be reviewed for changes and exported to the central logging system if configured.
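As an added illustration of the detection approach above (not code from the advisory or from Innovative Computing Systems), the following Python runs over a constructed set of simplified Windows events: process creation (Event ID 4688, which only carries a command line when the "include command line" setting is on) and log-cleared events (1102 for the Security log, 104 for the System log). It flags ntdsutil.exe and wevtutil.exe executions for triage, reports log clearing, correlates both on the same host, and reports hosts whose 4688 events arrive without a command line, which means the audit setting is missing there. The event shape and sample values are assumptions, not real telemetry.

```python
import ntpath

# Constructed sample events in a simplified JSON-like shape (not real telemetry).
# 4688 = process creation; 1102 = Security log cleared; 104 = System log cleared.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\x\" q q"},
    {"EventID": 4688, "Computer": "WS07", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 1102, "Computer": "DC01", "SubjectUserName": "svc_backup"},
    # 4688 without CommandLine: "include command line" is not enabled on this host.
    {"EventID": 4688, "Computer": "FS02", "SubjectUserName": "bob",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
]

WATCHED_BINARIES = {"ntdsutil.exe", "wevtutil.exe"}   # LOLBins worth triaging every time
LOG_CLEARED_IDS = {1102: "Security log cleared", 104: "System log cleared"}

def classify(event):
    """Return a finding string for one event, or None if it is not of interest."""
    eid = event.get("EventID")
    host, user = event.get("Computer"), event.get("SubjectUserName")
    if eid in LOG_CLEARED_IDS:
        return f"{LOG_CLEARED_IDS[eid]} on {host} by {user}"
    if eid == 4688:
        exe = ntpath.basename(event.get("NewProcessName", "")).lower()
        if exe in WATCHED_BINARIES:
            return f"{exe} run on {host} by {user}: {event.get('CommandLine', '<no cmdline>')}"
    return None

def hunt(events):
    """All per-event findings, in arrival order."""
    return [f for f in (classify(e) for e in events) if f]

def correlate(events):
    """Hosts that both ran ntdsutil.exe and had a log cleared: escalate these first."""
    ran_ntdsutil = {e["Computer"] for e in events if e.get("EventID") == 4688
                    and ntpath.basename(e.get("NewProcessName", "")).lower() == "ntdsutil.exe"}
    cleared = {e["Computer"] for e in events if e.get("EventID") in LOG_CLEARED_IDS}
    return sorted(ran_ntdsutil & cleared)

def coverage_gaps(events):
    """Hosts emitting 4688 without a CommandLine field (audit setting not enabled)."""
    return sorted({e["Computer"] for e in events
                   if e.get("EventID") == 4688 and "CommandLine" not in e})

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print("FINDING:", line)
    print("ESCALATE:", correlate(SAMPLE_EVENTS))
    print("NO CMDLINE AUDIT:", coverage_gaps(SAMPLE_EVENTS))
```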
While there is no current evidence that the actor has targeted specific organizations or sectors, there is a threat of these attacks being used against other sectors. Innovative Computing Systems encourages all to be vigilant, keep up to date on new cyber incidents, and maintain ongoing awareness for their own protection and the protection of others. For a complete list of mitigations and indicators of compromise (IoCs), please reference the CSA released by the cybersecurity authorities on the CISA website.