Volt Typhoon attacks attributed to China

By

Five Eyes cyber agencies point the finger.

Five Eyes cyber security agencies have gone public with technical details of the attacks used by the Volt Typhoon cyber actor, and have attributed its activities to the Chinese government.

Volt Typhoon attacks attributed to China

The United States National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI), issued the advisory jointly with cyber security agencies from Australia, Cabnada, New Zealand and the UK.

Microsoft has separately outlined a recent Volt Typhoon attack on communications infrastructure in Guam, and in a separate publication said the group has been active since 2021.

The security agencies published a [detailed technical paper [pdf] on Volt Typhoon, which states that the attackers rely as much as possible on built-in Windows utility, an attack technique dubbed “living off the land”.

Using tools like tools wmic, ntdsutil, netsh, and PowerShell “allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations," the technical paper stated.

Volt Typhoon uses compromised SOHO [small office/home office] routers as intermediate infrastructure, which allows them to maintain their command and control traffic emanate from local ISPs.

“The actor has used Earthworm and a custom Fast Reverse Proxy (FRP) client with hardcoded C2 callbacks [T1090] to ports 8080, 8443, 8043, 8000, and 10443 with various filenames including, but not limited to: cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe," the paper stated.

In a statement announcing the publication, the NSA said that defenders "should also monitor logs for Event ID 1102, which is generated when the audit log is cleared."

The attackers are known to exploit CVE-2021-40539 and CVE-2021-27860.

CVE-2021-40539 is an authentication bypass in Zoho’s ManageEngine, and was exploited last year to breach the International Red Cross.

CVE-2021-27860 is a vulnerability in the web management interface in FatPipe software.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

BoM's seven-year technology transformation cost $866m

BoM's seven-year technology transformation cost $866m

Medibank allegedly missed EDR alerts before data breach

Medibank allegedly missed EDR alerts before data breach

ANZ joins NAB and CBA on ConnectID

ANZ joins NAB and CBA on ConnectID

James Cook University accelerates digital roadmap and cyber uplift

James Cook University accelerates digital roadmap and cyber uplift

Log In

  |  Forgot your password?