Volt Typhoon on the rise due to “living-off-the-land” attacks

U.S. and international cybersecurity authorities jointly issued a cybersecurity advisory on May 24 to warn on a group of actors known as Volt Typhoon that appears to be backed by the state of the People’s Republic of China.

In a separate statement, Microsoft explained that Volt Typhoon is believed to have been active since mid-2021, and is notably known to have targeted critical infrastructure in the USA, its objectives generally being espionage and information gathering.

The director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, also raises the possibility of similar attacks taking place around the world.

One of this threat actor’s key tactics, techniques and procedures (TTPs) is “living off the land”, using integrated network administration tools to achieve its goals. The group relies on legitimate binaries natively present on compromised machines, using for example tools integrated into operating systems (e.g. wmic, ntdsutil, netsh and PowerShell). This approach enables the actor to blend in with traffic qualified as legitimate, and bypass the defense mechanisms in place.

Detection : 

According to published reports, very few hacking activities pass through the network. Moreover, the use of common administration tools makes detection relatively complex. However, certain signals remain detectable.

Firstly, based on the various publicly available IOCs, the hash 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71 has been present in the LIS – Last Info Sec database since January 2019, as it has also appeared in previous campaigns.

Some of the tools used by this actor are subject to specific detection.

  • For example, the Earthworm tool is detected by the following Sigflow rules;
    • ET TROJAN [AV] EarthWorm/Termite IoT Agent Reporting Infection (sid: 202706)
    • ET TROJAN EarthWorm/Termite IoT Agent CnC Response (sid: 2027065)
  • The Awen webshell is mentioned in some reports for which the following rule exists:
    • ET TROJAN CMDASP Webshell Default Title in HTTP Response (sid: 2045284)
  • Or the Mimikatz tool, which can be detected by the Malcore engine in transit on the network.

As is often the case with this type of attack, there are also certain weak signals, such as the use of IP resolution services (here ip-api.com covered by sid 2022082).

Finally, the vulnerabilities exploited include :

  • CVE-2021-40539 (ManageEngine ADSelfService Plus) : covered by les SID 2034362 to 2034365 
  • Vulnerability FatPipe : covered by sid 2034530 and 2034531

Mitigation measures :

Mitigating the risks associated with adversaries such as Volt Typhoon, relying on valid accounts and “living-off-the-land” binaries (LOLBins), is particularly difficult since there is no single measure that guarantees immunity to this type of attack. However, below are a number of security measures which, when combined, can help prevent and detect this type of attack:

  • Reinforce and monitor events recorded in Windows logs : 
    • Log WMI events (Event IDs 5857, 4656, 4663, 4658 and 4662) and PowerShell events (Event ID 4103)
    • Log events relating to the creation of a new process (Event ID 4688), so that you can supervise the call to ntdsutil.exe or the creation of any similar process
    • Log events relating to the deletion of the audit log (Event ID 1102).
  • Hardening and monitoring domain controllers
  • Limit and monitor port forwarding usage
  • Check firewall configuration to identify configuration errors on outgoing flows
  • Ensure log centralization and integrity

Volt Typhoon TTPs :

By analyzing the various reports, we were able to create the following matrix corresponding to the attacker’s TTPS (Technique, Tactics and Procedures) – See picture 1 below.

We have also created a linear representation (See pictures 2 and 3 below).

Author : Purple Team Gatewatcher

Ressources :