Enterprotect


Global Cybersecurity Advisory Breakdown: The Threat of Volt Typhoon

Introduction

In the rapidly evolving landscape of cybersecurity, vigilance and proactive defense are paramount. As a leading cybersecurity company, Enterprotect is dedicated to providing the most up-to-date information and guidance to help businesses safeguard their digital assets. This advisory is based on a joint Cybersecurity Advisory issued by the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK).

The advisory discusses a recent cybersecurity threat associated with a state-sponsored cyber actor from the People's Republic of China, known as Volt Typhoon. This article provides a summary of the advisory, but we strongly recommend reading the full joint cybersecurity advisory for a comprehensive understanding of the threat and the recommended mitigation strategies.

What is the Threat?

Volt Typhoon is a state-sponsored cyber actor from the People's Republic of China. This actor has been associated with a cluster of cyber activities that pose a significant threat to businesses and organizations worldwide. The tactics employed by Volt Typhoon are noteworthy due to their stealthy nature. They use a strategy known as "living off the land," which involves using built-in network administration tools to perform their objectives. This approach allows them to evade detection, making their activities particularly insidious.

Some of the built-in tools this actor uses are wmic, ntdsutil, netsh, and PowerShell. The actor also uses open-source "hacktools" such as Fast Reverse Proxy (frp), Impacket, Mimikatz.exe, and remote administration tools. Understanding these tools and how they can be used maliciously is a key part of our threat hunting efforts at Enterprotect.

Why is it Noteworthy?

The activities of Volt Typhoon are noteworthy for several reasons. Firstly, the use of "living off the land" tactics demonstrates a high level of sophistication and understanding of network systems. By using built-in tools, the actor can blend in with legitimate activities, making detection more challenging. This is why our indicator of compromise (IOC) detection services are so crucial.

Secondly, the state-sponsored nature of this actor suggests a high level of resources and potential backing from a nation-state. This increases the potential scale and impact of their activities.

Finally, the activities of Volt Typhoon have been widespread, affecting numerous organizations across different sectors. This broad scope of activity highlights the potential risk to many businesses and underscores the need for effective cybersecurity measures, such as our layered security approach.

What is the Exposure or Risk?

The exposure or risk associated with Volt Typhoon's activities is significant. If undetected, their activities can lead to unauthorized access to sensitive information, disruption of business operations, financial loss, and potential damage to an organization's reputation. Our breach detection services are designed to identify these threats as early as possible.

The use of "living off the land" tactics can make it difficult for businesses to detect and respond to these threats. Traditional security measures may not be effective against this type of threat, as the actor uses legitimate tools and processes to carry out their activities. This is where our comprehensive cybersecurity platform comes into play, offering a range of solutions to protect your digital assets.

What are the Recommendations?

In light of the threat posed by Volt Typhoon, Enterprotect recommends several measures to enhance cybersecurity defenses:

  1. Network Monitoring: Regular monitoring of network activities can help detect unusual patterns that may indicate a threat. This includes keeping an eye on the use of built-in network administration tools.

  2. Cybersecurity Training: Employees should be trained to recognize potential cybersecurity threats and follow best practices for online safety. This includes being wary of phishing attempts and maintaining strong, unique passwords.

  3. Regular Updates: Keeping all systems, software, and devices updated can help protect against known vulnerabilities that could be exploited by cyber actors. Our vulnerability management services can assist in identifying and addressing these vulnerabilities.

  4. Incident Response Plan: Having a clear plan in place for responding to a cybersecurity incident can help minimize damage and recovery time. This includes identifying key personnel, outlining communication strategies, and establishing procedures for investigating and resolving the incident.

  5. Logging Recommendations: Defenders should configure the Windows Security audit policy to enable “audit process creation” and “include command line in process creation events”, and then actually review the resulting logs. This produces Event ID 4688 entries in the Windows Security log that record the full command line of each new process. Defenders should also log WMI and PowerShell events. By default, WMI Tracing and deep PowerShell logging are not enabled, but they can be enabled by following the configuration instructions linked in the References section.
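As an added example (not part of the joint advisory or Enterprotect's own material), the following PowerShell enables the audit settings described above on a single host and then queries the resulting 4688 events for the built-in tools named earlier. The registry paths and commands are standard Windows ones; the `$tools` list and the `-MaxEvents` value are illustrative choices, not values from the advisory.

```powershell
# Added example: enable the logging the advisory recommends on one Windows host.
# Run from an elevated PowerShell session on a test machine first; in production
# the same settings are normally pushed through Group Policy.

# 1. Audit process creation (produces Event ID 4688 in the Security log).
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Include the full command line in each 4688 event.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Deep PowerShell logging: script block logging (Event ID 4104 in the
#    Microsoft-Windows-PowerShell/Operational log) and module logging for all modules.
$psPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPol\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPol\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
New-Item -Path "$psPol\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPol\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
New-ItemProperty -Path "$psPol\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 4. WMI tracing: the WMI-Activity/Trace analytic log is disabled by default.
wevtutil set-log 'Microsoft-Windows-WMI-Activity/Trace' /e:true /q:true

# 5. Confirm the settings took effect.
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled'

# 6. Hunt: list recent 4688 events for the built-in tools the advisory names.
#    ($tools and -MaxEvents are illustrative choices, not advisory values.)
$tools = 'wmic.exe', 'ntdsutil.exe', 'netsh.exe', 'powershell.exe'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
  ForEach-Object {
    # Flatten the EventData fields of the 4688 record into a hashtable.
    $xml = [xml]$_.ToXml(); $d = @{}
    foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{ Time = $_.TimeCreated; User = $d.SubjectUserName;
                       Process = $d.NewProcessName; CommandLine = $d.CommandLine }
  } |
  Where-Object { $tools -contains (Split-Path $_.Process -Leaf).ToLower() } |
  Format-Table -AutoSize
```

The CommandLine column is only populated for events written after step 2 took effect, so expect it to be empty for older records.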

  6. Ensure Log Integrity and Availability: The actor takes measures to hide their tracks, such as clearing logs. To ensure log integrity and availability, defenders should forward log files to a hardened centralized logging server, preferably on a segmented network. Such an architecture makes it harder for an actor to cover their tracks as evidence of their actions will be captured in multiple locations. Defenders should also monitor logs for Event ID 1102, which is generated when the audit log is cleared. All Event ID 1102 entries should be investigated as logs are rarely cleared under normal circumstances. Our event log monitoring services can assist in this crucial task.

  7. Review Firewall Configurations: In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.

  8. Monitor Account Activity: Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
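An added example (not from the advisory or Enterprotect) of the log-integrity check in item 6 and the account-activity check in item 8: it flags every Event ID 1102 and every pair of logons for one account from two different sites within a short window. The records and the IP-to-site table are constructed sample data so the script runs offline; on a live host the same functions would take Get-WinEvent output, with the source address resolved to a site from your own GeoIP or VPN-gateway data.

```powershell
# Added example: triage logic for Event ID 1102 (audit log cleared) and for
# impossible time-and-distance logons, run over constructed sample records.
# $siteOfIp is an assumed lookup table standing in for GeoIP/VPN data.
$siteOfIp = @{ '10.1.0.25' = 'Toronto'; '10.1.0.40' = 'Toronto'; '10.9.0.7' = 'Sydney' }

# Constructed sample: Security-log style records (time, event id, account, source IP).
$sample = @(
  [pscustomobject]@{ Time = Get-Date '2023-05-24 02:10:00'; Id = 4624; User = 'jdoe';   Ip = '10.1.0.25' }
  [pscustomobject]@{ Time = Get-Date '2023-05-24 02:25:00'; Id = 4624; User = 'jdoe';   Ip = '10.9.0.7'  }
  [pscustomobject]@{ Time = Get-Date '2023-05-24 02:40:00'; Id = 1102; User = 'jdoe';   Ip = $null       }
  [pscustomobject]@{ Time = Get-Date '2023-05-24 09:00:00'; Id = 4624; User = 'asmith'; Ip = '10.1.0.40' }
  [pscustomobject]@{ Time = Get-Date '2023-05-24 17:30:00'; Id = 4624; User = 'asmith'; Ip = '10.1.0.25' }
)

function Find-AuditLogClear {
  param([object[]]$Events)
  # Every 1102 is an alert: the audit log is rarely cleared under normal circumstances.
  $Events | Where-Object Id -eq 1102 | ForEach-Object {
    [pscustomobject]@{ Alert = 'AuditLogCleared'; Time = $_.Time; User = $_.User }
  }
}

function Find-ImpossibleTravel {
  param([object[]]$Events, [int]$WindowMinutes = 60)
  # Two successful logons (4624) for the same account from different sites
  # within the window cannot both be the user in person.
  $Events | Where-Object Id -eq 4624 | Group-Object User | ForEach-Object {
    $prev = $null
    foreach ($e in ($_.Group | Sort-Object Time)) {
      $site = $siteOfIp[$e.Ip]
      if ($prev -and $site -ne $prev.Site -and
          ($e.Time - $prev.Time).TotalMinutes -le $WindowMinutes) {
        [pscustomobject]@{ Alert = 'ImpossibleTravel'; User = $e.User; From = $prev.Site;
                           To = $site; Minutes = [int]($e.Time - $prev.Time).TotalMinutes }
      }
      $prev = [pscustomobject]@{ Time = $e.Time; Site = $site }
    }
  }
}

Find-AuditLogClear   -Events $sample | Format-Table -AutoSize
Find-ImpossibleTravel -Events $sample | Format-Table -AutoSize
```

Because the 1102 check runs on forwarded copies of the log, it still fires when the local Security log on the affected host has already been wiped.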

References

This advisory is based on a joint Cybersecurity Advisory issued by the United States and international cybersecurity authorities. For more detailed information, please refer to the original document here.

At Enterprotect, we are committed to helping businesses navigate the complex landscape of cybersecurity. Our team of experts is always on hand to provide guidance, support, and solutions to help you protect your digital assets. For more information about our services, or to start a free trial, please visit our website.

Disclaimer: This advisory is provided "as is" for informational purposes only. Enterprotect does not provide warranties regarding this information or any actions taken based on the information provided. Always consult with a professional cybersecurity advisor for specific guidance tailored to your situation.

About Enterprotect: Enterprotect is a leading cybersecurity company dedicated to providing comprehensive security solutions for small to medium-sized businesses. Our passion is cybersecurity, and our mission is to simplify it for businesses, allowing them to focus on what they do best. Learn more about our cybersecurity solutions at Enterprotect.