A large-scale advanced persistent threat (APT) campaign carried out by the Chinese hacker group Volt Typhoon has just been reported by the US government in conjunction with several private cybersecurity entities. It has targeted critical US infrastructure, which appears to have been infiltrated since 2021.
Volt Typhoon: the context of the attack
On May 24, 2023, the NSA published an analysis of a Chinese APT targeting critical US infrastructure in the communications, transportation, construction, maritime and education sectors. The attack is attributed to the Volt Typhoon group. This is not the first time this group has been observed: Secureworks tracks the same actor under the name Bronze Silhouette.
The document describes an attack whose main objectives are espionage and data exfiltration, carried out by the most discreet means possible.
The information-gathering process makes extensive use of LOLBins (living-off-the-land binaries, i.e. legitimate tools already present on the system), with the aim of bypassing the execution restrictions potentially in effect on workstations and minimizing the triggering of security alerts.
To exfiltrate data to its C&C, the group used relays created following the prior compromise of SoHo (Small Office / Home Office) equipment, notably routers, firewalls or VPN appliances of various brands and ranges (ASUS, Cisco RV, Draytek Vigor, D-Link, FatPipe IPVPN / MPVPN / WARP, Netgear Prosafe, or Zyxel USG). Routing traffic through these relays masks the malicious communications as far as possible.
Initial vector of the Volt Typhoon attack
Initial access for this attack was obtained through Fortinet FortiGate devices, which then enabled the malicious actors to collect authentication data from the Active Directory (AD) domain to which the devices were attached. They then attempted to reuse these credentials on other network devices.
No information is given concerning the vulnerabilities exploited on Fortigate devices or on the network devices used as communication relays to the control server.
Technical details of the Volt Typhoon attack
Once network access had been obtained, the Volt Typhoon / Bronze Silhouette actor made heavy use of LOLBins to circumvent workstation execution restriction policies and maximize stealth.
In particular, the following binaries/commands are used (non-exhaustive list):
- wmic process call create [...]
- netsh interface portproxy [...]
- netsh interface firewall [...]
- net group [...]
- net localgroup [...]
- dnscmd /enumrecords
- ipconfig
- Get-EventLog security -instanceid 4624
- reg query
- reg save
- certutil
- makecab
- etc.
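The commands above are the kind of thing a defender should be matching against process-creation telemetry (Windows Security event 4688 or Sysmon event 1). The following is an added example, not code from the advisory or from Stormshield: it runs a small rule set built from the list above over constructed, pipe-delimited process-creation records (the log format, the rule names and the sample events are all my assumptions). ipconfig is deliberately not a rule on its own because it is far too noisy; the per-host summary shows why several distinct LOLBin hits on one host is the stronger signal.

```python
import re

# Command-line patterns derived from the LOLBin list in the advisory (non-exhaustive).
# Rule names are mine; the patterns match the commands as they appear in a
# process-creation event command line.
LOLBIN_RULES = [
    ("wmic process creation",
     re.compile(r"\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("netsh port proxy configuration",
     re.compile(r"\bnetsh\b.*\bportproxy\b", re.I)),
    ("netsh firewall modification",
     re.compile(r"\bnetsh\b.*\bfirewall\b", re.I)),
    ("net group/localgroup enumeration",
     re.compile(r"\bnet1?(\.exe)?\s+(group|localgroup)\b", re.I)),
    ("dnscmd record enumeration",
     re.compile(r"\bdnscmd\b.*/enumrecords\b", re.I)),
    ("logon event collection",
     re.compile(r"get-eventlog\b.*\bsecurity\b.*\b4624\b", re.I)),
    ("registry hive save",
     re.compile(r"\breg(\.exe)?\s+save\b", re.I)),
    ("registry query",
     re.compile(r"\breg(\.exe)?\s+query\b", re.I)),
    ("certutil usage",
     re.compile(r"\bcertutil\b", re.I)),
    ("makecab archive creation",
     re.compile(r"\bmakecab\b", re.I)),
]

# Constructed sample records (assumed format): timestamp|host|user|command line
CONSTRUCTED_EVENTS = r"""
2023-05-25T10:02:11Z|WS01|CORP\jdoe|wmic process call create "cmd.exe /c netstat -ano > C:\Windows\Temp\n.txt"
2023-05-25T10:03:40Z|WS01|CORP\jdoe|netsh interface portproxy add v4tov4 listenport=8443 listenaddress=0.0.0.0 connectport=443 connectaddress=10.10.5.20
2023-05-25T10:05:02Z|WS02|CORP\asmith|ipconfig /all
2023-05-25T10:07:19Z|DC01|CORP\svc_backup|reg save hklm\system C:\Windows\Temp\sys.hiv
2023-05-25T10:07:35Z|DC01|CORP\svc_backup|makecab C:\Windows\Temp\sys.hiv C:\Windows\Temp\s.cab
2023-05-25T10:09:00Z|WS02|CORP\asmith|net localgroup administrators
2023-05-25T10:11:48Z|WS03|CORP\bking|powershell.exe -c "Get-EventLog security -instanceid 4624"
2023-05-25T10:12:30Z|WS03|CORP\bking|notepad.exe C:\Users\bking\notes.txt
"""


def parse_event(line):
    """Split one pipe-delimited process-creation record into its fields."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def detect(lines):
    """Return one hit per (event, rule) pair whose command line matches a rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for rule, rx in LOLBIN_RULES:
            if rx.search(event["cmd"]):
                hits.append({**event, "rule": rule})
    return hits


def summarize(hits):
    """Distinct rules per host: several different LOLBin rules firing on one host
    in a short window is a stronger signal than any single command."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["rule"])
    return {host: sorted(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    found = detect(CONSTRUCTED_EVENTS.strip().splitlines())
    for h in found:
        print(f"{h['ts']} {h['host']} {h['user']}: [{h['rule']}] {h['cmd']}")
    for host, rules in summarize(found).items():
        print(f"{host}: {len(rules)} distinct LOLBin rule(s) -> {', '.join(rules)}")
```

On the sample, WS01 and DC01 each trigger two distinct rules (remote process creation followed by port-proxy setup; registry hive save followed by makecab staging), which is the pattern worth alerting on; single hits such as the net localgroup call on WS02 are better treated as enrichment and tuned against known administrative accounts.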
Volt Typhoon cyberattack and Stormshield protections
Stormshield Network Security
The following IPS signature detects exploitation of the ManageEngine vulnerability CVE-2021-40539 used by the Volt Typhoon / Bronze Silhouette actor:
- http:79 -> Directory self-reference against the vulnerability CVE-2021-40539
Another signature blocks a reconnaissance attempt by the group. SSL decryption must be enabled beforehand for this signature to apply.
- http:client:header:useragent.110 -> Threat actor recon activity
The IP addresses used by the control servers of Bronze Silhouette, which is most likely the same actor as Volt Typhoon, have been added to the reputation engine in the "malware" category.
Finally, samples of the binaries involved in the attack are detected by the Breach Fighter detonation solution.
Stormshield Endpoint Security Evolution
The following rulesets of the default policy in version 2304a or 2211b are already capable of detecting many of the process executions employed during the attack by the malicious actor:
- Stormshield - Protection baseline
- Stormshield - Data leak prevention
- Stormshield - Protection against malicious usage of LOLBIN
- Stormshield - Block-list of known dangerous applications
- Stormshield - Advanced protections
It is therefore important to confirm that these rulesets are active and in their most recent version in the policies applied on the endpoint agents.
A YARA analysis unit named "APT - Volt Typhoon" is also now available on the SES update server to search for traces of the attack.
Recommendations
It is strongly recommended to monitor the execution of the commands used in the attack, and to limit the use of port proxies (netsh interface portproxy) as much as possible.
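Limiting port proxies starts with knowing which ones exist. The following is an added example, not code from the advisory or from Stormshield: it parses the text that `netsh interface portproxy show all` prints, in the column layout I assume for that command (the sample output is constructed), flags every configured proxy, ranks the ones that listen on a non-loopback address and forward to another host as the most suspicious, and builds the matching `netsh interface portproxy delete` command for each. The allow-list mechanism is mine, for the rare proxies an environment legitimately needs.

```python
import re

# Constructed sample in the layout assumed for `netsh interface portproxy show all`:
# a "Listen on ... Connect to ..." section header, a column header, a dashed rule,
# then one row per configured proxy.
CONSTRUCTED_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8443        10.10.5.20      443
127.0.0.1       9000        127.0.0.1       9001

Listen on ipv6:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
::              8080        192.0.2.10      8080
"""

SECTION_RX = re.compile(r"^Listen on (ipv[46]):\s+Connect to (ipv[46]):", re.I)


def parse_portproxy(text):
    """Turn the netsh listing into a list of proxy entries with a v4tov4-style mode."""
    entries, mode, in_table = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RX.match(line)
        if m:
            mode = f"v{m.group(1)[-1]}tov{m.group(2)[-1]}"  # e.g. v4tov4, v6tov4
            in_table = False
            continue
        if line.startswith("-----"):
            in_table = True          # rows follow the dashed rule
            continue
        if not line:
            in_table = False         # blank line ends the table
            continue
        if in_table and mode:
            parts = line.split()
            if len(parts) == 4 and parts[1].isdigit() and parts[3].isdigit():
                entries.append({"mode": mode,
                                "listen_addr": parts[0], "listen_port": int(parts[1]),
                                "connect_addr": parts[2], "connect_port": int(parts[3])})
    return entries


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("::1", "localhost")


def remediation(entry):
    """Command that removes this proxy (real netsh syntax, same mode/listener it was created with)."""
    return (f"netsh interface portproxy delete {entry['mode']} "
            f"listenport={entry['listen_port']} listenaddress={entry['listen_addr']}")


def audit(entries, allowlist=frozenset()):
    """Report every proxy not on the allow-list; externally reachable relays rank highest."""
    findings = []
    for e in entries:
        key = (e["mode"], e["listen_addr"], e["listen_port"], e["connect_addr"], e["connect_port"])
        if key in allowlist:
            continue
        reasons = []
        if not is_loopback(e["listen_addr"]):
            reasons.append("listens on a non-loopback address")
        if not is_loopback(e["connect_addr"]):
            reasons.append("forwards traffic to another host")
        severity = ("low", "medium", "high")[len(reasons)]
        findings.append({**e, "severity": severity, "reasons": reasons,
                         "remediation": remediation(e)})
    return findings


if __name__ == "__main__":
    for f in audit(parse_portproxy(CONSTRUCTED_NETSH_OUTPUT)):
        print(f"[{f['severity']}] {f['mode']} {f['listen_addr']}:{f['listen_port']} -> "
              f"{f['connect_addr']}:{f['connect_port']} ({'; '.join(f['reasons']) or 'loopback only'})")
        print(f"    remove with: {f['remediation']}")
```

Run this against the real command output collected from each host (for example as part of a scheduled compliance check) and keep the allow-list under change control: a port proxy that nobody can explain is exactly the relay the advisory describes.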
Volt Typhoon attack & IOC
Volt Typhoon IOCs: the indicators below are associated with the attack.
Hashes
SHA256 : f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
SHA256 : ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31
SHA256 : d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca
SHA256 : 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
SHA256 : 66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7
SHA256 : 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
SHA256 : 41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597
SHA256 : c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99
SHA256 : 3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f
SHA256 : fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15
SHA256 : ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484
IPs
104.161.54.203 : Volt Typhoon / Bronze Silhouette C&C
23.227.198.247 : Volt Typhoon / Bronze Silhouette C&C
109.166.39.139 : Volt Typhoon / Bronze Silhouette C&C
User agent
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
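The indicators above are only useful once they are matched against local telemetry. The following is an added example, not code from the advisory or from Stormshield: it loads the C&C addresses, the reconnaissance user agent and a subset of the SHA256 hashes listed above, then checks them against constructed traffic records (the pipe-delimited format and the sample values are my assumptions) and a constructed file inventory as an endpoint agent might report it. Outbound connections are checked against the C&C addresses and inbound requests against the user agent, which matches where the IPS signature above sees it.

```python
# Indicators copied from the advisory above.
C2_IPS = {"104.161.54.203", "23.227.198.247", "109.166.39.139"}
RECON_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0"
KNOWN_SHA256 = {
    "f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd",
    "ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31",
    "d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca",
    "472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d",
}

# Constructed traffic records (assumed format): timestamp|direction|src_ip|dst_ip|user_agent
CONSTRUCTED_TRAFFIC = """
2023-05-26T08:14:02Z|out|10.20.3.44|104.161.54.203|Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2023-05-26T08:15:10Z|out|10.20.3.44|198.51.100.20|Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2023-05-26T08:20:55Z|in|198.51.100.77|10.20.1.10|Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
2023-05-26T08:22:13Z|in|203.0.113.5|10.20.1.10|Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15
2023-05-26T08:30:00Z|out|10.20.7.9|23.227.198.247|curl/8.1.2
"""

# Constructed file inventory: (path, sha256) with one digest reported in upper case,
# as scanners sometimes do.
CONSTRUCTED_FILES = [
    ("C:\\Users\\Public\\update.dat",
     "D6EBDE42457FE4B2A927CE53FC36F465F0000DA931CFAB9B79A36083E914CECA"),
    ("C:\\Program Files\\App\\app.exe", "0" * 64),
]


def scan_traffic(lines):
    """Match outbound destinations against C&C addresses and inbound clients
    against the reconnaissance user agent."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, direction, src, dst, ua = line.split("|", 4)
        if direction == "out" and dst in C2_IPS:
            hits.append({"type": "c2_ip", "indicator": dst, "ts": ts, "host": src})
        if direction == "in" and ua == RECON_USER_AGENT:
            hits.append({"type": "recon_user_agent", "indicator": src, "ts": ts, "host": dst})
    return hits


def scan_files(inventory):
    """Case-insensitive SHA256 lookup; returns (path, normalized digest) for each match."""
    return [(path, digest.lower()) for path, digest in inventory
            if digest.lower() in KNOWN_SHA256]


if __name__ == "__main__":
    for h in scan_traffic(CONSTRUCTED_TRAFFIC.strip().splitlines()):
        print(f"{h['ts']} {h['type']}: {h['host']} <-> {h['indicator']}")
    for path, digest in scan_files(CONSTRUCTED_FILES):
        print(f"known sample on disk: {path} ({digest})")
```

Treat the three indicator types differently when triaging: a hash match on disk or an outbound connection to a C&C address is high confidence, whereas the user agent alone is weak (it is a genuine Firefox 68 string that legitimate clients can still send) and should be correlated with the source address and the requests it made before raising an incident.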