Microsoft has released its discovery of a new targeted malware attack focused on gaining unauthorized access to the critical infrastructure organizations in the United States. This cyber-attack, known as Volt Typhoon, is a state-sponsored operation based in China and has been active since mid-2021. Its primary targets include organizations in communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education sectors.
Unlike other malwares, Volt Typhoon is especially elusive due to its unique living-off-the-land (LOLbins) techniques. These techniques involve the use of system tools that come pre-installed with the operating system and are generally considered benign. As such, the malicious activity is more challenging to detect and mitigate as it appears to be part of routine network operations.
The attackers’ primary objective appears to be espionage and maintaining undetected access for as long as possible. They do this by using stolen valid credentials to maintain persistence and blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment.
Upon initial access, Volt Typhoon leverages privileges of compromised devices, extracts credentials to an Active Directory account, and attempts to authenticate other devices on the network. The threat actor also enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure by proxying through these devices.
Once Volt Typhoon gains access to a target environment, it begins conducting hands-on-keyboard activity via the command line to discover additional devices on the network and exfiltrate data. The malware also attempts to dump credentials from the LSASS process memory space and extract usernames and password hashes from domain controllers, allowing the threat actors to regain access to a compromised organization if they lose access.
Mitigating risks from adversaries like Volt Typhoon, which rely on valid accounts and LOLBins, is notably challenging. The use of behavioral monitoring is crucial to detect activity that uses normal sign-in channels and system binaries. Remediation then requires closing or changing credentials for compromised accounts.
Microsoft suggests enforcing strong multi-factor authentication (MFA) policies, reducing attack surfaces, hardening LSASS processes, and running endpoint detection and response (EDR) in block mode to protect against such stealthy attacks. They also provide detection details and hunting queries for potential indicators of compromise (IOCs) associated with Volt Typhoon in Microsoft Defender Antivirus and Microsoft Defender for Endpoint.
The discovery of Volt Typhoon underlines the importance of strong cybersecurity measures. Organizations must be vigilant in monitoring their network activity and implementing appropriate defenses to protect against such sophisticated attacks.
Read all the detail at Microsoft here.
