Business
Focused
Technology

Threats and Infrastructure

From Arctic Wolf

SUMMARY

On February 7, 2024, CISA issued an advisory detailing their discoveries concerning state-sponsored cyber actors linked to the People’s Republic of China (PRC). Notably, the PRC-affiliated threat actor, Volt Typhoon, is actively engaged in efforts to infiltrate IT networks, with the potential aim of launching cyberattacks on vital U.S. infrastructure in the event of a substantial crisis or conflict with the United States. The targets chosen by Volt Typhoon and their behavioral patterns do not align with their typical cyber espionage or intelligence gathering operations.

Volt Typhoon affiliates were observed targeting the IT systems of critical infrastructure organizations in the United States, particularly in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors. This also includes organizations located in both the contiguous and non-contiguous regions of the United States, such as territories like Guam. Other affected entities include smaller organizations with constrained cybersecurity resources that provide critical services to larger organizations or key geographic locations.

CISA also noted that while a threat to Canada’s Critical Infrastructure is likely lower, there is potential for this activity to impact Canada due to cross-border integration. Furthermore, Australia and New Zealand are identified as potentially vulnerable to similar activities.

VOLT TYPHOON OBSERVED ATTACK CHAIN

CISA and the agencies authoring the advisory detailed how Volt Typhoon conducts attacks. Volt Typhoon begins with conducting extensive reconnaissance to gather intelligence on the target’s network architecture, security measures, and personnel. Using known or zero-day vulnerabilities, they gain initial access and exploit privilege escalation to obtain administrator credentials. 

Leveraging these credentials, they move laterally through the network, conducting discovery while minimizing detection. They eventually gain full domain compromise, achieved by extracting the Active Directory database using techniques like Volume Shadow Copy Service (VSS). Offline password cracking allows them to decipher hashed passwords, gaining elevated access for strategic infiltration. Their focus lies in accessing Operational Technology (OT) assets, such as machines, sensors, and control systems. They persist in testing access to domain resources to advance their objectives. 

RECOMMENDATIONS

Recommendation #1: Prioritize Product Patching

Volt Typhoon has been observed to target Fortinet, Ivanti, NETGEAR, Citrix, and Cisco Devices for initial access. There have been several critical vulnerabilities exploited in these products by threat actors historically, as indicated by CISA’s Known Exploited Vulnerabilities Catalog. Ensure that these products in your environment are updated with the latest patches, such as the recent patches released for Ivanti products, which were observed to be exploited by other Chinese affiliated threat actors earlier in January. 

You can also reference our recent security bulletins, which Arctic Wolf issued to address vulnerabilities found in products that Volt Typhoon has targeted in the past. 

Recommendation #2: Implement Phishing-Resistant MFA

Arctic Wolf strongly recommends enabling MFA for all accounts to protect against brute force attacks and compromised accounts being purchased by threat actors on the dark web and used for initial access in ransomware cases. Please note that enabling MFA may have operational considerations in your environment. 

Recommendation #3: Implement Security Awareness Training

Due to the phishing techniques by the threat actors outlined in this bulletin, Arctic Wolf recommends using security awareness training campaigns so that users are better able to recognize and report suspicious activities associated with sophisticated phishing campaigns.

REFERENCES

Partner, Law Firm

We hired IT360 as our computer hardware and software computer consultants when the company first went into business. Since then, they have helped us purchase new software and hardware equipment that we have instituted into the law firm. Any time we needed them to be there they have been. They have solved all of our problems including: stand alone computers, networking issues, Internet access issues, and software. I would highly recommend IT360 to anybody who needs help in these areas.

Partner, Law Firm

Recent
Technology News

IT 360 News
Threats and Infrastructure

From Arctic Wolf SUMMARY On February 7, 2024, CISA issued an advisory detailing their discoveries concerning state-sponsored cyber actors linked to the People’s Republic of China (PRC). Notably, the PRC-affiliated threat actor, Volt Typhoon, is actively engaged in efforts to infiltrate IT networks, with the potential aim of launching cyberattacks on vital U.S. infrastructure in […]

Read more
IT 360 News
Multi-Factor Authentication

By Cybersecurity & Infrastructure Security Agency OVERVIEW Multi-factor authentication (MFA) is a layered approach to securing physical and logical access where a system requires a user to present a combination of two or more different authenticators to verify a user’s identity for login. MFA increases security because even if one authenticator becomes compromised, unauthorized users […]

Read more