• Chinese Volt Typhoon hit US critical infrastructure sectors

    Home » Forums » Cyber Security Information and Advisories » Cyber Security for Business users » Chinese Volt Typhoon hit US critical infrastructure sectors

    Author
    Topic
    Alex5723
    AskWoody Plus
    May 25, 2023 at 3:57 am #2561759
    Options

    https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

    People’s Republic of China State-Sponsored Cyber
    Actor Living off the Land to Evade Detection

    Summary

    The United States and international cybersecurity authorities are issuing this joint
    Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of
    interest associated with a People’s Republic of China (PRC) state-sponsored cyber
    actor, also known as Volt Typhoon. Private sector partners have identified that this
    activity affects networks across U.S. critical infrastructure sectors, and the authoring
    agencies believe the actor could apply the same techniques against these and other
    sectors worldwide.

    https://www.ghacks.net/2023/05/25/china-hacked-us-microsoft/

    ..How did that happen?

    An undisclosed vulnerability within the widely used cybersecurity suite, FortiGuard, has become the hackers’ favored entry point. Microsoft’s revelation underscores the urgent need for immediate action, as these infiltrators exploit compromised systems to gain unauthorized access to interconnected networks.

    Once inside, the hackers quietly obtain user credentials from the compromised security suite, facilitating their covert access to other corporate systems. It is crucial to note that the hackers’ primary objective is not immediate disruption but long-term espionage. Their intent is to remain undetected, allowing them to gather sensitive information clandestinely…

    3 users thanked author for this post.
    CADesertRat, Cybertooth, Fred
    Reply | Quote
    Viewing 2 reply threads
    Author
    Replies
    • Fred
      AskWoody Plus
      May 25, 2023 at 4:10 am #2561760
      Options

      You may add the various NCSC organisations from NATO countries as well. This Living Of The Land attacks are becoming more and more a serious threat. From supplychains to National Critical Infrastructures. Afterall there is a war going on, in case one didn’t notice.
      It will be useful to give this serious thoughts and advices, instead of saying there is so little chance to be infected etc…

      * _ the metaverse is poisonous _ *
      3 users thanked author for this post.
      CADesertRat, Cybertooth, Alex5723
      Reply | Quote
    • Alex5723
      AskWoody Plus
      May 25, 2023 at 4:27 am #2561762
      Options

      ..Mitigation and protection guidance

      Mitigating risk from adversaries like Volt Typhoon that rely on valid accounts and living-off-the-land binaries (LOLBins) is particularly challenging. Detecting activity that uses normal sign-in channels and system binaries requires behavioral monitoring. Remediation requires closing or changing credentials for compromised accounts.

      What to do now if you’re affected

      Close or change credentials for all compromised accounts. Depending on the level of collection activity, many accounts may be affected. Identify LSASS dumping and domain controller installation media creation to identify affected accounts.
      Examine the activity of compromised accounts for any malicious actions or exposed data.

      Defending against this campaign

      Mitigate the risk of compromised valid accounts by enforcing strong multi-factor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. Passwordless sign-in, password expiration rules, and deactivating unused accounts can also help mitigate risk from this access method.
      Reduce the attack surface. Microsoft customers can turn on the following attack surface reduction rules to block or audit some observed activity associated with this threat:
      Block credential stealing from the Windows local security authority subsystem (lsass.exe).Block process creations originating from PSExec and WMI commands. Some organizations may experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI.
      Block execution of potentially obfuscated scripts….

      Reply | Quote
    • duh
      Guest
      May 26, 2023 at 9:00 pm #2562024
      Options

      This seems like a psyop.  America has the best hackers in the world.  How much of the chinese infrastructure is compromised?  Probably all of it.  Everyone spies on everyone and I am sure this technique is used by many other than the ccp.  Probably a lot of fraudsters using it too that might be a bigger risk to ordinary American end users imo.

      Reply | Quote
    Viewing 2 reply threads
    Reply To: Chinese Volt Typhoon hit US critical infrastructure sectors

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information:




DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • How to use the Forums
  • All Forums

    • Recent Topics

    June 2023
    S M T W T F S
     123
    45678910
    11121314151617
    18192021222324
    252627282930  

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.