• Chinese Volt Typhoon hit US critical infrastructure sectors


    #2561759

    https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

    People’s Republic of China State-Sponsored Cyber
    Actor Living off the Land to Evade Detection

    Summary

    The United States and international cybersecurity authorities are issuing this joint
    Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of
    interest associated with a People’s Republic of China (PRC) state-sponsored cyber
    actor, also known as Volt Typhoon. Private sector partners have identified that this
    activity affects networks across U.S. critical infrastructure sectors, and the authoring
    agencies believe the actor could apply the same techniques against these and other
    sectors worldwide.

    https://www.ghacks.net/2023/05/25/china-hacked-us-microsoft/

    ..How did that happen?

    An undisclosed vulnerability within the widely used cybersecurity suite, FortiGuard, has become the hackers’ favored entry point. Microsoft’s revelation underscores the urgent need for immediate action, as these infiltrators exploit compromised systems to gain unauthorized access to interconnected networks.

    Once inside, the hackers quietly obtain user credentials from the compromised security suite, facilitating their covert access to other corporate systems. It is crucial to note that the hackers’ primary objective is not immediate disruption but long-term espionage. Their intent is to remain undetected, allowing them to gather sensitive information clandestinely…

    • #2561760

      You may add the various NCSC organisations from NATO countries as well. These Living Off The Land attacks are becoming more and more of a serious threat, from supply chains to national critical infrastructures. After all, there is a war going on, in case one didn’t notice.
      It will be useful to give this serious thought and advice, instead of saying there is so little chance of being infected etc…

      * _ the metaverse is poisonous _ *
    • #2561762

      ..Mitigation and protection guidance

      Mitigating risk from adversaries like Volt Typhoon that rely on valid accounts and living-off-the-land binaries (LOLBins) is particularly challenging. Detecting activity that uses normal sign-in channels and system binaries requires behavioral monitoring. Remediation requires closing or changing credentials for compromised accounts.

      What to do now if you’re affected

      Close or change credentials for all compromised accounts. Depending on the level of collection activity, many accounts may be affected. Identify LSASS dumping and domain controller installation media creation to identify affected accounts.
      Examine the activity of compromised accounts for any malicious actions or exposed data.

      Defending against this campaign

      Mitigate the risk of compromised valid accounts by enforcing strong multi-factor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. Passwordless sign-in, password expiration rules, and deactivating unused accounts can also help mitigate risk from this access method.
      Reduce the attack surface. Microsoft customers can turn on the following attack surface reduction rules to block or audit some observed activity associated with this threat:
      – Block credential stealing from the Windows local security authority subsystem (lsass.exe).
      – Block process creations originating from PsExec and WMI commands. Some organizations may experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI.
      – Block execution of potentially obfuscated scripts….
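
      The post above quotes the guidance but not the commands. The script below is an added example (it is not part of the thread and not Microsoft's own code) that does two things the quoted guidance asks for: it turns on the three attack surface reduction rules by their public Defender rule GUIDs, starting the PsExec/WMI rule in audit mode because of the server compatibility warning, and it searches the Security log for the two credential-exposure indicators named under "What to do now": LSASS dumping and domain controller installation media (ntdsutil IFM) creation. It assumes an elevated PowerShell session on a host running Microsoft Defender Antivirus with process-creation auditing (event 4688 including command-line logging) enabled; the function names and the regex patterns are my own, not from the advisory.

```powershell
# Added example, not code from the thread or from Microsoft's post.
# Assumes: elevated session, Microsoft Defender Antivirus present,
# Security event 4688 with command-line logging enabled.

function Enable-VoltTyphoonAsrRules {
    # Public Defender ASR rule GUIDs for the three rules quoted in the post.
    $rules = [ordered]@{
        '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Enabled'    # Block credential stealing from LSASS
        '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Enabled'    # Block execution of potentially obfuscated scripts
        'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'AuditMode'  # Block process creations from PsExec/WMI: audit first
    }
    # Add-MpPreference merges with rules already configured instead of replacing them.
    Add-MpPreference -AttackSurfaceReductionRules_Ids ([string[]]$rules.Keys) `
                     -AttackSurfaceReductionRules_Actions ([string[]]$rules.Values)

    # Read back what is now in force so the change can be verified.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]   # 1 = Block, 2 = Audit
        }
    }
}

function Find-CredentialExposureEvents {
    param([int]$Days = 30)

    # Command-line fragments seen in LSASS dumping and NTDS.dit copying via IFM.
    # These are well-known LOLBin patterns, chosen here as illustration (my own list).
    $patterns = @(
        'ntdsutil.*\bifm\b',        # ntdsutil "ac i ntds" ifm "create full <dir>"
        'comsvcs\.dll.*MiniDump',   # rundll32 comsvcs.dll MiniDump <lsass pid> <file> full
        'procdump.*lsass',          # procdump -ma lsass.exe
        'lsass.*\.dmp'              # any tool writing an lsass dump file
    )
    $regex = $patterns -join '|'     # -match is case-insensitive in PowerShell

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $regex } |
    ForEach-Object {
        # 4688 property order: 1 = SubjectUserName, 2 = SubjectDomainName,
        # 5 = NewProcessName, 8 = CommandLine.
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value
            Process = $_.Properties[5].Value
            Command = $_.Properties[8].Value
        }
    } | Sort-Object Time
}

Enable-VoltTyphoonAsrRules | Format-Table -AutoSize
# Every account that shows up here is compromised and needs its credentials
# reset; an IFM hit means every domain account in NTDS.dit should be treated as exposed.
Find-CredentialExposureEvents -Days 30 | Format-Table -AutoSize -Wrap
```

      Run the hunt on domain controllers first, since that is where IFM creation lands. Once the PsExec/WMI rule has been in audit mode long enough to confirm nothing legitimate trips it on a given server, switch that GUID to `Enabled`; the other two rules can go straight to block as the post recommends.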

    • #2562024

      This seems like a psyop. America has the best hackers in the world. How much of the Chinese infrastructure is compromised? Probably all of it. Everyone spies on everyone and I am sure this technique is used by many other than the CCP. Probably a lot of fraudsters using it too that might be a bigger risk to ordinary American end users imo.
