From Arctic Wolf

SUMMARY

On February 7, 2024, CISA issued an advisory detailing their discoveries concerning state-sponsored cyber actors linked to the People’s Republic of China (PRC). Notably, the PRC-affiliated threat actor, Volt Typhoon, is actively engaged in efforts to infiltrate IT networks, with the potential aim of launching cyberattacks on vital U.S. infrastructure in the event of a substantial crisis or conflict with the United States. The targets chosen by Volt Typhoon and their behavioral patterns do not align with their typical cyber espionage or intelligence gathering operations.

Volt Typhoon affiliates were observed targeting the IT systems of critical infrastructure organizations in the United States, particularly in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors. This also includes organizations located in both the contiguous and non-contiguous regions of the United States, such as territories like Guam. Other affected entities include smaller organizations with constrained cybersecurity resources that provide critical services to larger organizations or key geographic locations.

CISA also noted that while a threat to Canada’s Critical Infrastructure is likely lower, there is potential for this activity to impact Canada due to cross-border integration. Furthermore, Australia and New Zealand are identified as potentially vulnerable to similar activities.

VOLT TYPHOON OBSERVED ATTACK CHAIN

CISA and the agencies authoring the advisory detailed how Volt Typhoon conducts attacks. Volt Typhoon begins by conducting extensive reconnaissance to gather intelligence on the target’s network architecture, security measures, and personnel. Using known or zero-day vulnerabilities, they gain initial access and then escalate privileges to obtain administrator credentials.

Leveraging these credentials, they move laterally through the network, conducting discovery while minimizing detection. They eventually achieve full domain compromise by extracting the Active Directory database using techniques such as the Volume Shadow Copy Service (VSS). Offline password cracking allows them to recover passwords from the hashes, gaining elevated access for strategic infiltration. Their focus lies in accessing Operational Technology (OT) assets, such as machines, sensors, and control systems. They persist in testing access to domain resources to advance their objectives.
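One defensive check for the database extraction described above, as an added example that is not part of the Arctic Wolf bulletin or CISA's advisory: it flags ESENT Application-log records that reference an ntds.dit file outside the expected location. The event IDs watched, the expected path, the record layout and the sample events are assumptions of this example.

```python
import re

# ESENT event IDs watched here (chosen for this example, not from the bulletin):
# 216 = database location change, 325 = created, 326 = attached, 327 = detached.
WATCHED_IDS = {216, 325, 326, 327}
# Assumed default path of the live AD database on a domain controller.
EXPECTED_PATH = r"c:\windows\ntds\ntds.dit"
# A drive-letter or \\?\ path ending in ntds.dit; spaces in folder names allowed.
NTDS_PATH = re.compile(r"(?:[a-z]:|\\\\\?)\\[^,()'\n]*?ntds\.dit", re.I)


def suspicious_ntds_events(events):
    """Return (host, event_id, path) for each watched ESENT record that
    references an ntds.dit file outside the expected location."""
    findings = []
    for ev in events:
        if ev["source"] != "ESENT" or ev["event_id"] not in WATCHED_IDS:
            continue
        for path in NTDS_PATH.findall(ev["message"]):
            if path.lower() != EXPECTED_PATH:
                findings.append((ev["host"], ev["event_id"], path))
    return findings


# Constructed, simplified Application-log records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "DC01", "source": "ESENT", "event_id": 326,  # normal attach of the live database
     "message": r"NTDS (624,D,0) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit)."},
    {"host": "DC01", "source": "ESENT", "event_id": 325,  # copy created in an unusual folder
     "message": r"backup_tool (4312,D,0) The database engine created a new database (2, C:\Temp\export\Active Directory\ntds.dit)."},
    {"host": "DC01", "source": "ESENT", "event_id": 327,  # same copy detached afterwards
     "message": r"backup_tool (4312,D,0) The database engine detached a database (2, C:\Temp\export\Active Directory\ntds.dit)."},
    {"host": "WS17", "source": "ESENT", "event_id": 326,  # unrelated ESENT database
     "message": r"SearchIndexer (2208,D,0) The database engine attached a database (1, C:\ProgramData\Search\Windows.edb)."},
    {"host": "DC02", "source": "Application Error", "event_id": 1000,  # not an ESENT record
     "message": r"Faulting application path: C:\Temp\ntds.dit"},
]

if __name__ == "__main__":
    for host, event_id, path in suspicious_ntds_events(SAMPLE_EVENTS):
        print(f"{host}: ESENT {event_id} references {path}")
```

Legitimate backup or install-from-media jobs can produce the same records, so hits are leads to review against change records rather than confirmed compromise.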

RECOMMENDATIONS

Recommendation #1: Prioritize Product Patching

Volt Typhoon has been observed to target Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices for initial access. Threat actors have historically exploited several critical vulnerabilities in these products, as indicated by CISA’s Known Exploited Vulnerabilities Catalog. Ensure that these products in your environment are updated with the latest patches, such as the recent patches released for Ivanti products, which were observed to be exploited by other Chinese-affiliated threat actors earlier in January.

You can also reference our recent security bulletins, which Arctic Wolf issued to address vulnerabilities found in products that Volt Typhoon has targeted in the past. 
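A way to turn this recommendation into a worklist, as an added example (not Arctic Wolf's or CISA's code): it matches Known Exploited Vulnerabilities entries for the vendors named above against an asset inventory and orders the open items by remediation due date. The field names follow the KEV catalog's JSON feed; the inventory layout, CVE placeholders, dates and asset names are constructed, and exact product-name matching is an assumption.

```python
from datetime import date

# Vendors the bulletin lists as Volt Typhoon initial-access targets.
VENDORS = {"fortinet", "ivanti", "netgear", "citrix", "cisco"}


def patch_priorities(kev, inventory, today):
    """Return open KEV items for the listed vendors, earliest due date first."""
    rows = []
    for vuln in kev["vulnerabilities"]:
        vendor = vuln["vendorProject"].lower()
        if vendor not in VENDORS:
            continue
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            same_product = (asset["vendor"].lower() == vendor
                            and asset["product"].lower() == vuln["product"].lower())
            if same_product and vuln["cveID"] not in asset["remediated"]:
                rows.append({"asset": asset["name"], "cve": vuln["cveID"],
                             "due": due, "overdue": due < today})
    return sorted(rows, key=lambda r: r["due"])


# Constructed excerpt in the shape of the KEV JSON feed (placeholder CVE IDs and dates).
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Ivanti", "product": "Connect Secure", "dueDate": "2024-01-22"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Fortinet", "product": "FortiOS", "dueDate": "2024-02-16"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Widget", "dueDate": "2024-01-01"},
    {"cveID": "CVE-0000-0004", "vendorProject": "Cisco", "product": "IOS XE", "dueDate": "2023-10-20"},
    {"cveID": "CVE-0000-0005", "vendorProject": "Citrix", "product": "NetScaler ADC", "dueDate": "2024-02-20"},
]}

# Constructed inventory; "remediated" holds CVEs already patched on that asset.
SAMPLE_INVENTORY = [
    {"name": "vpn-gw-1", "vendor": "Ivanti", "product": "Connect Secure", "remediated": set()},
    {"name": "fw-edge-1", "vendor": "Fortinet", "product": "FortiOS", "remediated": {"CVE-0000-0002"}},
    {"name": "rtr-core-1", "vendor": "Cisco", "product": "IOS XE", "remediated": set()},
    {"name": "adc-1", "vendor": "Citrix", "product": "NetScaler ADC", "remediated": set()},
]

if __name__ == "__main__":
    for row in patch_priorities(SAMPLE_KEV, SAMPLE_INVENTORY, date(2024, 2, 7)):
        flag = "OVERDUE" if row["overdue"] else "due"
        print(f'{row["asset"]}: {row["cve"]} {flag} {row["due"]}')
```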

Recommendation #2: Implement Phishing-Resistant MFA

Arctic Wolf strongly recommends enabling MFA for all accounts to protect against brute force attacks and compromised accounts being purchased by threat actors on the dark web and used for initial access in ransomware cases. Please note that enabling MFA may have operational considerations in your environment. 

Recommendation #3: Implement Security Awareness Training

Due to the phishing techniques used by the threat actors outlined in this bulletin, Arctic Wolf recommends using security awareness training campaigns so that users are better able to recognize and report suspicious activities associated with sophisticated phishing campaigns.
