On February 7, 2024, CISA issued an advisory detailing their discoveries concerning state-sponsored cyber actors linked to the People’s Republic of China (PRC). Notably, the PRC-affiliated threat actor, Volt Typhoon, is actively engaged in efforts to infiltrate IT networks, with the potential aim of launching cyber attacks on vital U.S. infrastructure in the event of a substantial crisis or conflict with the United States. The targets chosen by Volt Typhoon and their behavioral patterns do not align with their typical cyber espionage or intelligence gathering operations.
Volt Typhoon affiliates were observed targeting the IT systems of critical infrastructure organizations in the United States, particularly in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors. This also includes organizations located in both the contiguous and non-contiguous regions of the United States, such as territories like Guam. Other affected entities include smaller organizations with constrained cybersecurity resources that provide critical services to larger organizations or key geographic locations.
CISA also noted that while a threat to Canada’s Critical Infrastructure is likely lower, there is potential for this activity to impact Canada due to cross-border integration. Furthermore, Australia and New Zealand are identified as potentially vulnerable to similar activities.
Volt Typhoon Observed Attack Chain
CISA and the agencies authoring the advisory detailed how Volt Typhoon conducts attacks. Volt Typhoon begins with conducting extensive reconnaissance to gather intelligence on the target’s network architecture, security measures, and personnel. Using known or zero-day vulnerabilities, they gain initial access and exploit privilege escalation to obtain administrator credentials.
Leveraging these credentials, they move laterally through the network, conducting discovery while minimizing detection. They eventually gain full domain compromise, achieved by extracting the Active Directory database using techniques like Volume Shadow Copy Service (VSS). Offline password cracking allows them to decipher hashed passwords, gaining elevated access for strategic infiltration. Their focus lies in accessing Operational Technology (OT) assets, such as machines, sensors, and control systems. They persist in testing access to domain resources to advance their objectives.
Recommendations
Recommendation #1: Prioritize Product Patching
Volt Typhoon has been observed to target Fortinet, Ivanti, NETGEAR, Citrix, and Cisco Devices for initial access. There have been several critical vulnerabilities exploited in these products by threat actors historically, as indicated by CISA’s Known Exploited Vulnerabilities Catalog. Ensure that these products in your environment are updated with the latest patches, such as the recent patches released for Ivanti products, which were observed to be exploited by other Chinese affiliated threat actors earlier in January.
You can also reference our recent security bulletins, which Arctic Wolf issued to address vulnerabilities found in products that Volt Typhoon has targeted in the past.
- Ivanti (CVE-2024-21887 & CVE-2023-46805)
- Citrix (CVE-2023-6548 & CVE-2023-6549)
- Citrix (CVE-2023-4966 – Citrix Bleed)
- Cisco (CVE-2024-20272)
- Fortinet (CVE-2023-36553)
Recommendation #2: Implement Phishing-Resistant MFA
Arctic Wolf strongly recommends enabling MFA for all accounts to protect against brute force attacks and compromised accounts being purchased by threat actors on the dark web and used for initial access in ransomware cases.
Please note that enabling MFA may have operational considerations in your environment.
Recommendation #3: Implement Security Awareness Training
Due to the phishing techniques by the threat actors outlined in this bulletin, Arctic Wolf recommends using security awareness training campaigns so that users are better able to recognize and report suspicious activities associated with sophisticated phishing campaigns.
References
- CISA Advisory
- AW Blog (CVE-2024-21983)
- AW Blog (CVE-2023-6548 & CVE-2023-6549)
- AW Blog (Citrix Bleed)
- AW Blog (CVE-2024-20272)
- AW Blog (CVE-2023-36553)
- AW Blog (CVE-2024-21887 & CVE-2023-46805)
See other important security bulletins from Arctic Wolf.
