Vane3alga

Business
Focused
Technology

From Arctic Wolf

SUMMARY

On February 7, 2024, CISA issued an advisory detailing their discoveries concerning state-sponsored cyber actors linked to the People’s Republic of China (PRC). Notably, the PRC-affiliated threat actor, Volt Typhoon, is actively engaged in efforts to infiltrate IT networks, with the potential aim of launching cyberattacks on vital U.S. infrastructure in the event of a substantial crisis or conflict with the United States. The targets chosen by Volt Typhoon and their behavioral patterns do not align with their typical cyber espionage or intelligence gathering operations.

Volt Typhoon affiliates were observed targeting the IT systems of critical infrastructure organizations in the United States, particularly in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors. This also includes organizations located in both the contiguous and non-contiguous regions of the United States, such as territories like Guam. Other affected entities include smaller organizations with constrained cybersecurity resources that provide critical services to larger organizations or key geographic locations.

CISA also noted that while a threat to Canada’s Critical Infrastructure is likely lower, there is potential for this activity to impact Canada due to cross-border integration. Furthermore, Australia and New Zealand are identified as potentially vulnerable to similar activities.

VOLT TYPHOON OBSERVED ATTACK CHAIN

CISA and the agencies authoring the advisory detailed how Volt Typhoon conducts attacks. Volt Typhoon begins with conducting extensive reconnaissance to gather intelligence on the target’s network architecture, security measures, and personnel. Using known or zero-day vulnerabilities, they gain initial access and exploit privilege escalation to obtain administrator credentials. 

Leveraging these credentials, they move laterally through the network, conducting discovery while minimizing detection. They eventually gain full domain compromise, achieved by extracting the Active Directory database using techniques like Volume Shadow Copy Service (VSS). Offline password cracking allows them to decipher hashed passwords, gaining elevated access for strategic infiltration. Their focus lies in accessing Operational Technology (OT) assets, such as machines, sensors, and control systems. They persist in testing access to domain resources to advance their objectives. 

RECOMMENDATIONS

Recommendation #1: Prioritize Product Patching

Volt Typhoon has been observed to target Fortinet, Ivanti, NETGEAR, Citrix, and Cisco Devices for initial access. There have been several critical vulnerabilities exploited in these products by threat actors historically, as indicated by CISA’s Known Exploited Vulnerabilities Catalog. Ensure that these products in your environment are updated with the latest patches, such as the recent patches released for Ivanti products, which were observed to be exploited by other Chinese affiliated threat actors earlier in January. 

You can also reference our recent security bulletins, which Arctic Wolf issued to address vulnerabilities found in products that Volt Typhoon has targeted in the past. 

Recommendation #2: Implement Phishing-Resistant MFA

Arctic Wolf strongly recommends enabling MFA for all accounts to protect against brute force attacks and compromised accounts being purchased by threat actors on the dark web and used for initial access in ransomware cases. Please note that enabling MFA may have operational considerations in your environment. 

Recommendation #3: Implement Security Awareness Training

Due to the phishing techniques by the threat actors outlined in this bulletin, Arctic Wolf recommends using security awareness training campaigns so that users are better able to recognize and report suspicious activities associated with sophisticated phishing campaigns.

REFERENCES

Success Stories

President, Transportation Company

Your technical support team has always been able to handle our needs quickly, efficiently, and patiently. We appreciate your timeliness and the hours you have saved us. It is great to know that we have people at IT360 capable to provide solutions to our problems.

President, Transportation Company

Recent
Technology News

IT 360 News - Successful Automation, Seamless Invoice Processing
Successful Automation, Seamless Invoice Processing

In the fast-paced world of managed IT services, efficiency and accuracy in financial operations are crucial for maintaining client trust and operational effectiveness. IT360 is proud to announce the successful completion of a critical project aimed at streamlining our invoice processing system, addressing a challenge that had been impacting our financial workflows. Problem Overview: IT360 […]

Read more
IT 360 News - Elevate Your Communication with IT360’s Advanced Phone Solutions
Elevate Your Communication with IT360’s Advanced Phone Solutions

Unleash the Power of Seamless Connectivity Welcome to IT360, where cutting-edge technology meets unparalleled communication efficiency. Our advanced phone systems are expertly designed to cater to the diverse needs of modern businesses, ensuring you stay connected in today’s fast-paced world. Transform your business’s communication infrastructure into a robust, adaptable, and scalable network with our solutions, […]

Read more