By Hüseyin Can YÜCEEL • June 01, 2023
Related Content
March 4, 2023 • Emerging Threat
CISA Alert AA23-061A: Royal Ransomware Analysis, Simulation and TTPs
READ MORE
March 17, 2023 • Emerging Threat
CISA Alert AA23-074A: Telerik UI CVE-2019-18935 Vulnerability Exploitation
READ MORE
December 12, 2022 • Emerging Threat
CISA Alert AA22-321A: Hive Ransomware Analysis, Simulation, TTPs & IOCs
READ MORE
March 17, 2023 • Emerging Threat
CVE-2023-24880: Vulnerability Exploited by Magniber Ransomware Group
On May 24, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Volt Typhoon, a state-sponsored Chinese APT group [1]. Volt Typhoon threat actors focus on cyber espionage campaigns that target critical infrastructure organizations in the United States and the Asia region. In these operations, the group relies primarily on Living Off The Land Binaries (LOLBins) to evade detection and remain unnoticed in its targets' networks.
In this blog post, we explain the tools and techniques used by Volt Typhoon and how the group abuses Living Off The Land Binaries (LOLBins).
Volt Typhoon (also known as BRONZE SILHOUETTE) is a People's Republic of China (PRC) state-sponsored APT group that focuses on stealthy and targeted cyber espionage campaigns against critical infrastructure organizations. The threat group has been actively targeting communications, construction, education, government, information technology, manufacturing, maritime, transportation, and utility sectors for nearly two years.
The main objective of Volt Typhoon is to collect and exfiltrate sensitive information while avoiding detection. For this purpose, the APT group uses living-off-the-land techniques to disguise its malicious activities as legitimate operations. A typical Volt Typhoon espionage campaign proceeds, in order, through initial access, living-off-the-land reconnaissance, lateral movement, and data exfiltration over C2 channels. At each step, the adversaries use defense evasion techniques to hide their tracks.
T1078 Valid Accounts & T1190 Exploit Public-Facing Application
Volt Typhoon gains initial access to the target environment with stolen credentials for valid accounts. The group is also known to exploit public-facing Fortinet FortiGuard devices, the ManageEngine ADSelfService Plus RCE vulnerability CVE-2021-40539, and the FatPipe RCE vulnerability CVE-2021-27860 for initial access.
T1047 Windows Management Instrumentation
Adversaries use Windows Management Instrumentation (WMI) for discovery, credential dumping, and command execution.
//Information gathering from compromised host
T1059 Command and Scripting Interpreter
Threat actors use PowerShell and Windows Command Shell to execute malicious commands in compromised hosts.
//Copying volume shadow copies
//Dumping LSASS memory for credential access
T1505.003 Server Software Component: Web Shell
Volt Typhoon deploys backdoor web shells to maintain persistent access to compromised networks. The web shell appears to be a derivative of the Awen web shell and can AES-encrypt or base64-encode its C2 communications.
//Snippet from C# based Awen-derivative webshell
string ExcuteCmd(string arg)
T1546 Hide Artifacts & T1070 Indicator Removal
Volt Typhoon selectively removes Windows Event Logs, system logs, artifacts, and other evidence of its malicious activity to hide its presence and limit threat-hunting activities.
T1003 OS Credential Dumping
As a cyber espionage group, Volt Typhoon gathers credentials for valid accounts in its victims' networks. These credentials let the actors navigate and execute commands in the network without raising alerts. For credential dumping, they extract the ntds.dit file and the SYSTEM registry hive from Windows domain controllers or from volume shadow copies. From the extracted ntds.dit and SECURITY files, Volt Typhoon harvests the credentials of valid accounts.
//creating volume shadow copy
//extracting ntds.dit from shadow copy
Volt Typhoon enumerates compromised networks to discover users, hosts, and services. The gathered information is leveraged in the data exfiltration and lateral movement phases of the attack campaign.
//T1033 System Owner/User Discovery
//T1069 Permission Groups Discovery
whoami
net localgroup administrators
net group /dom
net group "Domain Admins" /dom
//T1016 System Network Configuration Discovery
//T1082 System Information Discovery
arp -a
dnscmd . /enumrecords /zone {REDACTED}
ipconfig /all
netsh interface firewall show all
netsh interface portproxy show all
netsh interface portproxy show v4tov4
netsh firewall show all
netsh portproxy show v4tov4
netstat -ano
reg query hklm\software\
systeminfo
tasklist /v
wmic volume list brief
wmic service brief
wmic product list brief
wmic baseboard list full
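The command lists above (shadow-copy and LSASS handling, ntds.dit extraction, event-log removal, and the discovery burst) describe what a defender sees in process-creation telemetry. The following script is an added example, not code from the Picus post or the CISA advisory: it triages constructed process-creation events, alerts on single credential-access or log-clearing hits, and raises one alert per host when several distinct discovery techniques run inside a ten-minute window. The log format, host and user names, and the regex patterns are assumptions made for the demo.

```python
"""Added example (not code from the Picus post or the CISA advisory):
triage of process-creation telemetry for the living-off-the-land command
patterns described above. The log lines are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands are normal admin activity one at a time; the detector
# alerts only when several distinct discovery techniques run on one host
# inside a short window, the burst the command list above would produce.
DISCOVERY = {
    "T1033": [r"^whoami\b"],
    "T1069": [r"^net\s+(localgroup|group)\b"],
    "T1016": [r"^arp\s+-a", r"^ipconfig\s+/all", r"^netsh\s+.*(portproxy|firewall)",
              r"^netstat\s+-ano", r"^dnscmd\b"],
    "T1082": [r"^systeminfo\b", r"^tasklist\b", r"^reg\s+query\b",
              r"^wmic\s+(volume|service|product|baseboard)\b"],
}
# Single-hit rules: shadow-copy creation, ntds.dit handling or an LSASS dump
# (T1003) and event-log clearing (T1070) are worth an alert on their own.
SINGLE_HIT = {
    "T1003 credential access": [r"vssadmin\s+create\s+shadow",
                                r"wmic\s+shadowcopy\s+call\s+create",
                                r"ntds\.dit", r"\bntdsutil\b",
                                r"lsass.*(dump|\.dmp)", r"(dump|minidump).*lsass"],
    "T1070 indicator removal": [r"^wevtutil\s+cl\b"],
}
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_TECHNIQUES = 3

# Constructed events, assumed format: "<ISO timestamp> <host> <user> <command line>",
# already in chronological order (the window check relies on that).
SAMPLE_LOG = [
    "2023-05-24T09:00:01 WS-ACCT-07 corp\\jdoe ipconfig /all",
    "2023-05-24T09:45:10 DC01 corp\\svc_ops whoami",
    '2023-05-24T09:45:12 DC01 corp\\svc_ops net group "Domain Admins" /dom',
    "2023-05-24T09:45:15 DC01 corp\\svc_ops netsh interface portproxy show v4tov4",
    "2023-05-24T09:45:20 DC01 corp\\svc_ops tasklist /v",
    "2023-05-24T09:46:02 DC01 corp\\svc_ops wmic shadowcopy call create Volume=C:\\",
    "2023-05-24T09:47:30 DC01 corp\\svc_ops cmd /c copy "
    "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\n.dit",
    "2023-05-24T09:50:00 DC01 corp\\svc_ops wevtutil cl Security",
    "2023-05-24T11:00:00 WS-ACCT-07 corp\\jdoe systeminfo",
]


def _matches(patterns, cmd):
    return any(re.search(p, cmd, re.IGNORECASE) for p in patterns)


def classify(cmd):
    """Map a command line to ("discovery", technique), ("single", rule) or None."""
    for technique, patterns in DISCOVERY.items():
        if _matches(patterns, cmd):
            return ("discovery", technique)
    for rule, patterns in SINGLE_HIT.items():
        if _matches(patterns, cmd):
            return ("single", rule)
    return None


def triage(lines):
    """Return alerts: every single-hit match plus one discovery-burst alert per host."""
    alerts, burst_hosts = [], set()
    history = defaultdict(list)  # host -> [(timestamp, technique)]
    for line in lines:
        ts_text, host, user, cmd = line.split(maxsplit=3)
        ts = datetime.fromisoformat(ts_text)
        hit = classify(cmd)
        if hit is None:
            continue
        kind, label = hit
        if kind == "single":
            alerts.append({"rule": label, "host": host, "user": user, "cmd": cmd})
            continue
        history[host].append((ts, label))
        # Distinct discovery techniques seen on this host within the window.
        recent = {t for t0, t in history[host] if ts - t0 <= WINDOW}
        if len(recent) >= MIN_DISTINCT_TECHNIQUES and host not in burst_hosts:
            burst_hosts.add(host)
            alerts.append({"rule": "discovery burst", "host": host, "user": user,
                           "techniques": sorted(recent)})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

On the sample, the workstation's two discovery commands two hours apart produce nothing, while DC01 trips the burst rule at the third distinct technique and then produces three single-hit alerts. Tune WINDOW and MIN_DISTINCT_TECHNIQUES against your own baseline of administrator activity before relying on the burst rule.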
T1090 Proxy
Volt Typhoon uses compromised small office/home office (SOHO) network devices as a proxy to hide the malicious traffic between their victims' network and C2 servers.
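The discovery list above includes netsh interface portproxy show v4tov4, which prints the host's port-forwarding table; the same table is what a defender inspects when auditing a host for unexpected proxying (T1090). The script below is an added example, not code from the Picus post or the CISA advisory: it parses the text layout of that command's output and flags forwarders that are not on an approved list, listen on all interfaces, or forward outside the organization's internal ranges. The sample output, the approved list and the internal networks are constructed assumptions.

```python
"""Added example (not from the Picus post or the CISA advisory): audit of
`netsh interface portproxy show v4tov4` output for unexpected forwarders."""
import ipaddress

# Assumed layout of the netsh output: a header, a column line, a dashes
# line and then one rule per line: listen address, port, connect address, port.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
127.0.0.1       8080        10.10.5.20      8080
0.0.0.0         4443        203.0.113.45    443
*               9000        192.168.1.7     3389
"""

# Constructed for the demo: forwarders change control has approved, and the
# address ranges the organization considers internal.
APPROVED = {("127.0.0.1", 8080, "10.10.5.20", 8080)}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def parse_portproxy_v4tov4(output):
    """Return the rules in the output as dicts; header and separator lines are skipped."""
    rules = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            listen_port, connect_port = int(parts[1]), int(parts[3])
        except ValueError:
            continue  # "Address Port Address Port" and the dashes line
        rules.append({"listen_addr": parts[0], "listen_port": listen_port,
                      "connect_addr": parts[2], "connect_port": connect_port})
    return rules


def is_internal(addr):
    """True when addr parses as an IP inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a hostname; treat as not internal
    return any(ip in net for net in INTERNAL_NETS)


def audit_portproxy(rules, approved=APPROVED):
    """Return every rule not on the approved list, with the reasons it stands out."""
    findings = []
    for r in rules:
        key = (r["listen_addr"], r["listen_port"], r["connect_addr"], r["connect_port"])
        if key in approved:
            continue
        reasons = ["not in approved list"]
        if r["listen_addr"] in ("*", "0.0.0.0"):
            reasons.append("listens on all interfaces")
        if not is_internal(r["connect_addr"]):
            reasons.append("forwards outside internal ranges")
        findings.append({**r, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_portproxy(parse_portproxy_v4tov4(SAMPLE_OUTPUT)):
        print(finding)
```

In a real deployment the output would come from running the netsh command on each host (for example through your endpoint management tooling) and the approved list from change records; the parser is the piece that does not change between hosts.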
We also strongly suggest simulating Volt Typhoon attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as Lazarus, Turla, APT33, and Sandworm, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Volt Typhoon group:
Threat ID | Threat Name | Attack Module
55804 | Volt Typhoon Threat Group Campaign 2023 | Endpoint
References
[1] "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a