Microsoft: Chinese hackers (Volt Typhoon) breach US infrastructure

According to Microsoft, the Chinese cyber espionage group it's tracking called Volt Typhoon is targeting critical infrastructure organizations across the US, including Guam, at least until mid-2021.

chinese hacker

Its victims include a wide range of critical sectors such as government, shipping, telecommunications, manufacturing, , utilities, transport, construction and education.

The first attack vector is device tampering FortiGuard exposed to the internet by exploiting an unknown 0day vulnerability.

Once the target's network is compromised, they can use hands-on activities with the keyboard and PowerShell, Certutil, Netsh, Windows Management Instrumentation Line (WMIC) etc. Live off-the-land binaries (LOLBin) to launch what Microsoft describes as “living off-the-land” attacks.

However, according to a joint advisory released today by the FBI, NSA, CISA and the Australian, New Zealand, UK and Canadian cyber security agencies, they have identified Fast Reverse Proxy (frp), the hacking tool Mimikatz credentials, the Impacket network and frameworks, and more code have also been observed.

Volt Typhoon combines malicious activity with legitimate network traffic to evade detection, including ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel routers, firewalls, and VPN devices in compromised small and home office (SOHO) environments.

Using the privileged access gained after a Fortinet appliance is compromised, government hackers can deny credentials through the Local Security Authority Subsystem Service (LSASS).

The stolen credentials allow them to deploy an Awen-based web shell to export and persist data to the compromised system.

china hackers

As Mandiant Intelligence chief analyst John Hultquist said, these intrusions into US critical infrastructure organizations are a concerted effort to give China the advantage in the event of a future conflict between the two countries. It appears to be part of a concerted effort to give access to China in the event of a future conflict between the two countries.

"There are many reasons for targeting critical infrastructure, but an unrelenting focus on these areas may indicate preparations for disruptive or destructive cyber attacks," said Hultquist.

States conduct long-term incursions into critical infrastructure to prepare for potential conflicts. Similar emergency invasions are regularly carried out by states.

Over the past decade, Russia has targeted several critical infrastructure sites in operations that would not be considered rapid launch operations. China has similarly targeted the oil and gas sector in the past. While these operations are aggressive and potentially dangerous, they do not necessarily indicate that an attack is imminent."

Microsoft said it followed its normal procedures and proactively contacted all customers targeted or compromised in these attacks, providing them with the information they needed to protect their networks from future breach attempts.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.084 registrants.
Volt Typhoon, Microsoft

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).