Volt Typhoon old news for Check Point

Last Wednesday, Microsoft issued warning claiming that state-backed Chinese hackers have breached "critical" cyber infrastructure in various industries, including government and communications organizations.

volt typhoon

"The United States and international cybersecurity authorities are issuing this joint cybersecurity advisory (CSA) to highlight the newly discovered group associated with a state-sponsored cyber agent of the People's Republic of China (PRC), also known as Volt Typhoon," refers to a statement issued by the authorities of the US, Australia, Canada, New Zealand and the United Kingdom – countries that make up the Five Eyes intelligence network.

In this recommendation, and in an accompanying one suspension on Microsoft's blog, it is described that Volt Typhoon forwards all its network traffic to its targets via mediation through compromised SOHO network edge devices (including routers). Many of the devices, including those made by ASUS, Cisco, D-Link, NETGEAR and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet. 

Target Network Devices: Not for the first time

Attacks originating from China-based cyberespionage groups are nothing new to Check Point Research and the cybersecurity community. Chinese APT groups such as Volt Typhoon have a history of sophisticated cyberespionage campaigns. Their primary motivation is often to gather strategic intelligence, target disruption, or simply confirm a position in networks for future operations. The recent announcement identifies a variety of techniques used by these threat actors, but of particular interest is their focus on "living off the ground" and exploiting network devices such as routers.

Recently, in the last one of report, Check Point Research (CPR) revealedε that in recent months watches ptena a series of targeted attacks on European foreign affairs bodies. These campaigns have been linked to a Chinese state-sponsored APT group that watch as Camaro Dragon, which shares similarities with the previously mentioned activities που are conducted by state-sponsored Chinese threat actors, namely Mustang Panda.

Comprehensive analysis of these attacks revealed a malicious firmware patch tailored for TP-Link routers. The implant features several malicious components, including a custom backdoor named “Horse Shell” that allows attackers to maintain permanent access, create anonymous infrastructure, and allow lateral movement into compromised networks.

The US is not the only target of espionage

In March 2023, we unraveled the tangle of Chinese-origin espionage attacks against government entities in Southeast Asia, particularly nations with similar territorial claims or strategic infrastructure projects, such as Vietnam, Thailand, and Indonesia.

In July 2021, the CERT-FR reported a major campaign conducted by the Chinese threat actor APT31. They discovered that the attacker was using a mesh network of compromised routers that were orchestrated using malware they called “Pakdoor”.

In a previous one recommendation of CISA from 2021, listed common techniques used by Chinese-sponsored APTs. Among them they state that attackers target vulnerable routers as part of their operational infrastructure to avoid detection and host Command and Control activity.

Why are edge devices central to the attack strategy?

Recent years have seen the growing interest of Chinese threat actors in compromising endpoint devices, with the goal of both creating resilient and more anonymous C&C infrastructures and gaining footholds in certain targeted networks.

Often considered the perimeter of an organization's digital estate, network devices such as routers serve as the first point of contact for Internet communication. They are responsible for routing and managing network traffic, both legitimate and potentially malicious. By compromising these devices, attackers can mix their traffic with legitimate communications, making detection significantly more difficult. These devices, when reset or compromised, also allow attackers to funnel communications through the network, effectively anonymizing their traffic and avoiding traditional detection methods.

This strategy also complements Volt Typhoon's “living except Earthς". Instead of using malware, which can be detected by many modern security systems, these actors use built-in network management tools such as wmic, ntdsutil, netsh, and PowerShell. Malicious activities get lost in the sea of ​​benign ones management, making it difficult for defenders to identify attackers among legitimate users.

Such techniques also allow the APT team to maintain its persistence on the network. Hacking Small Office/Home Office (SOHO) network devices can be used as an intermediate infrastructure to hide their true origin and maintain control of a network even if other elements of their operation are discovered and removed. A backdoor is a powerful tool for an APT, allowing for a second wave of attacks or leakage even when an organization believes the threat has been neutralized.

Η -agnostic nature of the attacks

Η of the diagnostic nature of the firmware of the implanted components indicates that a wide range of devices and vendors may be at risk.

In addition, the discovery of the diagnostic nature of the firmware of the implanted components indicates that a wide range of devices and vendors may be at risk. We hope that our research will help improve the security posture of both organizations and individuals. In the meantime, remember to keep your network devices up-to-date and secure and watch out for any suspicious activity on your network

Protecting your network

The revelation of recent spyware attacks underscores the importance of taking action from similar attacks. Here are some recommendations for detection and protection:

  • Software Updates

Regularly updating the firmware and software of routers and other devices is critical to preventing vulnerabilities that attackers can exploit.

  • Up-to-Date Patches
    Keeping computers up-to-date and applying security patches, especially those designated as critical, can help reduce an organization's vulnerability to ransomware attacks, as these patches are often overlooked or too late to provide the required protection.

  • Default Credentials
    Change the default login credentials of any internet-connected device to stronger passwords and use multi-factor authentication whenever possible. Attackers often scan the internet for devices that still using default or weak credentials.

  • Of Vital Importance is Pcapture Threats

Check Point's network security solutions provide advanced threat prevention and real-time network protection against sophisticated attacks like those used by the Camaro Dragon APT team. This includes protection against exploits, malware and other advanced threats. The Quantum IoT Protect by Check Point automatically detects and maps IoT devices and assesses risk, prevents unauthorized access to and from IoT/OT devices with zero-trust profiling and segmentation, and prevents attacks against IoT devices.

Manufacturers can better secure their devices from malware and cyberattacks. New regulations in the US and Europe require vendors and manufacturers to ensure that devices do not pose risks to users and to include safety features inside the device.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.081 registrants.
Volt Typhoon, Check Point

Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).