In this blog, we’ll review Volt Typhoon, dig into how they evade detection, discuss CISA’s protective recommendations, and see how Malwarebytes EDR can help eliminate such threats.<\/p>\n
Who is Volt Typhoon?<\/h2>\n
Given their ties to the Chinese government, it’s fair to label Volt Typhoon as an Advanced Persistent Threat (APT) group<\/a>.<\/p>\n Well-funded and made up of an elite squadron of hackers, APT groups target high-value entities like governments, large corporations, or critical infrastructure. They often deploy multi-stage, multi-vector approaches with a high degree of obfuscation and persistence.<\/p>\n Volt Typhoon is no exception.<\/p>\n Since their arrival on the scene in mid-2021, Volt Typhoon has targeted several critical infrastructure organizations in Guam and elsewhere in the United States. Their victims come from a wide-range of industries, including communications, government, information technology (IT), education, and more.<\/p>\n Observed behavior suggests that the aim of Volt Typhoon is, like most APT groups, not a quick hit but a long-term presence within a system, allowing them to gather as much information as possible while remaining undetected.<\/p>\n Now that we know the basics of who Volt Typhoon is and what they’re after, let’s dive into the specifics of their tools, techniques, and procedures (TTPs).<\/p>\n At the heart of Volt Typhoon’s espionage campaigns are their use of living off the land (LOTL) attacks, which are instances when attackers leverage legitimate tools to evade detection.<\/p>\n The fact that so much of the CISA advisory revolves around Volt Typhoon’s use of LOTL techniques emphasizes that these types of threats are a serious concern. By mimicking normal system behavior, LOTL attacks make it extremely difficult for IT teams and security solutions to detect any signs of malicious activities.<\/p>\n Some of the built-in tools Volt Typhoon uses are wmic, ntdsutil, netsh, and PowerShell.<\/p>\n Let’s look at two examples of how Volt Typhoon uses LOTL attacks at different stages in the attack chain.<\/p>\n Volt Typhoon gathers information about local drives using the wmic command, which is a part of the legitimate Windows Management Instrumentation (WMI) toolset.<\/p>\n This command line tool lets them gather details like drive letter, filesystem type, free space, and volume name without needing administrative privileges.<\/p>\n Understanding the storage layout and capacity of the host machine in this way can, for example, help them tailor their tools and techniques to the specific system.<\/p>\n Volt Typhoon attempts to capture two vital assets from Windows Domain Controllers (DCs): the ntds.dit file and the SYSTEM registry hive. Both of these contain a wealth of data, including user details, group affiliations, and encrypted passwords—all of which can be goldmines for unauthorized actors.<\/p>\n To access this information, they utilize the built-in Windows service called Volume Shadow Copy Service. This service helps them create clones of the ntds.dit file and the SYSTEM registry hive, both typically locked due to their importance.<\/p>\n These cloned copies allow Volt Typhoon to avoid modifying the original files, thereby maintaining stealth. By acquiring these files, the attackers can work towards decrypting passwords offline without raising alarms.<\/p>\n Uncovering LOTL attacks such as the type that Volt Typhoon uses requires picking up on subtle anomalies or patterns in system behaviors.<\/p>\n Likewise, CISAs advice to businesses emphasizes the importance of enhancing detection of potential LOTL attacks through robust logging mechanisms, inspecting abnormal account activities, and more:<\/p>\nHow Volt Typhoon evades detection<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/business\/2023\/05\/easset_upload_file2336_267684_e.jpg\")
Script Block Logging records all blocks of code as they’re executed by PowerShell, which could you point to suspicious activity. Source<\/a>.<\/em><\/p>\nLOTL Example #1: Reconnaissance<\/h3>\n
cmd.exe \/C \"wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename\"<\/code><\/p>\nLOTL Example #2: Credential Access<\/h3>\n
cmd \/c vssadmin create shadow \/for=C: > C:WindowsTemp<filename>.tmp<\/code><\/p>\ncmd \/c copy \\?GLOBALROOTDeviceHarddiskVolumeShadowCopy3WindowsNTDSntds.dit<\/code>C:WindowsTemp > C:WindowsTemp<filename>.tmp<\/code><\/p>\nCISA best practices<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/business\/2023\/05\/easset_upload_file45569_267684_e.png\")
<\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/business\/2023\/05\/easset_upload_file25138_267684_e.png\")
Responding to nation-state sponsored attacks quickly and effectively<\/h2>\n