{"id":23898,"date":"2024-02-09T07:10:25","date_gmt":"2024-02-09T15:10:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/02\/09\/news-17628\/"},"modified":"2024-02-09T07:10:25","modified_gmt":"2024-02-09T15:10:25","slug":"news-17628","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/02\/09\/news-17628\/","title":{"rendered":"FBI and CISA publish guide to Living off the Land techniques"},"content":{"rendered":"\n

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other authoring agencies have released a joint guidance<\/a> about common living off the land (LOTL) techniques and common gaps in cyber defense capabilities.<\/p>\n

Living Off The Land (LOTL) is a covert cyberattack technique in which criminals carry out malicious activities using legitimate IT administration tools. <\/p>\n

This joint guidance comes alongside a joint Cybersecurity Advisory<\/a> (CSA) called\u00a0PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure.<\/p>\n

These publications are a reaction to recent warnings about attacks on critical infrastructure by groups allegedly connected to the Chinese (PRC) government.<\/p>\n

The FBI recently used a court order to remove malware from hundreds of routers across the US<\/a> because it believed the attack was the work of an Advanced Persistent Threat (APT) group<\/a>\u00a0known as Volt Typhoon. US officials said the botnet was designed to give Chinese attackers persistent access to critical infrastructure. Routing their traffic through these gateways would hide the actual origin of malicious attempts to reach inside utilities and other targets.<\/p>\n

In May of 2023, Microsoft uncovered<\/a> stealthy and targeted malicious activity by Volt Typhoon. The activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.<\/p>\n

As Jen Easterly, the director of CISA put it in a hearing<\/a> before the House Select Committee<\/p>\n

\n

\u201cWe have seen a deeply concerning evolution of Chinese targeting of US critical infrastructure. We have seen them burrowing deep into critical infrastructure to enable destructive attacks. This is a world where a crisis across the world could well endanger the lives of Americans here.\u201d<\/p>\n<\/blockquote>\n

And it\u2019s not just the US. The Dutch Military Intelligence Service (MIVD)<\/a> found a Remote Access Trojan (RAT) on one of their networks which they identified as Chinese malware.<\/p>\n

The Living of the Land (LOTL)<\/a> guide does not exclusively focus on Chinese state actors though. It also includes methods deployed by Russian Federation state-sponsored actors, and will likely apply to Ransomware-as-a-Service (RaaS) gangs that leverage legitimate tools to evade detection too.<\/p>\n

So, it\u2019s important to be aware of what your cybersecurity team, internal or managed (MDR)<\/a> should be looking for when it comes to suspicious use of legitimate tools, unusual network connections, and other signs of malicious activities.<\/p>\n

The guidance stipulates that LOTL is particularly effective because:<\/p>\n