Microsoft and the intelligence agencies of the “Five Eyes” nations recently disclosed that a China-based group, tracked under the name Volt Typhoon, infiltrated critical infrastructure organizations in the U.S. and Guam undetected. Active since June 2021, this state-sponsored actor focuses on espionage and information gathering. They use tools already installed or built into infected machines to remain undetected, targeting sectors such as communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.
Microsoft assesses with moderate confidence that the campaign is developing capabilities that could disrupt critical communications infrastructure between the United States and Asia during future crises. The group employs living-off-the-land (LotL) techniques, exfiltrates data from local web browser applications, and leverages stolen credentials for backdoor access. Additionally, it routes traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.
The group has also been observed using custom versions of open source tools to establish a command-and-control (C2) channel over proxy servers and compromised hosts in its C2 proxy network, concealing the true source of the attacks. In one notable incident, the group breached telecommunications networks on the island of Guam, a sensitive U.S. military outpost in the Pacific Ocean, and installed a malicious web shell.
The initial entry vector involves exploiting internet-facing Fortinet FortiGuard devices through an unknown zero-day flaw, although Volt Typhoon has also weaponized flaws in Zoho ManageEngine servers. Microsoft has been assisting targeted or compromised customers with securing their environments, but warns that mitigating such risks can be challenging when threat actors use valid accounts and living-off-the-land binaries (LOLBins).
Secureworks, which tracks the threat group as Bronze Silhouette, noted the group’s careful operational security and reliance on compromised infrastructure to prevent detection and attribution of its intrusion activity. This disclosure coincides with Reuters’ report that Chinese hackers targeted Kenya’s government in a three-year-long series of attacks, allegedly to obtain information about Kenya’s debt to Beijing. The digital offensive is suspected to have been carried out by BackdoorDiplomacy (aka APT15, Playful Taurus, or Vixen Panda), a group known to target government and diplomatic entities across various regions since 2010.
Source: Hackernews
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA (www.infrascan.net), or you can try it yourself using check.website.