Security News > 2023 > May > Five Eyes agencies detail how Chinese hackers breached US infrastructure
The National Security Agency and Five Eyes partner agencies have identified indicators of compromise associated with a People's Republic of China state-sponsored cyber actor dubbed Volt Typhoon, which is using living off the land techniques to target networks across US critical infrastructure.
The authoring agencies also includes a summary of indicators of compromise values, such as unique command-line strings, hashes, file paths, exploitation of CVE-2021-40539 and CVE-2021-27860 vulnerabilities, and file names commonly used by this actor.
As one of their primary tactics, techniques, and procedures of living off the land, the PRC actor uses tools already installed or built into a target's system.
This allows the actor to evade detection by blending in with normal Windows systems and network activities, avoiding endpoint detection and response products, and limiting the amount of activity that is captured in default logging configurations.
The NSA recommends network defenders apply the detection and hunting guidance in the cybersecurity advisory, such as logging and monitoring of command line execution and WMI events, as well as ensuring log integrity by using a hardened centralized logging server, preferably on a segmented network.
Defenders should also monitor logs for Event ID 1102, which is generated when the audit log is cleared.
News URL
https://www.helpnetsecurity.com/2023/05/25/volt-typhoon/
Related news
- US charges Chinese hackers linked to critical infrastructure breaches (source)
- Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits (source)
- Chinese military-linked companies dominate US digital supply chain (source)
- Chinese Weaver Ant hackers spied on telco network for 4 years (source)
- Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps (source)
- Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years (source)
- Chinese FamousSparrow hackers deploy upgraded malware in attacks (source)
- China reportedly admitted directing cyberattacks on US infrastructure (source)
- Chinese snoops use stealth RAT to backdoor US orgs – still active last week (source)
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-12-08 | CVE-2021-27860 | Unrestricted Upload of File with Dangerous Type vulnerability in Fatpipeinc Ipvpn Firmware and Warp Firmware A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. | 8.8 |
| 2021-09-07 | CVE-2021-40539 | Use of Incorrectly-Resolved Name or Reference vulnerability in Zohocorp Manageengine Adselfservice Plus Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. | 9.8 |