Chinese State-sponsored Group Volt Typhoon Targeting US Critical Infra
By Sean Duca, Palo Alto Networks - VP and Regional Chief Security Officer for Asia Pacific & Japan:
"Microsoft's investigation into Volt Typhoon's malicious activities reveals how critical infrastructures can be compromised using Living-off-the-Land (LotL) cyberattacks. This technique involves attackers leveraging existing tools and utilities on a compromised system for malicious activities. The tools may include PowerShell, WMI, command-line interfaces, and batch files. A typical LotL attack consists of three phases.
First, in reconnaissance, the attacker gathers information about the compromised system, including architecture, software versions, network configuration, and user privileges. This helps identify strengths, weaknesses, and potential exploitation avenues. Second, during the initial access phase, the breach occurs due to vulnerabilities in network devices or unsafe user actions like visiting malicious websites, opening phishing emails, or using infected USB drives. These contain the attack kit with a fileless script. Third, malicious activity execution involves escalating privileges, exfiltrating data, and modifying system configurations. Achieving malicious goals while flying under the radar is vital to this operation.
Mitigation measures:
Corporations, governments, and critical infrastructure providers must revise their cybersecurity strategies to address increasingly sophisticated threats, integrating host and network-based defences. For example, relying solely on endpoint monitoring may allow attackers to evade detection, but network-based defences scrutinise traffic patterns and unexpected communications. As a result, the most effective strategies employ endpoint and network-based defences in tandem, using insights from one system to enhance the other and work together to protect an organisation better.
At the end-user level, implementing application whitelisting ensures that only approved and trusted applications can run on the network. This proactive measure restricts the execution of unauthorised programs or scripts, mitigating the risk of LotL attacks.
LotL attackers also exploit known vulnerabilities in outdated software to gain unauthorised access. Therefore, automated scanning and updating systems across the network are essential to decrease risk. Additionally, using AI-enabled advanced access management solutions, security professionals can focus on intelligence and automation while letting the intelligence and automation manage information and events, thus enabling near real-time detection and response."
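The quote above argues for two host-side controls against LotL activity: an application allowlist that denies anything not approved, and scrutiny of the approved built-ins (PowerShell, WMI, cmd) that an allowlist alone cannot block. The following Python script is an added example, not code from the article or from Palo Alto Networks, showing how those two checks combine over process-creation telemetry. The `Key=Value|Key=Value` record format, the allowlist contents, the parent-process list and every log line are constructed for the illustration and do not correspond to any real policy or incident.

```python
"""Toy LotL triage: application allowlist plus misuse heuristics for approved
built-ins, run over constructed Windows process-creation records."""
import re
from typing import Dict, List

# Constructed allowlist of approved executables (lowercase full paths), standing
# in for an application-whitelisting policy.
ALLOWLIST = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\microsoft office\root\office16\winword.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\wbem\wmic.exe",
    r"c:\windows\system32\cmd.exe",
}

# Built-in tools the quoted text names as LotL favourites; they are approved,
# so the allowlist will never stop them and their usage has to be inspected.
LOTL_BINARIES = {"powershell.exe", "wmic.exe", "cmd.exe"}

# Document and mail clients: the phishing-attachment vector named in the
# quote. They have no business launching a scripting host.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

# Command-line traits that hide script execution or sidestep local policy.
SUSPICIOUS_ARGS = {
    "encoded command": re.compile(r"(?<!\S)-(e|enc|encodedcommand)\b", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "execution policy bypass": re.compile(r"-e(p|x|xecutionpolicy)\s+bypass\b", re.I),
    "wmi process creation": re.compile(r"\bprocess\s+call\s+create\b", re.I),
}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' record. Values may contain
    '=' (partition splits on the first one) but not '|'."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event deserves attention (empty list = clean)."""
    image = event.get("Image", "").lower()
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons: List[str] = []

    # Allowlisting: anything not approved is denied, whatever it is doing.
    if image not in ALLOWLIST:
        reasons.append("image not on allowlist")

    child = basename(image)
    if child in LOTL_BINARIES:
        # Approved binary: judge it by who launched it and how it was invoked.
        if parent in USER_FACING_PARENTS:
            reasons.append(f"{child} spawned by {parent}")
        for label, pattern in SUSPICIOUS_ARGS.items():
            if pattern.search(cmdline):
                reasons.append(label)
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Triage a batch of records, returning only those with findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append({"image": event.get("Image"), "user": event.get("User"), "reasons": reasons})
    return findings


# Constructed sample telemetry: two benign events followed by three that the
# checks above should surface. The base64 blob is a placeholder, not a payload.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=svchost.exe -k netsvcs|User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|ParentImage=C:\Windows\explorer.exe|CommandLine=WINWORD.EXE /n Q3-report.docx|User=CORP\alice",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=powershell.exe -nop -w hidden -enc QUJDREVGR0g=|User=CORP\alice",
    r"Image=C:\Windows\System32\wbem\wmic.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=wmic process call create notepad.exe|User=CORP\alice",
    r"Image=C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|CommandLine=invoice_viewer.exe|User=CORP\alice",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["user"], finding["image"], "->", "; ".join(finding["reasons"]))
```

The two controls catch different things, which is the point of the quote's "host and network" layering applied within the host: the unapproved `invoice_viewer.exe` is stopped by the allowlist regardless of behaviour, while the allowlisted PowerShell launched from Word with a hidden window and an encoded script only stands out because its parent and arguments are inspected. Real deployments would feed these findings to the network-side monitoring the quote describes rather than treating either signal as sufficient on its own.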