The National Security Agency (NSA) and Five Eyes partner agencies have identified indicators of compromise associated with a People’s Republic of China (PRC) state-sponsored cyber actor dubbed Volt Typhoon, which is using living off the land techniques to target networks across US critical infrastructure.
Volt Typhoon loves living off the land
The joint cybersecurity advisory provides an overview of hunting guidance and associated best practices. It includes examples of the actor’s commands and detection signatures.
The authoring agencies also includes a summary of indicators of compromise (IOC) values, such as unique command-line strings, hashes, file paths, exploitation of CVE-2021-40539 and CVE-2021-27860 vulnerabilities, and file names commonly used by this actor.
As one of their primary tactics, techniques, and procedures (TTP) of living off the land, the PRC actor uses tools already installed or built into a target’s system. This allows the actor to evade detection by blending in with normal Windows systems and network activities, avoiding endpoint detection and response (EDR) products, and limiting the amount of activity that is captured in default logging configurations.
Detection and threat hunting
The NSA recommends network defenders apply the detection and hunting guidance in the cybersecurity advisory, such as logging and monitoring of command line execution and WMI events, as well as ensuring log integrity by using a hardened centralized logging server, preferably on a segmented network.
Defenders should also monitor logs for Event ID 1102, which is generated when the audit log is cleared.
The behavioral indicators noted in the CSA can also be legitimate system administration commands that appear in benign activity. Defenders must evaluate matches to determine the significance, applying their knowledge of the system and baseline behavior.
Microsoft and Secureworks researchers have also released details about the Volt Typhoon (aka Bronze Silhouette) campaigns they detected. They have shared indicators of compromise and mitigation and protection guidance.