19/11/2024 | News release | Archived content
Volt Typhoon, a state-sponsored actor linked to the People's Republic of China, has consistently targeted U.S. critical infrastructure with the intent to maintain persistent access. Tenable Research examines the tactics, techniques and procedures of this threat actor.
The cyberthreat landscape is always evolving, with security teams continuously facing new threats and attacks from a myriad of malicious groups, including ransomware gangs and small collectives chasing financial gain or even clout in the hacking community. Meanwhile, advanced persistent threat (APT) actors continue to loom in the shadows, carefully planning and executing their next attack. One such APT group is Volt Typhoon, a People's Republic of China (PRC) state-sponsored actor. Volt Typhoon has been the subject of multiple cybersecurity advisories (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA) along with joint partners, including international cybersecurity agencies, with warnings of the threat group targeting critical infrastructure in the U.S. and beyond. According to multiple reports, Volt Typhoon operates by pre-positioning themselves, actively working to maintain persistence in anticipation of conducting future attacks targeting U.S critical infrastructure, showing a specific interest in operational technology (OT) environments. Targeted sectors include communications, energy, transportation systems and water and wastewater systems. Volt Typhoon, historically associated with BRONZE SILHOUETTE, has been categorized under various aliases by different threat intelligence teams. These include Voltzite and Insidious Taurus in certain intelligence circles, DEV-0391 by Microsoft and UNC3236 by Mandiant (FireEye) before its formal attribution as Volt Typhoon. Additionally, CrowdStrike tracks the group under the name Vanguard Panda. As we examine the tactics, techniques and procedures (TTPs) employed by Volt Typhoon, we will also discuss known vulnerabilities associated with this threat actor.
Volt Typhoon is a sophisticated threat group whose expertise lies in maintaining persistence for as long as possible. They achieve this by blending in with seemingly normal-looking traffic using living off the land (LOTL) techniques, meaning they'll utilize an operating system's (OS) built-in tools. Additionally, this group works using hands-on-keyboard attacks, rather than relying on automated malware scripts. This allows them to customize their attacks and conduct reconnaissance of a target in a stealthy manner. Volt Typhoon typically gains initial access to targets by exploiting unpatched vulnerabilities including zero-day flaws. In an effort to make traffic to their targets seem more benign, they utilize compromised small-office home-office (SOHO) routers and network devices as intermediary devices to proxy their traffic. This makes their network traffic seem legitimate and helps to avoid any geolocation firewall rules. For more information, read the blog Volt Typhoon: What State and Local Government Officials Should Know.
Source: Microsoft Threat Intelligence
Initial access
Volt Typhoon typically gains initial access to targeted systems by exploiting vulnerabilities in publicly exposed systems, specifically firewalls, VPN appliances and web servers. The group takes advantage of weak credentials and unpatched vulnerabilities in perimeter devices. Once inside, Volt Typhoon leverages legitimate tools already present within the system to avoid detection.
SOHO devices: unsecured, unpatched and misconfigured
Thanks to unpatched, end-of-life (EOL) or misconfigured network devices that are internet accessible, Volt Typhoon capitalizes on compromising these devices in order to proxy their traffic and utilize the devices as launch points for their attacks. This includes devices from ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe and Zyxel USG. These network devices are widely used and many EOL devices have known and exploitable vulnerabilities with readily available exploit code. Others may be misconfigured, leaving administrative portals internet accessible and utilizing default credentials. Once compromised, these devices are then implanted with the KV Botnet malware.
Living-off-the-land tactics
Rather than deploying custom malware or tools, Volt Typhoon uses native Windows tools like cmd.exe, netsh and PowerShell to execute commands and conduct lateral movement across compromised networks. By avoiding the use of external tools, the group minimizes their digital footprint, making detection through traditional signature-based antivirus systems more challenging. Many of these commands are not logged by the OS and, in cases where logging is enabled, the threat actors can rotate or delete the logs to hide evidence of the commands they executed.
Credential harvesting and lateral movement
Volt Typhoon utilizes credential dumping techniques to extract valuable login information from compromised systems. Tools like Mimikatz are deployed to extract credentials from memory, which are used to move laterally across the network. Remote desktop protocol (RDP) and other remote desktop tools are often used to facilitate further access to internal systems.
Once inside, Volt Typhoon maintains persistence by modifying legitimate software and using the built-in Windows Task Scheduler to establish scheduled tasks for regular access, ensuring long-term surveillance capabilities. The threat actor focuses on exfiltrating sensitive data and monitoring critical infrastructure communications.
Volt Typhoon has been observed creating a shadow copy of ntds.dit, the main Active Directory (AD) database. This file contains password hashes which the threat actor can attempt to crack offline and utilize any stolen passwords to continue exploitation of a network. Because they rely on using built-in OS commands, they are able to keep a low profile and evade endpoint detection and response (EDR) solutions in what seems like benign system activity.
Known CVEs commonly exploited by Volt Typhoon
While not an exhaustive list, the table below highlights some of the CVEs known to have been exploited by Volt Typhoon.
CVE | Description | CVSSv3 Score | VPR |
CVE-2021-27860 | FatPipe WARP, IPVPN, MPVPN Unrestricted Upload of File with Dangerous Type | 8.8 | 7.4 |
CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | 9.8 | 9 |
CVE-2022-42475 | Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | 9.8 | 8.9 |
CVE-2023-27997 | Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | 9.8 | 9 |
CVE-2024-39717 | Versa Director File Upload Vulnerability | 7.2 | 8.4 |
*Please note: Tenable's Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on November 19 and reflects VPR at that time.
Unpatched VPNs targeted - a recurring trend
Volt Typhoon's exploitation of unpatched vulnerabilities in Virtual Private Network (VPN) solutions is part of a broader trend seen across many APT groups. Threat actors leverage these VPN flaws to bypass security controls and establish long-term access within networks. Their focus on exploiting unpatched VPNs mirrors tactics of other state-sponsored actors, such as the Iranian threat actors detailed in the AA24-241A Joint Cybersecurity Advisory, who similarly target and exploit known VPN vulnerabilities to gain initial access and carry out espionage or disruptive campaigns. This recurring pattern underscores the critical need for organizations, particularly those in critical infrastructure, to prioritize patch management and ensure robust security for VPN systems.
The availability of proof-of-concept (PoC) exploits for the vulnerabilities exploited by Volt Typhoon varies across different CVEs. For CVE-2021-27860, there is no known public PoC currently available. In contrast, CVE-2021-40539, a vulnerability in Zoho ADSelfService Plus, has a partial PoC provided by Synacktiv, both in the form of a technical analysis and a working exploit shared on GitHub. This resource offers detailed guidance on how to achieve remote code execution by manipulating requests to the vulnerable service.
For CVE-2022-42475 and CVE-2023-27997 impacting Fortinet's FortiOS and FortiProxy SSL-VPN systems, public PoCs are readily available on platforms like GitHub (CVE-2023-27997 for example) and have been widely shared on X (formerly Twitter). These PoCs demonstrate how attackers can exploit heap-based buffer overflows to achieve remote code execution, highlighting the criticality of patching affected systems.
Lastly, there is no publicly available PoC for CVE-2024-39717, a newly disclosed file upload vulnerability in Versa Director.
The varying availability of these PoCs stresses the need for organizations to proactively patch and monitor for signs of exploitation.
Each of the vulnerabilities flagged as targeted by Volt Typhoon have patches and mitigations released by the respective vendors. We recommend reviewing each of the vendors' advisories shown below:
Tenable offers several solutions to help identify potential exposures and attack paths as well as identifying systems vulnerable to the CVEs mentioned in this blog. For a holistic approach, we recommend Tenable One. The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies - including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.
Tenable Plugin Coverage
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2021-40539, CVE-2021-27860, CVE-2022-42475, CVE-2023-27997 and CVE-2024-39717. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Tenable attach path techniques
MITRE ATT&CK ID | Description | Tenable attack path techniques |
T1003.001 | OS Credential Dumping: LSASS Memory | T1003.001_Windows |
T1003.003 | OS Credential Dumping: NTDS | T1003.003_Windows |
T1012 | Query Registry | T1012_Windows |
T1059.001 | Command and Scripting Interpreter: PowerShell | T1059.001_Windows |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | T1059.003_Windows |
T1069.001 | Permission Groups Discovery: Local Groups | T1069.001_Windows |
T1069.002 | Permission Groups Discovery: Domain Groups | T1069.002_Windows |
T1078.002 | Valid Accounts: Domain Accounts | T1078.002_Windows |
T1053 | Scheduled Task/Job: Scheduled Task | T1053.005_Windows |
T1110.003 | Brute Force: Password Spraying | T1110.003_Windows |
T1518 | Software Discovery | T1518.001_Windows |
Tenable Identity Exposure Indicators of Exposure and Indicators of Attack
MITRE ATT&CK ID | Description | Indicators |
T1003 | OS Credential Dumping | C-ADM-ACC-USAGE |
T1003.001 | OS Credential Dumping: LSASS Memory | C-PROTECTED-USERS-GROUP-UNUSEDI-ProcessInjectionLsass |
T1003.003 | OS Credential Dumping: NTDS | I-NtdsExtraction |
T1069.001 | Permission Groups Discovery: Local Groups | I-ReconAdminsEnum |
T1110 | Brute Force | C-PASSWORD-HASHES-ANALYSISC-PASSWORD-POLICYMISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNTMISSING-MFA-FOR-PRIVILEGED-ACCOUNT |
T1110.003 | Brute Force: Password Spraying | I-PasswordSpraying |
Tenable Web App Scanning
MITRE ATT&CK ID | Description | Indicators |
T1190 | Exploit Public-Facing Application | T1190_WAS |
Join Tenable's Security Response Teamon the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.