Tenable Holdings Inc.

19/11/2024 | News release | Archived content

Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors

Volt Typhoon, a state-sponsored actor linked to the People's Republic of China, has consistently targeted U.S. critical infrastructure with the intent to maintain persistent access. Tenable Research examines the tactics, techniques and procedures of this threat actor.

Background

The cyberthreat landscape is always evolving, with security teams continuously facing new threats and attacks from a myriad of malicious groups, including ransomware gangs and small collectives chasing financial gain or even clout in the hacking community. Meanwhile, advanced persistent threat (APT) actors continue to loom in the shadows, carefully planning and executing their next attack. One such APT group is Volt Typhoon, a People's Republic of China (PRC) state-sponsored actor. Volt Typhoon has been the subject of multiple cybersecurity advisories (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA) along with joint partners, including international cybersecurity agencies, with warnings of the threat group targeting critical infrastructure in the U.S. and beyond. According to multiple reports, Volt Typhoon operates by pre-positioning themselves, actively working to maintain persistence in anticipation of conducting future attacks targeting U.S critical infrastructure, showing a specific interest in operational technology (OT) environments. Targeted sectors include communications, energy, transportation systems and water and wastewater systems. Volt Typhoon, historically associated with BRONZE SILHOUETTE, has been categorized under various aliases by different threat intelligence teams. These include Voltzite and Insidious Taurus in certain intelligence circles, DEV-0391 by Microsoft and UNC3236 by Mandiant (FireEye) before its formal attribution as Volt Typhoon. Additionally, CrowdStrike tracks the group under the name Vanguard Panda. As we examine the tactics, techniques and procedures (TTPs) employed by Volt Typhoon, we will also discuss known vulnerabilities associated with this threat actor.

Analysis

Volt Typhoon is a sophisticated threat group whose expertise lies in maintaining persistence for as long as possible. They achieve this by blending in with seemingly normal-looking traffic using living off the land (LOTL) techniques, meaning they'll utilize an operating system's (OS) built-in tools. Additionally, this group works using hands-on-keyboard attacks, rather than relying on automated malware scripts. This allows them to customize their attacks and conduct reconnaissance of a target in a stealthy manner. Volt Typhoon typically gains initial access to targets by exploiting unpatched vulnerabilities including zero-day flaws. In an effort to make traffic to their targets seem more benign, they utilize compromised small-office home-office (SOHO) routers and network devices as intermediary devices to proxy their traffic. This makes their network traffic seem legitimate and helps to avoid any geolocation firewall rules. For more information, read the blog Volt Typhoon: What State and Local Government Officials Should Know.

Source: Microsoft Threat Intelligence

Initial access

Volt Typhoon typically gains initial access to targeted systems by exploiting vulnerabilities in publicly exposed systems, specifically firewalls, VPN appliances and web servers. The group takes advantage of weak credentials and unpatched vulnerabilities in perimeter devices. Once inside, Volt Typhoon leverages legitimate tools already present within the system to avoid detection.

SOHO devices: unsecured, unpatched and misconfigured

Thanks to unpatched, end-of-life (EOL) or misconfigured network devices that are internet accessible, Volt Typhoon capitalizes on compromising these devices in order to proxy their traffic and utilize the devices as launch points for their attacks. This includes devices from ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe and Zyxel USG. These network devices are widely used and many EOL devices have known and exploitable vulnerabilities with readily available exploit code. Others may be misconfigured, leaving administrative portals internet accessible and utilizing default credentials. Once compromised, these devices are then implanted with the KV Botnet malware.

Living-off-the-land tactics

Rather than deploying custom malware or tools, Volt Typhoon uses native Windows tools like cmd.exe, netsh and PowerShell to execute commands and conduct lateral movement across compromised networks. By avoiding the use of external tools, the group minimizes their digital footprint, making detection through traditional signature-based antivirus systems more challenging. Many of these commands are not logged by the OS and, in cases where logging is enabled, the threat actors can rotate or delete the logs to hide evidence of the commands they executed.

Credential harvesting and lateral movement

Volt Typhoon utilizes credential dumping techniques to extract valuable login information from compromised systems. Tools like Mimikatz are deployed to extract credentials from memory, which are used to move laterally across the network. Remote desktop protocol (RDP) and other remote desktop tools are often used to facilitate further access to internal systems.

Once inside, Volt Typhoon maintains persistence by modifying legitimate software and using the built-in Windows Task Scheduler to establish scheduled tasks for regular access, ensuring long-term surveillance capabilities. The threat actor focuses on exfiltrating sensitive data and monitoring critical infrastructure communications.

Volt Typhoon has been observed creating a shadow copy of ntds.dit, the main Active Directory (AD) database. This file contains password hashes which the threat actor can attempt to crack offline and utilize any stolen passwords to continue exploitation of a network. Because they rely on using built-in OS commands, they are able to keep a low profile and evade endpoint detection and response (EDR) solutions in what seems like benign system activity.

Known CVEs commonly exploited by Volt Typhoon

While not an exhaustive list, the table below highlights some of the CVEs known to have been exploited by Volt Typhoon.

CVE Description CVSSv3 Score VPR
CVE-2021-27860 FatPipe WARP, IPVPN, MPVPN Unrestricted Upload of File with Dangerous Type 8.8 7.4
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability 9.8 9
CVE-2022-42475 Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability 9.8 8.9
CVE-2023-27997 Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability 9.8 9
CVE-2024-39717 Versa Director File Upload Vulnerability 7.2 8.4

*Please note: Tenable's Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on November 19 and reflects VPR at that time.

Unpatched VPNs targeted - a recurring trend

Volt Typhoon's exploitation of unpatched vulnerabilities in Virtual Private Network (VPN) solutions is part of a broader trend seen across many APT groups. Threat actors leverage these VPN flaws to bypass security controls and establish long-term access within networks. Their focus on exploiting unpatched VPNs mirrors tactics of other state-sponsored actors, such as the Iranian threat actors detailed in the AA24-241A Joint Cybersecurity Advisory, who similarly target and exploit known VPN vulnerabilities to gain initial access and carry out espionage or disruptive campaigns. This recurring pattern underscores the critical need for organizations, particularly those in critical infrastructure, to prioritize patch management and ensure robust security for VPN systems.

Proof of concept

The availability of proof-of-concept (PoC) exploits for the vulnerabilities exploited by Volt Typhoon varies across different CVEs. For CVE-2021-27860, there is no known public PoC currently available. In contrast, CVE-2021-40539, a vulnerability in Zoho ADSelfService Plus, has a partial PoC provided by Synacktiv, both in the form of a technical analysis and a working exploit shared on GitHub. This resource offers detailed guidance on how to achieve remote code execution by manipulating requests to the vulnerable service.

For CVE-2022-42475 and CVE-2023-27997 impacting Fortinet's FortiOS and FortiProxy SSL-VPN systems, public PoCs are readily available on platforms like GitHub (CVE-2023-27997 for example) and have been widely shared on X (formerly Twitter). These PoCs demonstrate how attackers can exploit heap-based buffer overflows to achieve remote code execution, highlighting the criticality of patching affected systems.

Lastly, there is no publicly available PoC for CVE-2024-39717, a newly disclosed file upload vulnerability in Versa Director.

The varying availability of these PoCs stresses the need for organizations to proactively patch and monitor for signs of exploitation.

Solution

Each of the vulnerabilities flagged as targeted by Volt Typhoon have patches and mitigations released by the respective vendors. We recommend reviewing each of the vendors' advisories shown below:

Identifying affected systems

Tenable offers several solutions to help identify potential exposures and attack paths as well as identifying systems vulnerable to the CVEs mentioned in this blog. For a holistic approach, we recommend Tenable One. The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies - including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.

Tenable Plugin Coverage

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2021-40539, CVE-2021-27860, CVE-2022-42475, CVE-2023-27997 and CVE-2024-39717. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Tenable attach path techniques

MITRE ATT&CK ID Description Tenable attack path techniques
T1003.001 OS Credential Dumping: LSASS Memory T1003.001_Windows
T1003.003 OS Credential Dumping: NTDS T1003.003_Windows
T1012 Query Registry T1012_Windows
T1059.001 Command and Scripting Interpreter: PowerShell T1059.001_Windows
T1059.003 Command and Scripting Interpreter: Windows Command Shell T1059.003_Windows
T1069.001 Permission Groups Discovery: Local Groups T1069.001_Windows
T1069.002 Permission Groups Discovery: Domain Groups T1069.002_Windows
T1078.002 Valid Accounts: Domain Accounts T1078.002_Windows
T1053 Scheduled Task/Job: Scheduled Task T1053.005_Windows
T1110.003 Brute Force: Password Spraying T1110.003_Windows
T1518 Software Discovery T1518.001_Windows

Tenable Identity Exposure Indicators of Exposure and Indicators of Attack

MITRE ATT&CK ID Description Indicators
T1003 OS Credential Dumping C-ADM-ACC-USAGE
T1003.001 OS Credential Dumping: LSASS Memory C-PROTECTED-USERS-GROUP-UNUSEDI-ProcessInjectionLsass
T1003.003 OS Credential Dumping: NTDS I-NtdsExtraction
T1069.001 Permission Groups Discovery: Local Groups I-ReconAdminsEnum
T1110 Brute Force C-PASSWORD-HASHES-ANALYSISC-PASSWORD-POLICYMISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNTMISSING-MFA-FOR-PRIVILEGED-ACCOUNT
T1110.003 Brute Force: Password Spraying I-PasswordSpraying

Tenable Web App Scanning

MITRE ATT&CK ID Description Indicators
T1190 Exploit Public-Facing Application T1190_WAS

Get more information

Join Tenable's Security Response Teamon the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.