Response to CISA Advisory (AA23-144A): China State-Sponsored Actor Volt Typhoon Living off the Land to Evade Detection

AttackIQ has released two new assessments that emulate the techniques associated with a People’s Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon. Volt Typhoon makes extensive use of living off the land tools to remain undetected for as long as possible while completing its espionage goals.

On May 24, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) along with international cybersecurity authorities published a joint Cybersecurity Advisory (CSA) to detail Volt Typhoon, a cluster of activity associated with the People’s Republic of China (PRC).

Volt Typhoon is a state-sponsored, politically motivated, Chinese adversary that has been active since at least 2021. Its primary focus is espionage and information gathering, specifically targeting critical infrastructure organizations in Guam and in the United States.

One of Volt Typhoon’s most notable characteristics is the use of Living-off-the-Land (LotL) techniques, where they leverage built-in network administration tools to achieve their objectives. This approach allows them to blend in with normal Windows system and network activity while evading detection by endpoint detection and response (EDR) products.

Private sector partners identified attacks in networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.

AttackIQ has released two new assessment templates emulating the behavior associated with Volt Typhoon to help customers validate their security controls and their ability to defend against this threat. Validating the performance of your security program against these behaviors is vital to reducing risk. By using these new assessments in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate the performance of security controls against a stealthy Chinese threat.
  • Assess security posture against a highly sophisticated adversary who almost exclusively leverages native Windows utilities to achieve their objectives.
  • Continually validate detection and prevention effectiveness against an actor who could apply the same techniques against other sectors and regions worldwide.

[CISA AA23-144A] Volt Typhoon Living off the Land Techniques for Windows Servers

The first assessment template emulates the Living-off-the-Land (LotL) techniques used by the threat actor inside a Windows server environment. A combination of PowerShell, Windows Management Instrumentation Commands (WMIC), and native Windows utilities are executed to perform the exact same actions conducted by Volt Typhoon in their attacks.

The scenarios curated in this assessment are relevant to the majority of Windows server configurations. The commands and tools utilized in this assessment should be found on most common Windows server installations regardless of their primary role. These tools are not commonly found on endpoint devices, so the intended targets are server environments.

The assessment templates are divided by Tactics, and these group the techniques and implementations used by the adversary at each stage of their attacks.

1. Execution: Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.

System Binary Proxy Execution (T1218): pcwrun.exe is the native Windows Program Compatibility Wizard utility that can be abused by threat actors to download and execute payloads.

2. Defense Evasion: Techniques adversaries use to avoid detection throughout their compromise. 

Impair Defenses: Disable or Modify System Firewall (T1562.004): This scenario creates a new rule in the Windows System Firewall to proxy port connections from 0.0.0.0:9999/tcp to 127.0.0.1:8443/tcp on the targeted asset using the netsh interface command.

3. Credential Access: Consists of techniques for stealing credentials like account names and passwords.

OS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating a minidump of the lsass process. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors.

OS Credential Dumping: Security Account Manager (T1003.002): The built-in reg save command is executed to dump the Windows SAM hive.

OS Credential Dumping (T1003): The built-in reg save command is executed to dump the Windows SYSTEM hive. Also, Volt Typhoon has been observed using mimikatz to dump passwords and hashes for Windows accounts.

4. Discovery: The adversary may use these techniques to gain knowledge about the initially infected system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act.

System Owner / User Discovery (T1033): Live off the land by running whoami and users to gain details about the currently available accounts and permission groups.

System Information Discovery (T1082): The native systeminfo command is executed to retrieve all of the Windows system information.

Process Discovery (T1057): Windows’ built-in tasklist command is executed as a command process and the results are saved to a file in a temporary location. WMI commands are also issued to discover running processes and services.

Account Discovery (T1087): Use Living-off-the-Land commands like net user to obtain a list of additional accounts known to the infected host.

Account Discovery (T1087): The native Windows command wevtutil and the PowerShell cmdlet Get-EventLog are used to search the Windows Security Event Logs for successful login attempts to the infected host, identifying additional accounts that could be targeted for lateral movement.

Account Discovery – Local Account (T1087.001): The command net localgroup is executed to identify any local administrator accounts.

Account Discovery: Domain Account (T1087.002): The system command net group is used to list Domain and Enterprise Admins accounts.

File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and output them to a temporary file.

System Network Configuration Discovery (T1016): Native Windows commands like route, ipconfig, and net use are executed to collect details about the infected host and network shares.

System Network Connections Discovery (T1049): The native Windows command line tool netstat is used to collect active connections and any listening services running on the host.

Software Discovery (T1518): The PowerShell command wmic product get is executed to discover installed applications.

Security Software Discovery (T1518.001): This scenario executes the netsh firewall show all and netsh interface show commands to list firewall configuration and network interfaces.

Query Registry (T1012): This scenario executes a script that queries the registry keys related to remote access tools that Volt Typhoon was observed querying.

Windows Management Instrumentation (WMI) (T1047): Multiple WMI commands are executed to retrieve information such as system’s volumes and motherboard data.

Internet Connection Discovery (T1016.001): This scenario uses ping and curl commands to query external domains and IPs to determine whether the host has unrestricted outbound access to the internet.

5. Lateral Movement: Consists of the techniques adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it.

Brute Force (T1110): This scenario attempts to brute-force logins to remote systems over RDP using a username and password dictionary.

Windows Management Instrumentation (WMI) (T1047): WMI commands are executed to move laterally to any available asset inside the network.

Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to remotely access another Windows system using a native Remote Desktop Protocol (RDP) connection.

6. Exfiltration: Consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it.

Exfiltration Over C2 Channel (T1041): Files are compressed using the native makecab utility and are sent to an AttackIQ controlled server using HTTP POST requests.

[CISA AA23-144A] Volt Typhoon Living off the Land Techniques for Windows Domain Controllers

The second assessment template is limited to testing the specific techniques observed from the actor that would occur on a Domain Controller. This includes multiple scenarios that dump the Active Directory database using several native utilities, as well as DNS zone enumeration for controllers that also act as DNS servers.

1. Discovery: The adversary may use these techniques to gain knowledge about the initially infected system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act.

Gather Victim Network Information: DNS (T1590.002): This scenario enumerates the DNS zones configured and managed by a Windows DNS server by using the native dnscmd utility with the /enumzones flag.

Account Discovery: Domain Account (T1087.002): The native LDIF Directory Exchange ldifde utility is used to export domain groups and users from the running Domain Controller and returns a list of all relevant groups and user accounts that would be of interest.

2. Credential Access: Consists of techniques for stealing credentials like account names and passwords.

OS Credential Dumping: NTDS (T1003.003): Three scenarios are used to dump the Active Directory Database via the NTDS.dit file. The dumping can be performed via:

  • Creation of a Volume Shadow Copy using vssadmin.exe.
  • Creation of a Volume Shadow Copy using PowerShell cmdlet and WMI.
  • Utilization of the ntdsutil.exe utility.

Detection and Mitigation Opportunities

With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Detection and Hunting Recommendations

CISA has provided a significant number of detection signatures and hunting queries that could be used to identify Volt Typhoon compromises. The mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST) and provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement.

AttackIQ highly recommends reviewing their signatures and adapting them to your environment first, to determine whether you have already been affected, before reviewing the results from the assessment templates.
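As an added illustration of the kind of hunting logic CISA recommends adapting to your environment (an editor's example, not code from the advisory or from AttackIQ), the script below applies simple command-line rules for the behaviours named in the assessment descriptions above to constructed process-creation events and prioritizes hosts that show more than one technique. The log line layout, the regex patterns and the sample events are all assumptions made for the example.

```python
import re
# Technique id -> case-insensitive regex over a process command line. The patterns
# are the editor's assumptions, written from the behaviours the assessment
# descriptions name; they are not CISA's or AttackIQ's signatures.
LOTL_RULES = [(tid, re.compile(rx, re.I)) for tid, rx in [
    ("T1562.004", r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b"),   # port proxy
    ("T1003.002", r"\breg(\.exe)?\s+save\s+hklm\\sam\b"),                  # SAM hive
    ("T1003",     r"\breg(\.exe)?\s+save\s+hklm\\system\b"),               # SYSTEM hive
    ("T1003.003", r"\bntdsutil\b|\bvssadmin(\.exe)?\s+create\s+shadow\b"), # NTDS.dit
    ("T1590.002", r"\bdnscmd\b.*/enumzones\b"),                            # DNS zones
    ("T1041",     r"\bmakecab\b"),                                         # staging for exfil
]]
# Constructed line layout: <timestamp> <host> <user> EventID=<id> CommandLine="<cmd>"
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+'
                    r'EventID=(?P<eid>\d+)\s+CommandLine="(?P<cmd>.*)"$')
# Constructed sample events, not real telemetry; the first is benign admin noise.
SAMPLE_LOG = [
    r'2023-05-24T10:01:02Z SRV01 CORP\admin EventID=4688 CommandLine="ipconfig /all"',
    r'2023-05-24T10:02:10Z SRV01 CORP\svc EventID=4688 CommandLine="reg save hklm\sam C:\Windows\Temp\sam.hiv"',
    r'2023-05-24T10:02:11Z SRV01 CORP\svc EventID=4688 CommandLine="reg save hklm\system C:\Windows\Temp\sys.hiv"',
    r'2023-05-24T10:05:40Z SRV01 CORP\svc EventID=4688 CommandLine="netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=127.0.0.1"',
    r'2023-05-24T10:09:00Z DC01 CORP\backup EventID=4688 CommandLine="ntdsutil ac i ntds ifm create full C:\temp q q"',
    r'2023-05-24T10:09:30Z DC01 CORP\dnsadm EventID=4688 CommandLine="dnscmd /enumzones"',
    r'2023-05-24T11:00:00Z WS07 CORP\jdoe EventID=4624 CommandLine=""',
    r'2023-05-24T11:00:05Z WS07 CORP\jdoe EventID=4688 CommandLine="makecab C:\Users\jdoe\report.docx C:\Users\jdoe\r.cab"',
]
def parse_event(line):
    """Split one log line into its fields; reject anything that does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()
def match_techniques(cmdline):
    """Technique ids whose pattern fires on this command line (possibly several)."""
    return [tid for tid, rx in LOTL_RULES if rx.search(cmdline)]
def hunt(lines):
    """(host, user, techniques) for each process-creation (4688) event that matches."""
    hits = []
    for ev in map(parse_event, lines):
        tids = match_techniques(ev["cmd"]) if ev["eid"] == "4688" else []
        if tids:
            hits.append((ev["host"], ev["user"], tids))
    return hits
def hosts_to_triage(hits, threshold=2):
    """Hosts with >= threshold distinct techniques: one reg save may be a backup job,
    but a credential dump plus a new port proxy on one host is the chain to review first."""
    seen = {}
    for host, _, tids in hits:
        seen.setdefault(host, set()).update(tids)
    return sorted(h for h, s in seen.items() if len(s) >= threshold)
```

Thresholding on distinct techniques per host is what keeps a single legitimate administrative command from paging an analyst while still surfacing the dump-then-proxy sequence.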

2. Review AttackIQ’s Blog About Monitoring and Testing for Living off the Land Binaries

AttackIQ recently published a blog about their research into abuse of Living off the Land binaries. The report highlights additional tools and commands used by threat actors beyond the scope of what Volt Typhoon has utilized. Each native tool has a breakdown of how it can be abused along with Sigma rules to help organizations detect these behaviors.

Wrap-up

In summary, these assessments will evaluate security and incident response processes and support the improvement of your security control posture against a highly sophisticated and stealthy adversary. With data generated from continuous testing and use of these assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.