Volt Typhoon and Recent CW SIEM Updates
Something not mentioned in the article is that this activity appears to mirror activity reported back in Nov 2021 by the FBI and CISA based on the TTPs we are observing, so it is possible this is the same actor who has been operating since Nov 2021.
Volt Typhoon has been observed using compromised Small-Office Home-Office (SOHO) devices (e.g. routers) to obfuscate the source of the activity [T1090.002].
- Most common types include ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices.
- Common CVEs for these devices and mitigation guidance can be found in the joint Cybersecurity Advisory, "Top CVEs Actively Exploited by People's Republic of China State-Sponsored Cyber Actors."
Volt Typhoon has also been observed exploiting vulnerabilities [T1190] in widely used software including, but not limited to:
- CVE-2021-40539—ManageEngine ADSelfService Plus. https://www.cisa.gov/uscert/ncas/alerts/aa21-259a.
- CVE-2021-27860—FatPipe WARP, IPVPN, MPVPN. https://www.ic3.gov/Media/News/2021/211117-2.pdf
Considering this, the CRU has made updates to the CW SIEM CRU ruleset. We have updated the CRU rule for the NTDSUtil rule as well as the Netsh Port Forwarding rule to include TTPs matching this threat actor. Below is a compiled list of signatures that should match activity that is related to the post-compromise activity observed in the report for Volt Typhoon. If you see these signatures firing together, this may be an indicator for this TA.
CW SIEM Detections
CW SIEM Event Notifications in the CRU Collection related to observed TTPs by this threat actor:
[CRU][Windows] Common Windows Password Dumping Tool In Use
[CRU][Windows] Impacket Tools Observed
[CRU][Windows] PortProxy Registry Key
[CRU][Windows] Potential Wmiexec Command Execution
[CRU][Windows] Command Line Registry Dump
[CRU][Windows] Powershell Executed with Truncated Parameters
[CRU][Windows] WMI Remote Process Creation
[CRU][Windows] Password Dumping via comsvcs.dll MiniDump
Updated CW SIEM Event Notification:
[CRU][Windows] Netsh Port Forwarding
[CRU][Windows] Dump Active Directory Database with NTDSUtil
CW SIEM IDS signatures related to the CVEs this threat actor has been observed using:
CVE-2021-40539
ET EXPLOIT ManageEngine AdSelfService Plus - Authentication Bypass Attempt (CVE-2021-40539)
ET EXPLOIT ManageEngine AdSelfService Plus - Arbritrary File Upload Attempt (CVE-2021-40539)
ET EXPLOIT ManageEngine AdSelfService Plus - .jsp WebShell Upload Attempt (CVE-2021-40539)
ET EXPLOIT ManageEngine AdSelfService Plus - Possible Code Execution via openSSLTool (CVE-2021-40539)
CVE-2021-27860
ET EXPLOIT Possible FatPipe Unrestricted File Upload
ET EXPLOIT FatPipe Unrestricted File Upload
Additional References
https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF