Stealthy new botnet targets VPN devices and routers while staying disguised
The US government, together with several other countries, has issued a joint cybersecurity advisory warning of malicious activity carried out by a state-sponsored Chinese cyber actor known as Volt Typhoon.
The Chinese group has been observed targeting US critical infrastructure sectors, and other countries are believed to be at risk.
In fact, the attack discovered by Microsoft earlier this year attracted the attention not only of the United States NSA, CISA and FBI, but also of officials in Australia, Canada, New Zealand and the United Kingdom.
Chinese group covertly targets routers
According to Microsoft, the group, which has only been active since 2021, has previously focused on critical infrastructure on the Micronesian island of Guam in the western Pacific, an unincorporated territory of the US, as well as other US regions.
This particular campaign does not appear to be particularly targeted, with sectors such as communications, manufacturing, utilities, transport, construction, maritime, government, information technology and education all under threat.
Volt Typhoon relies on built-in network administration tools, a technique known as living off the land, to evade endpoint detection by blending in with normal Windows system and network activity.
Microsoft summarized the steps: “They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) place the data into an archive file to prepare it for exfiltration, and then (3) they use the stolen valid credentials to maintain persistence.”
It was also noted that the threat actor blended in with normal network activity by routing its traffic through compromised small office and home office (SOHO) networking equipment such as routers, firewalls, and VPN devices.
The advisory recommends that organizations harden domain controllers, monitor event logs for abnormal account activity, and investigate unusual IP addresses. Full details of the activity and the recommended measures can be found on the US Department of Defense website.
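As an added example (not code from the article or the advisory), a small Python check in the spirit of that recommendation: it parses constructed Windows logon events and flags remote logons from addresses outside an assumed trusted range, as well as accounts appearing from a source address not seen before. The 10.0.0.0/8 range, the flattened log format and the sample records are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows Security log entries (Event ID 4624, successful
# logon) flattened to one line each; made-up data, not records from the advisory.
SAMPLE_EVENTS = """\
4624 2023-05-24T01:12:03Z TargetUserName=svc_backup IpAddress=10.0.4.17 LogonType=3
4624 2023-05-24T01:14:51Z TargetUserName=svc_backup IpAddress=10.0.4.17 LogonType=3
4624 2023-05-24T03:02:10Z TargetUserName=svc_backup IpAddress=10.0.9.50 LogonType=3
4624 2023-05-24T09:30:00Z TargetUserName=jdoe IpAddress=10.0.8.23 LogonType=2
4624 2023-05-24T23:48:19Z TargetUserName=jdoe IpAddress=198.51.100.9 LogonType=3
4624 2023-05-25T00:05:41Z TargetUserName=jdoe IpAddress=10.0.8.23 LogonType=2
"""

# Assumed: the organisation's own address space; replace with the real ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
REMOTE_LOGON_TYPES = {"3", "10"}  # network and RemoteInteractive (RDP) logons

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened 4624 line into a dict; returns None for other event IDs."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3 or parts[0] != "4624":
        return None
    fields = dict(FIELD_RE.findall(parts[2]))
    fields["Timestamp"] = parts[1]
    return fields

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # "-" placeholder: local logon with no network source
        return True
    return any(ip in net for net in TRUSTED_NETS)

def find_anomalies(log_text):
    """Return (user, ip, reason) tuples for logons worth investigating."""
    findings = []
    seen_ips = defaultdict(set)  # per-account baseline built as the log is read
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        user, ip, ltype = ev["TargetUserName"], ev["IpAddress"], ev["LogonType"]
        if ltype in REMOTE_LOGON_TYPES and not is_trusted(ip):
            findings.append((user, ip, "remote logon from untrusted address"))
        elif seen_ips[user] and ip not in seen_ips[user]:
            findings.append((user, ip, "account seen from a new source address"))
        seen_ips[user].add(ip)
    return findings

if __name__ == "__main__":
    for user, ip, reason in find_anomalies(SAMPLE_EVENTS):
        print(f"{user:<12} {ip:<16} {reason}")
```

In practice the baseline would be built from a longer history than the window being checked, so that an attacker's first appearance is not itself treated as the norm.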