Earlier Intrusions from Volt Typhoon
Coverage of the Chinese espionage group Volt Typhoon (a.k.a. BRONZE SILHOUETTE) has expanded with insights from the Secureworks Counter Threat Unit (CTU). Intrusions by Volt Typhoon were observed during incident response (IR) engagements in June 2021, September 2021, and June 2022. An understanding of the threat group's tactics, techniques, and procedures (TTPs) is vital for defense, particularly because of its targeting of critical infrastructure organizations. These attacks aim to gather sensitive data and potentially disrupt the services those organizations provide. In line with initial reports from Microsoft and US agencies, notable TTPs employed by Volt Typhoon include the prominent use of living-off-the-land binaries to evade security defenses. "CTU analysis of the direct observations from BRONZE SILHOUETTE intrusions reveals a threat group that favors web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives. For example, the June 2021 IR engagement determined that the threat actors were inside the compromised network for only 90 minutes before obtaining the ntds.dit AD database," said Secureworks.
Secureworks found Volt Typhoon's earliest intrusion in June 2021, which began with initial access to a Citrix environment using compromised credentials that were not protected by multi-factor authentication (MFA). With a foothold on the network, the attackers dropped a Java-based web shell (AuditReport.jspx). Reconnaissance commands querying users and groups in the environment were then launched from CMD. Certutil was used to decode another ASPX web shell (iisstart.aspx). Consistent with Microsoft's report, the threat actors created "a copy of the ntds.dit AD database" and stored it in a password-protected zip archive.
In another Secureworks IR engagement, in September 2021, the activity was slightly briefer. This time the attackers exploited a public-facing application to obtain initial access; Secureworks surmises this was likely exploitation of CVE-2021-40539 against a ManageEngine ADSelfService Plus server. As in the prior intrusion, Volt Typhoon used a web shell to run native Windows reconnaissance commands. To copy AD objects, the attackers used a renamed copy of the Windows csvde.exe command-line tool. Once the data was exported, the makecab command was run to compress it. The final intrusion reported by Secureworks, in June 2022, followed the exploitation of a public-facing application that led to a web shell being dropped.
The attackers acquired credentials by using WMI to create a volume shadow copy and extracting both the ntds.dit AD database and the SYSTEM registry hive from it. Data of interest was archived with 7-Zip. Secureworks noted that the attackers returned several days later and pivoted to a ManageEngine ADSelfService Plus server, on which they were observed running discovery commands.
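The living-off-the-land sequence described across the three engagements (web shell spawning reconnaissance commands, certutil decoding a dropped file, a renamed csvde.exe export, a shadow copy created for ntds.dit, and the archive step) maps onto a handful of process-creation detections. The following is an added example, not code from Secureworks or any cited report: it runs Sigma-style rules over constructed Sysmon-like events and assumes an IIS-hosted web shell (parent process w3wp.exe) and Sysmon's OriginalFileName field, which is the detail that still catches csvde.exe after it has been renamed on disk.

```python
import re

# Constructed Sysmon-style process-creation events used only to exercise the
# rules; they are not telemetry from the Secureworks engagements. "orig" is
# Sysmon's OriginalFileName, read from the PE version resource, so it survives
# renaming the executable on disk (the page notes csvde.exe was renamed).
SAMPLE_EVENTS = [
    {"host": "web01", "parent": "w3wp.exe", "image": "cmd.exe", "orig": "Cmd.Exe",
     "cmdline": 'cmd.exe /c net group "domain admins" /domain'},
    {"host": "web01", "parent": "cmd.exe", "image": "certutil.exe", "orig": "CertUtil.exe",
     "cmdline": "certutil.exe -decode C:\\Windows\\Temp\\in.txt C:\\inetpub\\wwwroot\\iisstart.aspx"},
    {"host": "web01", "parent": "cmd.exe", "image": "update.exe", "orig": "csvde.exe",
     "cmdline": "update.exe -f C:\\Windows\\Temp\\export.csv"},
    {"host": "dc01", "parent": "WmiPrvSE.exe", "image": "vssadmin.exe", "orig": "VSSADMIN.EXE",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "dc01", "parent": "cmd.exe", "image": "7z.exe", "orig": "7z.exe",
     "cmdline": "7z.exe a -pSecret staged.zip ntds.dit SYSTEM"},
    {"host": "ws07", "parent": "explorer.exe", "image": "certutil.exe", "orig": "CertUtil.exe",
     "cmdline": "certutil.exe -verify cert.cer"},  # legitimate use; must not alert
]

# (rule name, predicate). Predicates see lower-cased, path-stripped fields.
RULES = [
    ("web shell spawning a command shell",
     lambda e: e["parent"] == "w3wp.exe" and e["orig"] in ("cmd.exe", "powershell.exe")),
    ("certutil decoding a dropped file",
     lambda e: e["orig"] == "certutil.exe" and "-decode" in e["cmdline"]),
    ("AD export via csvde (matches even if renamed)",
     lambda e: e["orig"] == "csvde.exe"),
    ("volume shadow copy created (ntds.dit staging)",
     lambda e: re.search(r"vssadmin\s+create\s+shadow|shadowcopy\s+call\s+create", e["cmdline"])),
    ("archive of AD database material",
     lambda e: e["orig"] in ("7z.exe", "makecab.exe")
               and ("ntds.dit" in e["cmdline"] or re.search(r"\s-p\S*", e["cmdline"]))),
]

def normalise(event):
    """Lower-case the matched fields and strip directory paths from names."""
    e = dict(event)
    for k in ("parent", "image", "orig"):
        e[k] = e[k].rsplit("\\", 1)[-1].lower()
    e["cmdline"] = e["cmdline"].lower()
    return e

def detect(events):
    """Return (host, rule name) for every event that matches a rule."""
    hits = []
    for raw in events:
        e = normalise(raw)
        hits.extend((e["host"], name) for name, pred in RULES if pred(e))
    return hits
```

Correlating these hits by host within a short window (the June 2021 intrusion took about 90 minutes end to end) is what turns individually noisy LOLBin alerts into a high-confidence signal.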
Volt Typhoon needs to be monitored closely by organizations, especially given its "minimal intrusion footprint" and "incorporation of defense evasion techniques." Volt Typhoon is assessed to operate in the interest of the People's Republic of China (PRC), aiding intelligence collection to further economic goals.