A Sophisticated But Thwarted Intrusion from Volt Typhoon
Category: Threat Actor Activity | Industries: Critical infrastructure, Defense, Government | Source: CrowdStrike
Threat activity from the Chinese threat group Volt Typhoon, also tracked as Bronze Silhouette or Vanguard Panda, was recently discovered and prevented by CrowdStrike. In the reported incident, Volt Typhoon "employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement," said CrowdStrike. The threat actors' activities were consistent with the initial reports from CISA and Microsoft on May 24th, 2023, which noted that the operators placed a premium on operating covertly. They relied heavily on living-off-the-land binaries (LOLBins), used them in "short bursts," and removed traces of their activity from logs.
The compromised ManageEngine ADSelfService Plus application ran on an Apache Tomcat web server. It is surmised that the threat actors exploited an RCE vulnerability in ManageEngine, CVE-2021-40539; however, log entries that would confirm the exploitation were absent. The threat actors likely removed traces of their activity from the relevant access logs. Not all of Volt Typhoon's activity was covered up, however: Java and class files were found on the server, leading to the discovery of "numerous web shells and backdoors all connected to this same attack."
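Two hunts a defender can run against the evidence pattern described above (access logs scrubbed, executable web-app files left behind), as an added Python example that is not from the CrowdStrike report. The webapps layout, the known-good baseline manifest and the log lines are constructed for illustration, and the Tomcat access-log timestamp format is assumed.

```python
import os
import re
import tempfile
from datetime import datetime

# File types that execute inside Tomcat; a web shell dropped into a webapp
# must be one of these even when the attacker has scrubbed the access logs.
SUSPECT_EXT = {".jsp", ".jspx", ".class", ".jar"}

def find_unexpected_files(webapps_dir, baseline):
    """Relative paths of executable files under webapps_dir that are not in
    the known-good baseline (paths taken from a clean install of the app)."""
    hits = []
    for root, _dirs, files in os.walk(webapps_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in SUSPECT_EXT:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, webapps_dir).replace(os.sep, "/")
                if rel not in baseline:
                    hits.append(rel)
    return sorted(hits)

# Assumed Tomcat access-log timestamp, e.g. [12/Mar/2023:10:15:01 +0000]
TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}):")

def find_log_gaps(lines, max_gap_days=1):
    """(day_before, day_after) pairs where consecutive entries are more than
    max_gap_days apart: a silent stretch in a normally busy log is a lead
    for deleted entries, which is how this incident's logs looked."""
    days = []
    for line in lines:
        m = TS_RE.search(line)
        if m:
            d = datetime.strptime(m.group(1), "%d/%b/%Y").date()
            if not days or d != days[-1]:
                days.append(d)
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(days, days[1:]) if (b - a).days > max_gap_days]

# Constructed sample log: entries on 10 and 11 Mar, then nothing until 20 Mar,
# as if nine days of requests had been removed.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2023:09:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Mar/2023:09:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Mar/2023:09:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512',
]

def demo_webapps():
    """Build a constructed webapps tree (two baseline files, one stray JSP,
    all names illustrative) and return what the hunt flags."""
    base = {"app/login.jsp", "app/WEB-INF/classes/Login.class"}
    with tempfile.TemporaryDirectory() as d:
        for rel in sorted(base | {"app/help/x.jsp"}):
            path = os.path.join(d, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_unexpected_files(d, base)
```

In practice the baseline comes from a clean install or vendor package manifest, and any flagged file is then examined by hand rather than deleted outright.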
Further investigation into the web shells used in the attack revealed that they had been deployed almost six months prior to the hands-on-keyboard activity. This extended dwell time indicates that Volt Typhoon had spent significant effort conducting thorough reconnaissance of the targeted network. Their familiarity with the environment facilitated the "rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI."