Microsoft and a few American intelligence agencies have detected malware of Chinese origin deployed in critical infrastructure systems in Guam and elsewhere in the US.The malicious activity, focused on post-compromise credential access and network security discovery, has been linked to Volt Typhoon, a state-sponsored threat actor in China.\u201cVolt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States,\u201d Microsoft said in a blog post. \u201cIn this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.\u201dGuam hosts significant military installations of the US, including the Andersen Air Force Base, which plays a crucial role in the event of any potential conflicts in the Asia Pacific region, including a move against Taiwan.Volt Typhoon employs stealthy infectionMicrosoft has identified attacks containing a \u201cWeb Shell,\u201d a malicious script enabling remote access to a server, deployed in home routers and other common internet-connected computer devices to make intrusion harder to track.Volt Typhoon issues commands via the command line of an infected system to collect data, including credentials from local and network systems, archiving them to stage exfiltration and use retrieved credentials to maintain persistence.The attacker gains initial entry into targeted organizations by exploiting internet-facing Fortinet FortiGuard devices. Microsoft is currently in the process of examining how Volt Typhoon manages to gain access to these devices.\u201cThe threat actor attempts to leverage any privileges afforded by the Fortinet device extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials,\u201d Microsoft added.The attack directs all of its network traffic towards its targets by utilizing compromised small office\/home office network edge devices, such as routers. Microsoft has verified that numerous devices, including those produced by Asus, Cisco, D-Link, Netgear, and Zyxel, have the capability for owners to expose HTTP or SSH management interfaces to the internet.In their post-compromise operations, Volt Typhoon rarely employs malware. Instead, they heavily rely on utilizing living-off-the-land commands to search for information within the system, identify other devices connected to the network, and extract data.Credential rotation and MFA are key to protectionAs mitigation steps, Microsoft has recommended\u00a0closing or changing credentials for all compromised accounts. \u201cIdentify local security authority subsystem service (LSASS) dumping and domain controller installation media creation to identify affected accounts,\u201d it added.Examining the activity of compromised accounts for any malicious actions or exposed data has also been advised.To reduce the risk of compromised legitimate accounts, Microsoft is encouraging customers to implement robust multifactor authentication (MFA) policies that utilize hardware security keys or Microsoft Authenticator. Additionally, passwordless sign-in, setting password expiration rules, and deactivating unused accounts can also be effective in mitigating the risks associated with this method of access.Protective process light (PPL) for LSASS, Windows Defender credential guard, and EDR in clock mode are a few licensed solutions Microsoft has recommended for its users to protect against such attacks.