The Chinese nation-state actor has been actively conducting espionage and information-gathering attacks on American systems since mid-2021.

Microsoft and several US intelligence agencies have detected malware of Chinese origin deployed in critical infrastructure systems in Guam and elsewhere in the US. The malicious activity, focused on post-compromise credential access and network discovery, has been attributed to Volt Typhoon, a state-sponsored threat actor based in China.

“Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States,” Microsoft said in a blog post. “In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.”

Guam hosts significant US military installations, including Andersen Air Force Base, which would play a crucial role in any conflict in the Asia-Pacific region, including a move against Taiwan.

Volt Typhoon employs stealthy infection

Microsoft has identified attacks that use a web shell, a malicious script that gives remote access to a server, deployed on home routers and other common internet-connected devices so that the intrusion is harder to trace back to its source.

Volt Typhoon issues commands from the command line of an infected system to collect data, including credentials from local and network systems, archives that data to stage it for exfiltration, and then uses the stolen credentials to maintain persistence. The attacker gains initial access to targeted organizations by exploiting internet-facing Fortinet FortiGuard devices.
Microsoft is still examining how Volt Typhoon gains access to these devices. “The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials,” Microsoft added.

The actor routes its network traffic to targets through compromised small office/home office (SOHO) network edge devices, such as routers, so that the traffic appears to come from ordinary residential or small-business addresses. Microsoft has verified that many such devices, including those made by Asus, Cisco, D-Link, Netgear, and Zyxel, allow owners to expose HTTP or SSH management interfaces to the internet, which is how they become reachable in the first place.

In its post-compromise operations, Volt Typhoon rarely deploys malware. Instead, it relies heavily on living-off-the-land commands, built-in system tools, to search for information on the host, identify other devices on the network, and extract data.

Credential rotation and MFA are key to protection

As mitigation, Microsoft recommends closing all compromised accounts or changing their credentials. “Identify local security authority subsystem service (LSASS) dumping and domain controller installation media creation to identify affected accounts,” it added. The two activities matter because an LSASS memory dump exposes the credentials of every account that has logged on to that host, and domain controller installation media (an ntdsutil IFM export) contains the Active Directory database with every domain account's password hashes.

Microsoft also advises examining the activity of compromised accounts for malicious actions or exposed data. To reduce the risk from compromised legitimate accounts, Microsoft encourages customers to enforce strong multifactor authentication (MFA) policies that use hardware security keys or Microsoft Authenticator.
Additionally, passwordless sign-in, password expiration rules, and deactivating unused accounts can also mitigate the risks of this method of access. Protected Process Light (PPL) for LSASS, Windows Defender Credential Guard, and EDR in block mode are among the licensed features Microsoft recommends to its customers as protection against such credential theft.
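Microsoft's advice to look for LSASS dumping and domain controller installation media creation can be turned into a triage pass over process-creation telemetry. The following is an added example, not Microsoft's hunting query or code from the article: the events are constructed here in the style of Sysmon Event ID 1 records, the host names, account names and paths are assumed sample values, and the command-line patterns are the common living-off-the-land forms of these techniques (an ntdsutil IFM export, comsvcs.dll MiniDump via rundll32, and procdump against lsass), not indicators published for this campaign.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style).
# Hosts, users and paths are assumed sample values, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc-fortigate",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'},
    {"host": "ws07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 812 C:\\Windows\\Temp\\lsass.dmp full"},
    {"host": "ws07", "user": "CORP\\jdoe",
     "image": r"C:\Tools\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\out.dmp"},
    {"host": "ws03", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c netstat -ano"},
    {"host": "dc01", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "snapshot" "list all" q q'},
]

# Command-line patterns for the two activities the article says to hunt for:
# creation of domain controller installation media (ntdsutil "ifm" ... "create")
# and LSASS memory dumping. These are generic living-off-the-land forms of the
# techniques, assumed here for illustration, not campaign-specific indicators.
RULES = [
    ("ntdsutil_ifm_create", re.compile(r"ntdsutil.*\bifm\b.*\bcreate\b", re.I)),
    # comsvcs.dll exports MiniDump; it can be called by name or by ordinal #24.
    ("comsvcs_minidump", re.compile(r"comsvcs\.dll\s*,?\s*(?:minidump|#24)\b", re.I)),
    ("procdump_lsass", re.compile(r"procdump\S*\s.*\blsass\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def detect(events):
    """Return one Finding per (event, matching rule) pair, in event order."""
    findings = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append(Finding(ev["host"], ev["user"], name, ev["cmdline"]))
    return findings


def affected_accounts(findings):
    """Accounts that executed a dump or IFM export: the first set to rotate.
    Every account that ever logged on to a host with an LSASS dump, and every
    domain account if an IFM export succeeded, should be rotated as well."""
    return sorted({f.user for f in findings})


def affected_hosts(findings):
    """Hosts where credential material was captured and need further review."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host} {f.user} [{f.rule}] {f.cmdline}")
    print("accounts to rotate first:", affected_accounts(found))
    print("hosts to review:", affected_hosts(found))
```

The benign `ntdsutil snapshot` event on the domain controller is deliberately left unmatched: the `ifm` plus `create` pairing is what produces an offline copy of the AD database, and flagging every ntdsutil invocation would bury the finding in administrator noise. In practice the events would come from a SIEM export rather than an inline list, and the IFM hit on a domain controller under the Fortinet device's service account is exactly the pattern Microsoft's description of the actor's lateral movement would predict.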