08/16/2023 | News release | Distributed by Public on 08/16/2023 14:00
Volt Typhoon - an alleged state-sponsored threat actor based in China that specializes in espionage and information gathering - is undertaking actions that threat researchers believe may someday be used to disrupt critical infrastructure in the United States and Asia.
Profiled in the latest BlackBerry Global Threat Intelligence Report, the group is known to achieve initial access through remote and hybrid employee devices to reach targeted organizations. Volt Typhoon exploits internet-connected small office/home office (SOHO) devices that often expose HTTP or SSH (Secure Shell) management interfaces to the internet.
The threat actor attempts to abuse any privileges afforded by a device, extracts credentials to a Microsoft® Active Directory® account used by a compromised device, and then attempts to authenticate to other devices on the network with those same credentials.
Volt Typhoon then attempts to establish persistent command-and-control by dumping the Local Security Authority Subsystem Service (LSASS). This Microsoft Windows® operating system process is responsible for enforcing the Microsoft security policies on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows security log. Dumping this process allows for credential exfiltration.
Once Volt Typhoon gains access to a target environment, the threat actor begins conducting hands-on-keyboard activity via the command line interface. It is important to note that Volt Typhoon rarely uses malware to achieve its nefarious objectives. Instead, the actor relies on living-off-the-land commands to find sensitive information on the system, discover additional devices on the network, and exfiltrate data.
Microsoft acknowledges that attacks frequently target the LSASS (local security authority subsystem service) process memory because it can store both a current user's OS credentials and also a domain administrator's. Dumping LSASS credentials is important for attackers because if they successfully dump domain passwords, they can, for example, begin using legitimate tools such as PsExec or Windows Management Instrumentation (WMI) to move laterally across the network and exfiltrate additional data. They can also use techniques like pass-the-hash for lateral movement if they manage to obtain the password hashes.
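The two behaviours described above (a non-system process reading LSASS memory, and one stolen credential being replayed against many hosts over the network) are both visible in ordinary Windows telemetry. The following detection logic is an added example written for this page; it is not BlackBerry's code, not a CylanceOPTICS rule, and not taken from the report. It runs over constructed sample records shaped like Sysmon Event ID 10 (ProcessAccess) and Windows Security Event 4624 (network logon, LogonType 3); the flattened `key=value` line format, the source-process allowlist and the host/window thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample telemetry (not taken from the article) ---------------
# Sysmon Event ID 10 (ProcessAccess) records, one per line, as a SIEM might flatten them.
SYSMON_PROCESS_ACCESS = [
    "2023-08-16T13:58:01 EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "2023-08-16T13:59:10 EventID=10 SourceImage=C:\\Users\\Public\\proc.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "2023-08-16T13:59:12 EventID=10 SourceImage=C:\\Users\\Public\\proc.exe "
    "TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF",
]
# Windows Security 4624 records: LogonType=3 is a network logon (the type SMB/WMI/PsExec-style
# remote administration produces). The IP and host names are constructed.
SECURITY_LOGONS = [
    "2023-08-16T14:01:00 EventID=4624 LogonType=3 TargetUserName=svc_backup Computer=FILESRV01 IpAddress=10.20.0.7",
    "2023-08-16T14:01:30 EventID=4624 LogonType=3 TargetUserName=svc_backup Computer=HR-PC12 IpAddress=10.20.0.7",
    "2023-08-16T14:02:10 EventID=4624 LogonType=3 TargetUserName=svc_backup Computer=DC01 IpAddress=10.20.0.7",
    "2023-08-16T14:03:45 EventID=4624 LogonType=3 TargetUserName=svc_backup Computer=FIN-PC03 IpAddress=10.20.0.7",
    "2023-08-16T14:05:00 EventID=4624 LogonType=3 TargetUserName=jdoe Computer=FILESRV01 IpAddress=10.20.1.44",
    "2023-08-16T14:20:00 EventID=4624 LogonType=2 TargetUserName=jdoe Computer=HR-PC12 IpAddress=-",
]

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
# Processes that legitimately open LSASS; this allowlist is an assumption and must be tuned.
LSASS_SOURCE_ALLOWLIST = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'TIMESTAMP key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def detect_lsass_access(lines):
    """Flag processes that open lsass.exe with memory-read rights from outside the allowlist.

    Returns a list of (timestamp, source image, granted access mask) tuples.
    """
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "10":
            continue
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        granted = int(ev["GrantedAccess"], 16)
        src = ev["SourceImage"].lower()
        if granted & PROCESS_VM_READ and src not in LSASS_SOURCE_ALLOWLIST:
            hits.append((ev["ts"], ev["SourceImage"], hex(granted)))
    return hits


def detect_credential_reuse(lines, window=timedelta(minutes=10), min_hosts=3):
    """Flag accounts whose network logons (4624, LogonType 3) reach at least `min_hosts`
    distinct computers inside a sliding time window: one credential replayed across the network.

    Returns {account: sorted list of hosts reached} for each flagged account.
    """
    per_user = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev.get("EventID") == "4624" and ev.get("LogonType") == "3":
            per_user[ev["TargetUserName"]].append((ev["ts"], ev["Computer"]))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {host for ts, host in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for ts, src, mask in detect_lsass_access(SYSMON_PROCESS_ACCESS):
        print(f"[LSASS access] {ts} {src} GrantedAccess={mask}")
    for user, hosts in detect_credential_reuse(SECURITY_LOGONS).items():
        print(f"[credential reuse] {user} -> {', '.join(hosts)}")
```

The first rule keys on the access mask rather than on a tool name, so it catches any unexpected reader of LSASS memory regardless of what binary performs the read; the second rule is deliberately independent of the malware question raised below, since living-off-the-land lateral movement with PsExec or WMI still produces ordinary type-3 logons on each destination host.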
This attack targeting operating system processes highlights the importance of decoupling operating systems and security tools to encourage a strong and diversified security posture.
BlackBerry has tested all known versions of Volt Typhoon's custom proxy tool and confirmed they are convicted by BlackBerry's Cylance AI. To provide defense in depth, BlackBerry recommends the following actions be taken using its CylancePROTECT solution:
In addition, BlackBerry recommends activating the following CylanceOPTICS rules:
BlackBerry's patented elliptic curve cryptography technology, found in BlackBerry® Unified Endpoint Manager, keeps work data safe from exfiltration, on desktop and mobile devices, via the BlackBerry Dynamics® container. BlackBerry UEM has a record number of security certifications and is trusted by the world's most security-conscious organizations, including 17 of the G20 governments, many of the largest banks, and more.
BlackBerry provides enhanced integrations between UEM and Microsoft 365, so enterprises can benefit from BlackBerry's mature security solutions while using Microsoft's productivity products. BlackBerry's enablement of Microsoft 365 amplifies productivity potential and empowers enterprises with the standard for secure productivity.
If you are looking for protection against cyberattacks that lets you sleep well at night, please contact BlackBerry. The team works with organizations of every size and in every vertical to evaluate and enhance your endpoint security posture and proactively maintain the security, integrity, and resilience of your network infrastructure.
For emergency assistance, please email us at [email protected], or use the hand-raiser form.
For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry Blog.
Noah Campbell is the Senior Elite Technical Marketing Specialist at BlackBerry.