Volt Typhoon in the Wild
ThreatLocker
Leading the industry towards a more secure approach of blocking unknown application vulnerabilities.
About Volt Typhoon
Volt Typhoon is a state-sponsored cyber actor associated with the People’s Republic of China. Traditionally, their activities have been limited to initial intrusion, information gathering, and data exfiltration. ThreatLocker has observed increased activity, which we believe is related to this threat actor.
We have observed them attempting to gather telemetry about the compromised network, including detailed information about which processes are currently running and which DLLs are loaded by those processes. For additional information on what other organizations have observed, see this CISA Cybersecurity Advisory.
Indicators of Compromise (IoC) Timeline
1. Tasklist.exe is executed.
This is used to gather information about all processes running on the compromised machine. In addition, it is used to list all the DLLs loaded by each process. This information can be used to construct a future DLL hijacking attack. Microsoft documentation for this executable can be found here.
2. Mpcmdrun.exe is executed.
This is a dedicated command line tool used to manage Windows Defender. It can be used to check if you are vulnerable to CVE-2023-24934, an exploit which allows hackers to bypass Windows Defender. You can see a demonstration of this exploit on our Windows Defender Bypass blog.
3. Wmic.exe attempts to execute
Wmic.exe attempts to execute but is blocked by ThreatLocker. This is the WMI command-line utility. It has been deprecated as of Windows 10, version 21H1. Any attempted execution of this command should be viewed as suspicious.
4. Next steps
If Wmic.exe is not blocked by a default-deny policy like the one ThreatLocker provides, the attack continues with further reconnaissance, including network scans and process enumeration, and exfiltration of the collected data. This gives the attacker the recon needed to identify further opportunities for exploitation.
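The four steps above form a single discovery sequence, and the timeline is useful as a detection rule even where no default-deny control is in place. The following script is an added example, not ThreatLocker's code and not part of the original post: it runs that sequence over process-creation telemetry and reports hosts where the three binaries appear close together, treating any Wmic.exe execution as a finding on its own, as the post recommends. The event shape (host, time, image, command_line, user, in the style of a Security 4688 or Sysmon event 1 export), the field names, the 30-minute window and the sample events are all assumptions constructed for the example; the log lines are not real telemetry.

```python
"""Added example: flag the tasklist -> MpCmdRun -> wmic discovery sequence
in process-creation records. Field names and sample events are constructed
for this example and are not taken from any real environment."""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries named in the IoC timeline, mapped to a stage label.
STAGES = {
    "tasklist.exe": "process_enum",    # process and loaded-DLL enumeration
    "mpcmdrun.exe": "defender_probe",  # Windows Defender command-line tool
    "wmic.exe": "wmic_exec",           # deprecated WMI CLI; any use is suspicious
}

# Constructed sample events (assumed export shape: host, time, image, command_line, user).
SAMPLE_EVENTS = [
    # WS-042 shows the full sequence from the timeline within a few minutes.
    {"host": "WS-042", "time": "2024-03-01T09:12:04",
     "image": r"C:\Windows\System32\tasklist.exe",
     "command_line": "tasklist /m", "user": "CORP\\jdoe"},
    {"host": "WS-042", "time": "2024-03-01T09:13:30",
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "command_line": "MpCmdRun.exe", "user": "CORP\\jdoe"},
    {"host": "WS-042", "time": "2024-03-01T09:15:10",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic process list brief", "user": "CORP\\jdoe"},
    # SRV-07 is routine administration: a lone tasklist, then an unrelated process.
    {"host": "SRV-07", "time": "2024-03-01T11:00:00",
     "image": r"C:\Windows\System32\tasklist.exe",
     "command_line": "tasklist", "user": "CORP\\admin"},
    {"host": "SRV-07", "time": "2024-03-01T11:00:05",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe", "user": "CORP\\admin"},
    # LT-113 shows only wmic.exe, which is still a finding because the tool is deprecated.
    {"host": "LT-113", "time": "2024-03-01T14:20:00",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get caption", "user": "CORP\\mlee"},
]


def normalize_image(image):
    """Return the lower-cased file name of an image path, whatever the directory."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_discovery_chains(events, window=timedelta(minutes=30)):
    """Return one finding per host that shows the discovery sequence.

    Severity is 'high' if wmic.exe ran at all, 'medium' if two or more distinct
    stages fell inside one window, and nothing is reported for a lone tasklist
    or MpCmdRun run, which is routine administration.
    """
    by_host = defaultdict(list)
    for ev in events:
        stage = STAGES.get(normalize_image(ev["image"]))
        if stage:
            by_host[ev["host"]].append(
                (datetime.fromisoformat(ev["time"]), stage, ev["command_line"]))

    findings = []
    for host, hits in by_host.items():
        hits.sort()
        # Largest set of distinct stages that fits inside a single window.
        best = set()
        for i, (t0, _, _) in enumerate(hits):
            seen = {s for t, s, _ in hits[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        ran_wmic = any(s == "wmic_exec" for _, s, _ in hits)
        if ran_wmic:
            severity = "high"
        elif len(best) >= 2:
            severity = "medium"
        else:
            continue
        findings.append({
            "host": host,
            "severity": severity,
            "stages": sorted(best),
            "commands": [c for _, _, c in hits],
        })
    return findings


if __name__ == "__main__":
    for f in find_discovery_chains(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():6} {f['host']}: {', '.join(f['stages'])}")
        for c in f["commands"]:
            print(f"         {c}")
```

The window and the image-name matching are deliberately simple so the rule is easy to port into a SIEM query; in production the same logic would run over the real process-creation feed, and the `commands` list gives an analyst the command lines to review when a host is flagged.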
Recommendations for Everyone
3. Follow any other remediation steps you can in the “Mitigations” section of this cybersecurity advisory.
Recommendations for ThreatLocker Customers
References:
Author:
Contributor:
Information Security Expert | Team Leader | Strategic Development
11 months ago: Great read. I have created a notification in our SIEM to alert anytime wmic is used. Going to use ThreatLocker for further prevention and mitigation.
Cybersecurity | Analytical | Cyber Risk Management
11 months ago: Very interesting read! I reviewed the reference posted but can't seem to find how "Mpcmdrun.exe" is linked to Volt Typhoon activities. Can the author provide a bit more context to this please?