US CISA on Alert - The Volt Typhoon Threat Continues to Grow While Hiding in Plain Sight

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has released a new cybersecurity advisory on threats from the People's Republic of China (PRC) against U.S. critical infrastructure. It is the latest of several updates, beginning in May 2023, focused on PRC state-sponsored malicious activity and specifically on the PRC cyber group known as Volt Typhoon. According to CISA, Volt Typhoon actors have pre-positioned themselves on IT networks and related resources using Living Off the Land (LOTL) techniques and are prepared to launch destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.


The advisory lists actions that can be taken to help mitigate Volt Typhoon activity, including:


1) Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon. – Keeping all internet-facing systems patched is always sound practice. The reference to “appliances known to be frequently exploited by Volt Typhoon” is particularly interesting: in December 2023, the FBI and Department of Justice disrupted a Volt Typhoon operation that used end-of-life, unpatched home routers as botnet hosts.

2) Implement phishing-resistant MFA. – Phishing-resistant MFA means moving away from SMS- and email-based MFA and toward MFA techniques based on tokens and one-time passcodes.

3) Ensure logging is turned on for application, access, and security logs, and store logs in a central system. – Logging and proper log storage are especially important when dealing with attackers who use living-off-the-land techniques to remain hidden and undetected. Pattern analysis, monitoring for lateral movement, and network baseline verification are all critical mechanisms for detecting these threat actors.


Defending against LOTL techniques is particularly challenging for many organizations because older, more traditional security best practices do not support effective detection of these subtle techniques. At its heart, LOTL is the manipulation or abuse of native, trusted tools and processes already present on systems, so that the attacker can hide in plain sight, blending in with normal system activity and operations. LOTL techniques apply to many applications and platforms, various operating systems, and resources on-premises or in the cloud.


Certain modern security technologies and processes can help detect and defend against LOTL techniques. Every organization should consider the following options to build a strong, effective defense:


· Advanced Malware Protection Solutions with behavioral analysis – Given threats like LOTL and zero-day exploits, organizations need to move beyond virus and malware protection that is signature-based or relies on simple heuristics. Advanced malware protection agents, often referred to as EDR/MDR/XDR solutions, can identify and react to threats independently of virus definitions and other static data. These agents analyze user, application, operating system, and network behavior to identify and neutralize threats. Many also incorporate AI/machine learning for faster, more efficient detection and remediation.

· SIEM (Security Information and Event Management) Alerting – Log collection, correlation, and alerting are fundamental controls against LOTL techniques and other subtle attack mechanisms. By collecting log data from multiple sources across the IT environment – firewalls, routers, switches, servers, wireless devices, etc. – and correlating that data with pattern analysis, threats can be identified that would go undetected if each log source were reviewed independently. Proper logging is also a strong forensic tool in the event of an attack or compromise.

· Zero Trust Security – Managing trust at every layer of the IT infrastructure has become a necessity for the reliable security of every organization. At its core, zero trust is a security framework that requires all users, whether internal or external to the organization’s network, to be authenticated, authorized, and continuously validated against security requirements before being granted, or allowed to keep, access to applications and data. This framework ensures that a single point of compromise does not expose the entire IT infrastructure, and it allows more granular and flexible access controls across IT resources.

· Patching and End-of-Life (EOL) Devices – One of Volt Typhoon’s primary targets when infiltrating networks is the unpatched EOL device. Older routers, switches, and IoT (Internet of Things) devices make a perfect host for botnets and other malicious code because the manufacturer has typically ended support and no longer releases updates and security patches. Compromise is simple for the attacker, and the device owner has often forgotten the device is even active on the network. Organizations must diligently maintain inventories of all active devices, manage hardware lifecycles so that older devices are upgraded or replaced, and patch and update all production devices on a regular and frequent schedule.
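As an added example (not part of the CISA advisory or this post), the two detection ideas described in the logging and SIEM items above: baselining which native tools each account normally runs, and correlating successful logons to spot one account fanning out to many hosts in a short window. The log format, the tool watchlist, the thresholds and every log line are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample log lines, already normalised SIEM-style as
# "<ISO timestamp>|<source>|<host>|<user>|<detail>". None of this is real data.
SAMPLE_LOGS = """\
2024-02-10T08:00:00|endpoint|ws01|alice|proc=powershell.exe
2024-02-10T08:07:00|endpoint|ws02|bob|proc=netsh.exe
2024-02-10T09:00:00|auth|fs01|svc_backup|logon=success
2024-02-11T02:10:00|endpoint|ws01|alice|proc=ntdsutil.exe
2024-02-11T02:11:00|auth|fs01|alice|logon=success
2024-02-11T02:12:30|auth|fs02|alice|logon=success
2024-02-11T02:13:10|auth|db01|alice|logon=success
2024-02-11T02:14:00|auth|dc01|alice|logon=success
"""
# Assumed watchlist of built-in admin tools worth baselining; tune it per environment.
WATCHED_TOOLS = {"powershell.exe", "netsh.exe", "ntdsutil.exe", "wmic.exe"}
BASELINE_END = datetime(2024, 2, 11)  # activity before this is treated as "normal"

def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, source, host, user, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "host": host, "user": user, "detail": detail})
    return events

def first_seen_tool_use(events, baseline_end=BASELINE_END):
    """Baseline check: a watched native tool run by an account that never ran it before."""
    procs = [(e, e["detail"].split("=", 1)[1]) for e in events if e["source"] == "endpoint"]
    baseline = {(e["user"], tool) for e, tool in procs if e["ts"] < baseline_end}
    return [(e["user"], e["host"], tool) for e, tool in procs
            if e["ts"] >= baseline_end and tool in WATCHED_TOOLS
            and (e["user"], tool) not in baseline]

def lateral_fanout(events, window_minutes=10, min_hosts=3):
    """Correlation check: one account authenticating to many hosts in a short window."""
    logons = defaultdict(list)
    for e in events:
        if e["source"] == "auth" and e["detail"] == "logon=success":
            logons[e["user"]].append((e["ts"], e["host"]))
    alerts = []
    for user, items in logons.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if (t - start).total_seconds() <= window_minutes * 60}
            if len(hosts) >= min_hosts:
                alerts.append((user, tuple(sorted(hosts))))
                break  # one alert per account is enough
    return alerts
```

Neither check needs a signature: the first flags a deviation from the account's own history, the second a pattern that only appears once auth logs from several hosts are correlated in one place.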


The threat presented by the PRC and other nation-state actors is not going away; it will only get worse. Organizations must be prepared and take precautions against these attackers. Stay vigilant!
