A state-backed hacking group known as “Volt Typhoon” or “Vanguard Panda” has recently been discovered using a critical vulnerability in Zoho’s ManageEngine ADSelfService Plus, a popular single sign-on and password management solution. The group, first brought to attention in joint reports from Microsoft and various government agencies, has been targeting critical infrastructure in the Pacific region, reportedly to establish a foothold it could use in the event of a conflict with Taiwan.
According to reports, Volt Typhoon has been employing sophisticated tactics, techniques, and procedures (TTPs) to infiltrate targeted networks. It has been using internet-exposed Fortinet FortiGuard devices for initial intrusion and concealing its network activity by routing it through compromised routers, firewalls, and VPN hardware. However, a recent campaign outlined by cybersecurity firm CrowdStrike reveals that Volt Typhoon is highly adaptable and customizes its tactics based on extensive reconnaissance of each target.
The campaign discussed by CrowdStrike revolves around the use of a critical vulnerability known as CVE-2021-40539 in ManageEngine ADSelfService Plus for initial intrusion. The group then proceeds to mask its web shell as a legitimate process and erases logs to cover its tracks as it moves through the victim’s environment. This previously undisclosed tactic allowed Volt Typhoon to maintain pervasive access to the victim’s network for an extended period without being detected.
CrowdStrike researchers became suspicious when they detected unusual activity within the network of an unidentified client. The attacker, later identified as Volt Typhoon, was performing extensive information-gathering, indicating a high level of familiarity with the target environment. Despite deploying a web shell six months prior, Volt Typhoon managed to evade detection, primarily due to the exploitation of the CVE-2021-40539 vulnerability.
Once inside the network, Volt Typhoon stole administrator credentials and moved laterally to expand its control. To cover its tracks, the group took extensive measures to eliminate evidence of malicious activity, including clearing out log files and removing excess files from disk. However, it made one slip: it forgot to erase the Java source code and compiled class files from the targeted Apache Tomcat web server, and that residue ultimately led to its discovery.
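One defender-side check built on that detail, as an added example that is not from the article or from CrowdStrike: Tomcat compiles every JSP it serves into `<name>_jsp.java` and `<name>_jsp.class` under its `work` directory, so compiled artifacts whose `.jsp` source has since disappeared from `webapps` are exactly the kind of leftover worth a look during a hunt. The script assumes Tomcat's default directory layout and simple, unmangled JSP names; the sample install it scans is constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

SUFFIXES = ("_jsp.java", "_jsp.class")  # what Tomcat emits per compiled JSP


def find_orphaned_jsps(tomcat_home):
    """Return sorted POSIX paths (relative to tomcat_home) of compiled JSP
    artifacts under work/ whose source .jsp is gone from webapps/. Assumed
    default layout: webapps/<ctx>/d/name.jsp -> work/Catalina/localhost/<ctx>/
    org/apache/jsp/d/name_jsp.{java,class}; simple (unmangled) names only."""
    home = Path(tomcat_home)
    work_root = home / "work" / "Catalina" / "localhost"
    orphans = []
    if not work_root.is_dir():
        return orphans
    for ctx_dir in work_root.iterdir():
        jsp_pkg = ctx_dir / "org" / "apache" / "jsp"
        if not jsp_pkg.is_dir():
            continue
        for artifact in jsp_pkg.rglob("*_jsp.*"):
            if not artifact.name.endswith(SUFFIXES):
                continue
            rel_dir = artifact.parent.relative_to(jsp_pkg)
            stem = artifact.name.rsplit("_jsp.", 1)[0]
            source = home / "webapps" / ctx_dir.name / rel_dir / f"{stem}.jsp"
            if not source.exists():  # compiled output remains, source is gone
                orphans.append(artifact.relative_to(home).as_posix())
    return sorted(orphans)


def build_sample_tree():
    """Constructed sample install: index.jsp is still deployed, help.jsp was
    compiled and later deleted, leaving the residue the article describes."""
    home = Path(tempfile.mkdtemp(prefix="tomcat_"))
    app = home / "webapps" / "ROOT"
    pkg = home / "work" / "Catalina" / "localhost" / "ROOT" / "org" / "apache" / "jsp"
    app.mkdir(parents=True)
    pkg.mkdir(parents=True)
    (app / "index.jsp").write_text("<html>ok</html>")
    for name in ("index", "help"):
        (pkg / f"{name}_jsp.java").write_text("// generated by Jasper")
        (pkg / f"{name}_jsp.class").write_bytes(b"\xca\xfe\xba\xbe")
    return home


if __name__ == "__main__":
    for path in find_orphaned_jsps(build_sample_tree()):
        print("orphaned compiled JSP:", path)
```

A hit is only a lead: compare the artifact's timestamps with deployment records and web access logs before drawing conclusions.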
As for defense against Volt Typhoon cyberattacks, CrowdStrike’s Tom Etheridge recommends focusing on identity management and threat hunting. Identity is a significant challenge for organizations, as stolen credentials are commonly used in cyber incidents. Implementing robust identity management practices can help mitigate the risk of unauthorized access. Additionally, organizations should prioritize threat hunting and incident response capabilities to quickly detect and respond to potential breaches.
Volt Typhoon has primarily targeted organizations in sectors such as communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education. Its most notable focus, however, has been critical infrastructure in the United States and Guam, which plays a crucial role in defending Taiwan against potential Chinese aggression.
While it may be challenging to entirely prevent attacks from nation-state threat actors like Volt Typhoon, organizations can take proactive steps to enhance their security posture. By implementing strong identity management practices and investing in threat hunting and incident response capabilities, they can significantly reduce the impact of a potential breach.