The Chinese state-backed advanced persistent threat (APT) group Volt Typhoon, also known as Vanguard Panda, has been exploiting a critical vulnerability in Zoho’s ManageEngine ADSelfService Plus and, according to reports, has recently developed previously unknown stealth mechanisms.
Volt Typhoon gained attention last month when Microsoft and various government agencies published joint reports. These reports revealed the group’s infiltration of critical infrastructure in the Pacific region, potentially to establish a foothold in the event of a conflict with Taiwan.
The reports detailed Volt Typhoon’s tactics, techniques, and procedures (TTPs), including its use of internet-exposed Fortinet FortiGuard devices for initial intrusion, and its ability to conceal network activity through compromised routers, firewalls, and VPN hardware.
CrowdStrike, a cybersecurity firm, recently outlined a campaign conducted by Volt Typhoon in a blog post. The campaign demonstrated the group’s adaptability and customization capabilities. Volt Typhoon exploited CVE-2021-40539, a vulnerability in ManageEngine, to gain access to a victim’s environment. The group then disguised its web shell as a legitimate process and removed any traces of its activities.
Tom Etheridge, Chief Global Professional Services Officer for CrowdStrike, stated that Volt Typhoon had pervasive access to the victim’s environment for an extended period due to its familiarity with the infrastructure. The group was diligent in covering its tracks and erasing any evidence of its presence.
CrowdStrike researchers discovered Volt Typhoon’s presence during an investigation into suspicious activity in a client’s network. The attacker had been gathering information and testing network connectivity for six months before being detected. Initial access was gained through the vulnerability in ADSelfService Plus, a product that has repeatedly been affected by critical vulnerabilities in recent years.
Once inside the network, Volt Typhoon deployed a web shell and attempted to conceal its activity by making the shell masquerade as a legitimate ManageEngine ADSelfService Plus file. The group then collected administrator credentials and moved laterally within the network. To cover its tracks, Volt Typhoon went to extensive lengths to remove any traces of its presence, although it overlooked erasing Java source code and compiled class files from the targeted Apache Tomcat web server.
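The leftover Java sources and compiled class files described above are exactly the kind of residue a threat hunt can look for. The following is an added example, not code from CrowdStrike or ManageEngine: it walks a Tomcat webapps tree and flags .java sources anywhere, class files (identified by their magic bytes, not their suffix) outside WEB-INF/classes, and class files sitting next to their own source, since a product deployment ships none of these. The directory layout, file names and sample contents are constructed.

```python
"""Hunt for Java compiler residue in an Apache Tomcat webapps tree.
Added example, not from the report or from ManageEngine; paths and names are constructed."""
import tempfile
from pathlib import Path

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # JVM class-file magic, checked regardless of file suffix


def is_class_file(path: Path) -> bool:
    """True if the file starts with the JVM class magic, whatever its extension."""
    with path.open("rb") as fh:
        return fh.read(4) == CLASS_MAGIC


def hunt_java_residue(webapps: Path) -> dict:
    """Return webapps-relative paths of suspicious files, keyed by finding type."""
    findings = {"java_source": [], "class_outside_classes_dir": [], "class_next_to_source": []}
    for path in sorted(p for p in webapps.rglob("*") if p.is_file()):
        rel = path.relative_to(webapps).as_posix()
        if path.suffix == ".java":
            findings["java_source"].append(rel)  # deployed apps ship no sources
        elif is_class_file(path):
            if "/WEB-INF/classes/" not in "/" + rel:
                findings["class_outside_classes_dir"].append(rel)  # wrong place for a class
            if path.with_suffix(".java").exists():
                findings["class_next_to_source"].append(rel)  # compiled in place
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed webapps tree: one legitimate layout plus planted residue."""
    klass = CLASS_MAGIC + b"\x00\x00\x00\x34"  # fake class header (constructed)
    layout = {
        "sampleapp/WEB-INF/classes/com/acme/Legit.class": klass,   # legitimate location
        "sampleapp/WEB-INF/lib/legit.jar": b"PK\x03\x04",           # legitimate jar
        "sampleapp/help/Residue.java": b"// source left behind\n",  # residue: source
        "sampleapp/help/Residue.class": klass,                      # residue: compiled beside it
        "sampleapp/images/logo.png": klass,                         # class bytes, benign suffix
    }
    webapps = root / "webapps"
    for rel, body in layout.items():
        (webapps / rel).parent.mkdir(parents=True, exist_ok=True)
        (webapps / rel).write_bytes(body)
    return webapps


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return hunt_java_residue(build_sample_tree(Path(tmp)))
```

Point `hunt_java_residue` at a real `webapps` directory to run it against an actual deployment; any hit is a lead to triage against the product's file manifest, not a verdict on its own.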
Etheridge emphasized the importance of defending against Volt Typhoon and similar cyberattacks. He suggested that organizations prioritize identity management, as stolen credentials are frequently exploited by threat actors. Additionally, he highlighted the significance of threat hunting and incident response to quickly identify and mitigate any potential breaches.
Volt Typhoon has targeted organizations across a range of sectors, including communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education. Notably, the group has focused on critical infrastructure in the United States and Guam, which are key defense points for Taiwan against China.
While it is challenging to completely stop nation-state threat actors, Etheridge believes that implementing robust identity management and proactive threat hunting can significantly improve an organization’s ability to respond to and mitigate the consequences of such cyberattacks.