U.S. government agencies issued another warning about the significant threat a Chinese nation-state group poses to critical infrastructure, revealing that the attackers might have been lurking in victims' IT environments for several years.
Last week, during a hearing before the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party, CISA Director Jen Easterly and FBI Director Christopher Wray warned that Chinese nation-state actors had positioned themselves inside critical infrastructure organizations in preparation for future attacks.
The hearing was held in the wake of the Department of Justice's disruption of a botnet campaign by a Chinese threat group, known as Volt Typhoon, that infected U.S.-based SOHO routers.
In a joint cybersecurity advisory Wednesday, CISA, the FBI and the National Security Agency echoed the warning and confirmed that Volt Typhoon compromised organizations in the communications, energy, transportation systems, and water and wastewater sectors.
The warnings and threat intelligence outlined in the advisory are based on CISA, NSA and FBI incident response investigations that involved Volt Typhoon.
During those investigations, the agencies found that Volt Typhoon's activity did not align with traditional cyber espionage and concluded that the group is pre-positioning for disruptive action, which could put the operational technology (OT) systems of critical infrastructure organizations at risk.
According to CISA, Volt Typhoon is dangerous because of its extensive reconnaissance, its discovery and use of zero-day vulnerabilities, and its evasion techniques.
To gain initial access to a victim environment, Volt Typhoon is known to leverage both zero-day and known vulnerabilities in networking appliances.
The agencies urged organizations to secure internet-facing devices, which Volt Typhoon has targeted in the past.
The joint advisory noted that the group has gained access to IT networks by exploiting known or zero-day vulnerabilities in routers, VPNs and firewalls, and named devices from Fortinet, Ivanti Connect Secure, Netgear, Citrix and Cisco as Volt Typhoon's primary initial access targets.
In June 2023, Carl Windsor, senior vice president of product technology and solutions at Fortinet, warned users that Volt Typhoon would likely exploit a critical Fortinet SSL VPN vulnerability, tracked as CVE-2023-27997.
Microsoft issued a similar warning the previous month, in May 2023, noting that Volt Typhoon was gaining initial access to critical infrastructure organizations through internet-facing Fortinet FortiGuard devices.
The advisory said Volt Typhoon actors are also adept at leveraging credential access, often with administrative privileges, to move laterally within an environment.
In some instances, the agencies said threat actors used elevated credentials to gain OT access and take control of critical equipment and assets.
The advisory warned that such access could lead to the compromise of heating, ventilation and air conditioning (HVAC) systems in server rooms, or to the disruption of critical energy and water controls.
The agencies confirmed that in some cases, Volt Typhoon also gained access to camera surveillance systems within critical infrastructure facilities.
Volt Typhoon actors exhibit significant patience after using credentials to gain access to legitimate accounts.
The advisory emphasized that Volt Typhoon's objective is to maintain persistence within targeted organizations.
Recommendations included patching internet-exposed systems, prioritizing the vulnerabilities Volt Typhoon frequently exploits; implementing phishing-resistant multifactor authentication; and reviewing account permissions on edge appliances and network devices, removing any domain administrator privileges.
This Cyber News was published on www.techtarget.com. Publication date: Thu, 08 Feb 2024 17:13:04 +0000