The Chinese nation-state actor has been actively conducting espionage and information-gathering attacks on American systems since mid-2021. Credit: Smederevac / Getty Images Microsoft and a few American intelligence agencies have detected malware of Chinese origin deployed in critical infrastructure systems in Guam and elsewhere in the US.The malicious activity, focused on post-compromise credential access and network security discovery, has been linked to Volt Typhoon, a state-sponsored threat actor in China.“Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States,” Microsoft said in a blog post. “In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.” Guam hosts significant military installations of the US, including the Andersen Air Force Base, which plays a crucial role in the event of any potential conflicts in the Asia Pacific region, including a move against Taiwan. Volt Typhoon employs stealthy infectionMicrosoft has identified attacks containing a “Web Shell,” a malicious script enabling remote access to a server, deployed in home routers and other common internet-connected computer devices to make intrusion harder to track.Volt Typhoon issues commands via the command line of an infected system to collect data, including credentials from local and network systems, archiving them to stage exfiltration and use retrieved credentials to maintain persistence. The attacker gains initial entry into targeted organizations by exploiting internet-facing Fortinet FortiGuard devices. Microsoft is currently in the process of examining how Volt Typhoon manages to gain access to these devices.“The threat actor attempts to leverage any privileges afforded by the Fortinet device extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials,” Microsoft added.The attack directs all of its network traffic towards its targets by utilizing compromised small office/home office network edge devices, such as routers. Microsoft has verified that numerous devices, including those produced by Asus, Cisco, D-Link, Netgear, and Zyxel, have the capability for owners to expose HTTP or SSH management interfaces to the internet.In their post-compromise operations, Volt Typhoon rarely employs malware. Instead, they heavily rely on utilizing living-off-the-land commands to search for information within the system, identify other devices connected to the network, and extract data.Credential rotation and MFA are key to protectionAs mitigation steps, Microsoft has recommended closing or changing credentials for all compromised accounts. “Identify local security authority subsystem service (LSASS) dumping and domain controller installation media creation to identify affected accounts,” it added.Examining the activity of compromised accounts for any malicious actions or exposed data has also been advised. To reduce the risk of compromised legitimate accounts, Microsoft is encouraging customers to implement robust multifactor authentication (MFA) policies that utilize hardware security keys or Microsoft Authenticator. Additionally, passwordless sign-in, setting password expiration rules, and deactivating unused accounts can also be effective in mitigating the risks associated with this method of access.Protective process light (PPL) for LSASS, Windows Defender credential guard, and EDR in clock mode are a few licensed solutions Microsoft has recommended for its users to protect against such attacks. Related content news Cisco urges immediate software upgrade after state-sponsored attack Hackers exploited previously undetected vulnerabilities in Cisco’s Adaptive Security Appliances — a product that combines multiple cybersecurity functions. By Prasanth Aby Thomas Apr 25, 2024 3 mins Vulnerabilities brandpost Sponsored by Microsoft Security What will cyber threats look like in 2024? Analyzing incidents in the past will help advise a stronger cybersecurity strategy in the future—2024 and beyond. By Microsoft Security Apr 24, 2024 5 mins Security news analysis How the ToddyCat threat group sets up backup traffic tunnels into victim networks The Chinese APT group is using a variety of tools to infiltrate networks and steal large amounts of data. By Lucian Constantin Apr 24, 2024 6 mins Advanced Persistent Threats Threat and Vulnerability Management Network Security news New OT security service can help secure against critical systems attacks Critical Start’s new offering is designed to handle security teams with specialized detection and response tooling for operational technology systems. By Shweta Sharma Apr 24, 2024 3 mins Security Software PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe