Volt Typhoon and Recent CW SIEM Updates

| By:
Bryson Medlock
Earlier this week Microsoft released a report detailing the events of a Chinese APT group dubbed Volt Typhoon gaining access to victims through Fortinet FortiGuard devices. The report by Microsoft includes several Tactics, Techniques, and Procedures (TTPs) and indicators of compromise (IOCs) related to this activity. The CRU has been threat-hunting on these observables for any additional details we can find. 

Something not mentioned in the article is that this activity appears to mirror activity reported back in Nov 2021 by the FBI and CISA based on the TTPs we are observing, so it is possible this is the same actor who has been operating since Nov 2021. 

Volt Typhoon has been observed using compromised Small-Office Home-Office (SOHO) devices (e.g. routers) to obfuscate the source of the activity [T1090.002].

- Most common types include ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices.

- Common CVEs for these devices and mitigation guidance can be found in the joint Cybersecurity Advisory, "Top CVEs Actively Exploited by People's Republic of China State-Sponsored Cyber Actors."

Volt Typhoon has also been observed exploiting vulnerabilities [T1190] in widely used software including, but not limited to:

- CVE-2021-40539—ManageEngine ADSelfService Plus.  https://www.cisa.gov/uscert/ncas/alerts/aa21-259a.

- CVE-2021-27860—FatPipe WARP, IPVPN, MPVPN. https://www.ic3.gov/Media/News/2021/211117-2.pdf

Considering this, the CRU has made updates to the CW SIEM CRU ruleset.  We have updated the CRU rule for the NTDSUtil rule as well as the Netsh Port Forwarding rule to include TTPs matching this threat actor.  Below is a compiled list of signatures that should match activity that is related to the post-compromise activity observed in the report for Volt Typhoon. If you see these signatures firing together, this may be an indicator for this TA.

CW SIEM Detections

CW SIEM Event Notifications in the CRU Collection related to observed TTPs by this threat actor:

[CRU][Windows] Common Windows Password Dumping Tool In Use
[CRU][Windows] Impacket Tools Observed
[CRU][Windows] PortProxy Registry Key
[CRU][Windows] Potential Wmiexec Command Execution
[CRU][Windows] Command Line Registry Dump
[CRU][Windows] Powershell Executed with Truncated Parameters
[CRU][Windows] WMI Remote Process Creation
[CRU][Windows] Password Dumping via comsvcs.dll MiniDump

Updated CW SIEM Event Notification:
[CRU][Windows] Netsh Port Forwarding
[CRU][Windows] Dump Active Directory Database with NTDSUtil

CW SIEM IDS signatures related to the CVEs this threat actor has been observed using:
ET EXPLOIT ManageEngine AdSelfService Plus - Authentication Bypass Attempt (CVE-2021-40539)
ET EXPLOIT ManageEngine AdSelfService Plus - Arbritrary File Upload Attempt (CVE-2021-40539)
ET EXPLOIT ManageEngine AdSelfService Plus - .jsp WebShell Upload Attempt (CVE-2021-40539)
ET EXPLOIT ManageEngine AdSelfService Plus - Possible Code Execution via openSSLTool (CVE-2021-40539) 
ET EXPLOIT Possible FatPipe Unrestricted File Upload
ET EXPLOIT FatPipe Unrestricted File Upload

Additional References