Microsoft says state-sponsored China actor targeting critical infrastructure in the US

    aum

    • 496 views
    • 3 minutes

    Microsoft has announced that Volt Typhoon, a Chinese state-sponsored actor, is targeting critical infrastructure organizations in the United States. The company said that Volt Typhoon is developing capabilities to disrupt critical communications infrastructure between the US and Asia - a capability that could come in handy during a crisis involving China.


    The malicious campaign has been going on since mid-2021 and is targeting organizations in Guam and the rest of the United States. Affected companies span multiple sectors including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.


    Microsoft Defender Antivirus and Microsoft Defender for Endpoint will alert users if they have been compromised by Volt Typhoon. In Microsoft Defender Antivirus, the following detection names are related to Volt Typhoon activity:

    • Behavior:Win32/SuspNtdsUtilUsage.A
    • Behavior:Win32/SuspPowershellExec.E
    • Behavior:Win32/SuspRemoteCmdCommandParent.A
    • Behavior:Win32/UNCFilePathOperation
    • Behavior:Win32/VSSAmsiCaller.A
    • Behavior:Win32/WinrsCommand.A
    • Behavior:Win32/WmiSuspProcExec.J!se
    • Behavior:Win32/WmicRemote.A
    • Behavior:Win32/WmiprvseRemoteProc.B


    If you use Microsoft Defender for Endpoint, you will see the following alert:

    • Volt Typhoon threat actor detected

    The following Microsoft Defender for Endpoint alerts may also be caused by Volt Typhoon, although Volt Typhoon is not necessarily the cause:

    • A machine was configured to forward traffic to a non-local address
    • Ntdsutil collecting Active Directory information
    • Password hashes dumped from LSASS memory
    • Suspicious use of wmic.exe to execute code
    • Impacket toolkit
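    As an added example (not from the article or from Microsoft), the following Microsoft Defender for Endpoint advanced hunting query brings both lists above into one triage view: the Defender Antivirus behavior detections are read from antivirus-detection records in DeviceEvents, the alert titles from AlertInfo, and the results are grouped per device so an analyst can see which machines carry which signals and how many of them are the Volt Typhoon-specific ones. It assumes the standard advanced hunting schema (DeviceEvents, AlertInfo, AlertEvidence) and that Defender Antivirus records the threat name in the AdditionalFields JSON; the 30-day window is an arbitrary choice.

```kql
// Added example, not from the article or Microsoft. Assumes the Microsoft 365 Defender
// advanced hunting schema (DeviceEvents, AlertInfo, AlertEvidence).
let Window = 30d;   // arbitrary look-back
// Defender Antivirus detection names listed in the post
let AvNames = dynamic([
    "Behavior:Win32/SuspNtdsUtilUsage.A",
    "Behavior:Win32/SuspPowershellExec.E",
    "Behavior:Win32/SuspRemoteCmdCommandParent.A",
    "Behavior:Win32/UNCFilePathOperation",
    "Behavior:Win32/VSSAmsiCaller.A",
    "Behavior:Win32/WinrsCommand.A",
    "Behavior:Win32/WmiSuspProcExec.J!se",
    "Behavior:Win32/WmicRemote.A",
    "Behavior:Win32/WmiprvseRemoteProc.B"
]);
// Defender for Endpoint alert titles: the first is specific to Volt Typhoon,
// the rest can also fire for unrelated activity and are flagged as lower confidence
let HighConfidenceTitles = dynamic(["Volt Typhoon threat actor detected"]);
let LowerConfidenceTitles = dynamic([
    "A machine was configured to forward traffic to a non-local address",
    "Ntdsutil collecting Active Directory information",
    "Password hashes dumped from LSASS memory",
    "Suspicious use of wmic.exe to execute code",
    "Impacket toolkit"
]);
// Antivirus detections: the threat name is carried in the AdditionalFields JSON
let AvHits = DeviceEvents
    | where Timestamp > ago(Window)
    | where ActionType == "AntivirusDetection"
    | extend ThreatName = tostring(parse_json(AdditionalFields).ThreatName)
    | where ThreatName in (AvNames)
    | project Timestamp, DeviceName, Signal = ThreatName, Confidence = "high";
// Alerts: join to AlertEvidence to recover the device each alert was raised on
let AlertHits = AlertInfo
    | where Timestamp > ago(Window)
    | where Title in (HighConfidenceTitles) or Title in (LowerConfidenceTitles)
    | join kind=inner (
        AlertEvidence
        | where EntityType == "Machine"
        | project AlertId, DeviceName
      ) on AlertId
    | project Timestamp, DeviceName, Signal = Title,
              Confidence = iff(Title in (HighConfidenceTitles), "high", "lower");
// One row per device, Volt Typhoon-specific signals ranked first
union AvHits, AlertHits
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            HighConfidenceSignals = countif(Confidence == "high"),
            Signals = make_set(Signal) by DeviceName
| order by HighConfidenceSignals desc, LastSeen desc
```

    Devices that show only lower-confidence titles still deserve a look, since the article notes these alerts may also be triggered by unrelated activity; the ordering simply puts the machines with the named Volt Typhoon detection or the specific antivirus signatures at the top of the queue.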


    If you’ve been affected by Volt Typhoon, you should close the compromised accounts or change their credentials. It is also advised that you examine the activity of the compromised accounts to see what the hackers may have done.
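    To support the account review recommended above, here is an added advanced hunting query (again not from the article or from Microsoft) that takes a list of accounts believed to be compromised and lays out, in time order, where they logged on and which of the tools implied by the detection names earlier in the post they launched. The account names are constructed placeholders, the tool list is derived from those detection names (ntdsutil, PowerShell, remote cmd, winrs, wmic), and the schema assumption is the DeviceLogonEvents and DeviceProcessEvents tables.

```kql
// Added example, not from the article or Microsoft. Assumes the advanced hunting
// tables DeviceLogonEvents and DeviceProcessEvents.
let Window = 30d;                                              // arbitrary look-back
let CompromisedAccounts = dynamic(["svc-backup", "j.doe"]);   // constructed placeholders
// Living-off-the-land binaries implied by the detection names in the post
let ToolsOfInterest = dynamic(["ntdsutil.exe", "powershell.exe", "cmd.exe", "winrs.exe", "wmic.exe"]);
// Where and how the accounts logged on, including the remote source where recorded
let Logons = DeviceLogonEvents
    | where Timestamp > ago(Window)
    | where AccountName in~ (CompromisedAccounts)
    | project Timestamp, AccountName, DeviceName,
              Activity = strcat("logon/", LogonType, "/", ActionType),
              Detail = strcat(RemoteIP, " ", RemoteDeviceName);
// Which of the tools the accounts started, with the full command line for review
let Processes = DeviceProcessEvents
    | where Timestamp > ago(Window)
    | where AccountName in~ (CompromisedAccounts)
    | where FileName in~ (ToolsOfInterest)
    | project Timestamp, AccountName, DeviceName,
              Activity = strcat("process/", FileName),
              Detail = ProcessCommandLine;
// Single timeline per account: logons and tool launches interleaved
union Logons, Processes
| order by AccountName asc, Timestamp asc
```

    Reading the result per account, a logon from an unfamiliar remote address followed by ntdsutil or wmic command lines is the pattern to escalate; the command line column is kept verbatim so the reviewer can see exactly what was run rather than only that the tool started.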


    If you don’t have the appropriate security measures in place, you may never know that the hackers were in your systems at all. Microsoft said the campaign is conducted stealthily, in part by blending into normal network activity: traffic is routed through network equipment such as routers, firewalls, and VPN hardware.


    Microsoft has documented the Volt Typhoon activity in detail. If you are interested in the more technical details, be sure to read Microsoft’s blog post.

