Decoding the Volt Typhoon Attacks: In-Depth Analysis and Defense Strategies
Published 12/17/2024
Originally published by InsiderSecurity.
The Volt Typhoon campaign has raised alarms across cybersecurity circles, targeting critical infrastructure with stealthy and sophisticated techniques. This analysis breaks down the methods, exploitation tactics, and practical defenses organizations can employ to safeguard their systems.
Volt Typhoon Attacks
On May 24, 2023, Microsoft and the “Five Eyes Alliance” cybersecurity information sharing organization released a joint cybersecurity advisory, which detailed a series of activities related to the Volt Typhoon. According to Microsoft’s blog post, these malicious activities have been ongoing since mid-2021 and have targeted critical infrastructure sectors in Guam and the United States. The sectors affected include communication, manufacturing, utilities, transportation, construction, maritime, government, IT, and education.
What makes Volt Typhoon unique? Its reliance on Living-off-the-Land (LOTL) techniques. By avoiding custom malware or binaries, the attackers evaded traditional antivirus and endpoint detection solutions, maintaining stealth while moving through compromised systems.
How to Detect and Respond to Advanced Threats
By leveraging behavioral analytics and anomaly detection, organizations can identify attackers across key stages of the attack lifecycle. Let’s break it down:
Stage 1: Entry and Credential Access
During the initial phase of the attack, the intruder gained entry to the enterprise's intranet by compromising the router's management interface (step 1).
Subsequently, they discovered credentials stored within the router, allowing them to access the network's assets (step 2).
To illustrate this stage, let's consider a scenario where the attacker discovered the credential 'RouterAdmin1' stored within the router and used it to gain access to the domain servers present within the enterprise's network.
To detect steps (1) and (2) effectively, behaviour-based algorithms can be leveraged. By monitoring deviations in login behaviour, the following three use cases can trigger alerts when the 'RouterAdmin1' account is misused:
- Odd Server Usage
- Unusual Login Time
- First-Time Server Login
Fig 2. How UEBA can Detect Step 2 of Volt Typhoon Attacks
In the 'Odd server usage' use case, advanced behavioural analysis can detect anomalies in the usage patterns of the 'RouterAdmin1' account. In the event of lateral movement, if the 'RouterAdmin1' account is being used to access servers in a way that deviates significantly from a user's previous patterns, an anomaly alert will be generated. For example, if an attacker gains access to the 'File server' and 'Mail server' by utilizing the 'RouterAdmin1' account instead of the authorized user's account, this would trigger an alert.
In the 'First-time login into server' use case, an anomaly alert will be promptly triggered when the account logs into the server for the first time.
In the 'Unusual login time' use case, an anomaly alert will be generated when the account logs into the server at a time that significantly deviates from its established login timing.
The convergence of these anomalies will increase the risk score associated with the 'RouterAdmin1' entity, strongly indicating malicious activities.
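The three login use cases above, as an added worked example (this is not code from the article or from InsiderSecurity, and it is not how any particular UEBA product is implemented). The script learns per-account baselines from a set of constructed logon records, evaluates later logons for first-time server login, unusual login time and odd server usage, and accumulates a risk score per entity so that converging anomalies open a ticket. Account names, server names, timestamps, risk weights and the ticket threshold are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed logon records (account, server, "YYYY-MM-DD HH:MM"); sample data made up
# for this example, not observations from the article or the advisory.
BASELINE_EVENTS = [
    ("alice", "FILE-SRV", "2023-05-01 09:12"),
    ("alice", "FILE-SRV", "2023-05-02 10:40"),
    ("alice", "MAIL-SRV", "2023-05-03 14:05"),
    ("bob", "MAIL-SRV", "2023-05-01 08:55"),
    ("bob", "MAIL-SRV", "2023-05-04 17:20"),
    ("RouterAdmin1", "ROUTER-01", "2023-05-02 11:00"),
    ("RouterAdmin1", "ROUTER-01", "2023-05-05 15:30"),
]

# Events to evaluate: two routine logons, then the router credential being reused
# against the domain controller and the file and mail servers in the early hours.
NEW_EVENTS = [
    ("alice", "FILE-SRV", "2023-05-20 09:30"),
    ("RouterAdmin1", "ROUTER-01", "2023-05-20 11:15"),
    ("RouterAdmin1", "DC-01", "2023-05-21 02:10"),
    ("RouterAdmin1", "FILE-SRV", "2023-05-21 02:25"),
    ("RouterAdmin1", "MAIL-SRV", "2023-05-21 02:40"),
]

# Illustrative weights; a real product tunes these per use case and environment.
RISK_WEIGHTS = {
    "first_time_server_login": 30,
    "unusual_login_time": 20,
    "odd_server_usage": 40,
}
TICKET_THRESHOLD = 100
HOUR_TOLERANCE = 2  # hours away from any previously seen logon hour


def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour


def _hour_distance(a, b):
    """Distance on the 24-hour clock, so 23:00 and 01:00 are two hours apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_baselines(events):
    """Learn which servers and hours are normal per account, and which accounts normally use each server."""
    servers = defaultdict(set)   # account -> servers it has logged into
    hours = defaultdict(set)     # account -> logon hours seen
    accounts = defaultdict(set)  # server -> accounts that normally log into it
    for account, server, ts in events:
        servers[account].add(server)
        hours[account].add(_hour(ts))
        accounts[server].add(account)
    return {"servers": dict(servers), "hours": dict(hours), "accounts": dict(accounts)}


def analyse_logon(baselines, event):
    """Return the use cases triggered by a single logon event."""
    account, server, ts = event
    findings = []
    if server not in baselines["servers"].get(account, set()):
        findings.append("first_time_server_login")
        # The server has an established user population that this account is not part of:
        # the credential is standing in for the authorised user's account.
        usual_accounts = baselines["accounts"].get(server, set())
        if usual_accounts and account not in usual_accounts:
            findings.append("odd_server_usage")
    known_hours = baselines["hours"].get(account, set())
    if known_hours and min(_hour_distance(_hour(ts), h) for h in known_hours) > HOUR_TOLERANCE:
        findings.append("unusual_login_time")
    return findings


def score_entities(baselines, events):
    """Accumulate a risk score per account from the converging anomalies."""
    risk = defaultdict(int)
    alerts = []
    for event in events:
        for use_case in analyse_logon(baselines, event):
            risk[event[0]] += RISK_WEIGHTS[use_case]
            alerts.append((event[0], event[1], use_case))
    return dict(risk), alerts


def entities_to_ticket(risk, threshold=TICKET_THRESHOLD):
    """Entities whose accumulated risk warrants a security ticket."""
    return sorted(a for a, r in risk.items() if r >= threshold)


if __name__ == "__main__":
    base = build_baselines(BASELINE_EVENTS)
    risk, alerts = score_entities(base, NEW_EVENTS)
    for alert in alerts:
        print("anomaly:", *alert)
    print("risk scores:", risk)
    print("ticket for:", entities_to_ticket(risk))
```

Note that a single first-time logon to a new host (the DC-01 event) stays below the ticket threshold on its own; it is the convergence of first-time logins, odd server usage on hosts that belong to other users' profiles, and the 02:00 timing that pushes 'RouterAdmin1' over the line. Per-account hour sets are a deliberately simple baseline; a production system would use a longer learning window and a distribution rather than a tolerance around seen hours.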
Stage 2: Command & Control
During stage 2 of the attack, the attacker uses PsExec to execute commands on a remote server. PSEXEC.EXE, a Microsoft Sysinternals tool, enables privileged users to launch processes on a remote server. According to the NSA's advisory, the attacker launched the NETSH.EXE command on the File server using PSEXEC.EXE from the Domain controller (step 3).
"C:\pstools\psexec.exe" \\{REDACTED} -s cmd /c "cmd.exe /c "netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999"
The attacker was also observed executing the following command to establish a network tunnel through a port proxy.
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress={REDACTED} connectport=8443 protocol=tcp
Fig 3. Step 3 and Step 4 of Volt Typhoon Attacks
To effectively detect steps 3 and 4, which involve the execution of privileged actions, the following use cases can be leveraged:
- Privileged Network Drive Access
- Creation of New Service
- New Network Service
Fig 4. How UEBA can Detect Step 3 and Step 4 of Volt Typhoon Attacks
In the use case of privileged network drive access, an anomaly alert will be triggered when the account accesses a privileged share such as \\SERVER\ADMIN$. This hidden administrative share exists on Windows servers and gives privileged users access to the server's \Windows\ folder. The \\SERVER\ADMIN$ share is commonly used by tools like PSEXEC to upload binaries to the server.
In the use case of creating a new service, an anomaly alert will be promptly generated when a new system service is created. A specific example of concern is the PSEXEC tool, which creates and launches PSEXESVC.EXE as a new system service after successfully uploading the binary.
In the use case of a new network service, an anomaly alert will be triggered upon the detection of new network connectivity or services. Specifically, this includes instances where NETSH.EXE is utilized to establish a network proxy that listens on TCP port 9999. Moreover, the network proxy is configured to forward incoming data to TCP port 8443 at the IP address 192.168.100.100.
The presence of the new network service listening on TCP port 9999, as well as the outgoing connection to 192.168.100.100 on TCP port 8443 can be identified by the network anomaly algorithm.
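The three stage 2 use cases, as an added worked example (not code from the article or from InsiderSecurity). The script runs over constructed Windows event records in a simplified shape: 5145 (network share object access) for privileged share access, 7045 (new service installed) for service creation, and 4688 (process creation) whose command line is parsed to recover the listener and forward target of a netsh port proxy. The record shape, account and host names, and the service image path are assumptions for the example; the port numbers and IP address are the ones given in the text.

```python
import re

# Constructed event records (simplified; real 5145/7045/4688 events carry more fields).
# Not log data from the article or the advisory.
EVENTS = [
    {"id": 5145, "account": "RouterAdmin1", "host": "FILE-SRV",
     "share": r"\\*\ADMIN$", "path": "PSEXESVC.exe"},
    {"id": 7045, "account": "RouterAdmin1", "host": "FILE-SRV",
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "account": "RouterAdmin1", "host": "FILE-SRV",
     "cmdline": "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 "
                "listenport=9999 connectaddress=192.168.100.100 connectport=8443 protocol=tcp"},
    {"id": 5145, "account": "backupsvc", "host": "FILE-SRV",
     "share": r"\\*\Backups", "path": "daily.bak"},
    {"id": 4688, "account": "alice", "host": "WS-12",
     "cmdline": "netsh interface portproxy show all"},
]

# ADMIN$ and drive-letter administrative shares such as C$ (share names end in '$').
ADMIN_SHARE = re.compile(r"\\(ADMIN|[A-Z])\$$", re.IGNORECASE)
PORTPROXY_ADD = re.compile(
    r"\bnetsh(?:\.exe)?\s+interface\s+portproxy\s+add\s+(v[46]tov[46])\b", re.IGNORECASE)
KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def is_admin_share(share):
    """True for ADMIN$ and drive-letter administrative shares."""
    return ADMIN_SHARE.search(share) is not None


def _port(value):
    return int(value) if value is not None else None


def parse_portproxy(cmdline):
    """Extract the listener and forward target from a 'netsh interface portproxy add' command line.

    Returns None for anything else, including 'show' and 'delete' invocations, so that
    routine inspection of existing proxies does not raise the new-network-service alert.
    """
    m = PORTPROXY_ADD.search(cmdline)
    if not m:
        return None
    kv = {k.lower(): v for k, v in KEY_VALUE.findall(cmdline[m.end():])}
    return {
        "mode": m.group(1).lower(),
        "listen_address": kv.get("listenaddress"),
        "listen_port": _port(kv.get("listenport")),
        "connect_address": kv.get("connectaddress"),
        "connect_port": _port(kv.get("connectport")),
        "protocol": kv.get("protocol", "tcp"),
    }


def detect_stage2(events):
    """Map each event to the stage 2 use case it triggers, if any."""
    alerts = []
    for e in events:
        base = {"account": e["account"], "host": e["host"]}
        if e["id"] == 5145 and is_admin_share(e.get("share", "")):
            alerts.append({"use_case": "privileged_network_drive_access",
                           "share": e["share"], "path": e.get("path"), **base})
        elif e["id"] == 7045:
            # Any new service is worth a look; PSEXESVC is the PsExec service specifically.
            alerts.append({"use_case": "creation_of_new_service", "service": e["service"],
                           "psexec": e["service"].upper().startswith("PSEXESVC"), **base})
        elif e["id"] == 4688:
            proxy = parse_portproxy(e.get("cmdline", ""))
            if proxy:
                alerts.append({"use_case": "new_network_service", **proxy, **base})
    return alerts


if __name__ == "__main__":
    for alert in detect_stage2(EVENTS):
        print(alert)
```

The parsed proxy record gives the responder the two facts to confirm on the host: a listener on TCP 9999 and traffic forwarded to 192.168.100.100:8443. The same information can be cross-checked on a suspect server with `netsh interface portproxy show all`, and any proxy that nobody can account for should be treated as evidence rather than simply deleted.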
Stage 3: Reconnaissance and Defense Evasion
In stage 3 of the attack, the attacker executed a sequence of natively available commands to gather additional information (Step 5). These commands provide various information, including network settings, account details, running processes, and more. Finally, they attempted to clear the security log in order to conceal their tracks (Step 6).
Fig 5. Step 5 and Step 6 of Volt Typhoon Attacks
To detect steps 5 and 6 effectively, the following use cases can be leveraged:
- Suspicious LOLBIN activity
- Security Log Cleared
Fig 6. How UEBA can Detect Step 5 and Step 6 of Volt Typhoon Attacks
In the use case of suspicious LOLBin (Living-off-the-Land Binary) activity, an anomaly alert will be generated when a series of native commands are executed in a pattern that closely resembles the activities typically carried out by an attacker during reconnaissance and maintaining access.
These are the specific LOLBin commands outlined in the advisory released by the NSA pertaining to the campaign:
Fig 7. Specific LOLBin Commands in Volt Typhoon
In the use case of security log clearance, an anomaly alert will be triggered when the account attempts to clear the security event log. This deliberate action poses a significant concern as it obstructs forensic analysis and investigation, especially when the victim lacks access to the audit trail.
This underscores the importance of forwarding the audit log to a secure and resilient log storage facility to preserve crucial evidence for future analysis.
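The two stage 3 use cases, as an added worked example (not code from the article or from InsiderSecurity). The script looks for a burst of distinct native discovery commands from one account on one host within a short window, and separately for the security log being cleared, either as an 1102 audit event or as a wevtutil / Clear-EventLog command line. The command-to-category map is a representative set of standard Windows utilities chosen for this example, not the list from the advisory's Fig 7; the event shape, names, timestamps, window and threshold are likewise assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed map from native executables to the kind of information they reveal.
# Representative only; the advisory's own command list is not reproduced here.
RECON_COMMANDS = {
    "ipconfig": "network_config",
    "netstat": "network_connections",
    "arp": "network_neighbours",
    "systeminfo": "host_details",
    "tasklist": "running_processes",
    "net": "accounts_and_shares",
    "whoami": "current_identity",
    "nltest": "domain_trusts",
}
LOG_CLEAR = re.compile(
    r"\b(wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+security|clear-eventlog\b.*\bsecurity)\b",
    re.IGNORECASE)
WINDOW = timedelta(minutes=10)   # how close together the commands must be
MIN_CATEGORIES = 4               # distinct kinds of information gathered

# Constructed events: process creations (4688) and an audit-log-cleared event (1102).
EVENTS = [
    {"ts": "2023-05-21 09:00", "id": 4688, "account": "alice", "host": "WS-12", "cmdline": "ipconfig /all"},
    {"ts": "2023-05-21 02:30", "id": 4688, "account": "RouterAdmin1", "host": "FILE-SRV", "cmdline": "ipconfig /all"},
    {"ts": "2023-05-21 02:31", "id": 4688, "account": "RouterAdmin1", "host": "FILE-SRV", "cmdline": "netstat -ano"},
    {"ts": "2023-05-21 02:32", "id": 4688, "account": "RouterAdmin1", "host": "FILE-SRV", "cmdline": "tasklist /v"},
    {"ts": "2023-05-21 02:33", "id": 4688, "account": "RouterAdmin1", "host": "FILE-SRV", "cmdline": "net user"},
    {"ts": "2023-05-21 02:34", "id": 4688, "account": "RouterAdmin1", "host": "FILE-SRV", "cmdline": "systeminfo"},
    {"ts": "2023-05-21 02:35", "id": 4688, "account": "RouterAdmin1", "host": "FILE-SRV", "cmdline": "whoami /all"},
    {"ts": "2023-05-21 15:00", "id": 4688, "account": "alice", "host": "WS-12", "cmdline": "netstat -an"},
    {"ts": "2023-05-21 02:50", "id": 4688, "account": "RouterAdmin1", "host": "FILE-SRV",
     "cmdline": r"C:\Windows\System32\wevtutil.exe cl security"},
    {"ts": "2023-05-21 02:50", "id": 1102, "account": "RouterAdmin1", "host": "FILE-SRV"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def command_name(cmdline):
    """Executable name without path or .exe, e.g. 'C:\\Windows\\System32\\net.exe user' -> 'net'."""
    parts = cmdline.strip().split()
    if not parts:
        return ""
    name = parts[0].rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def detect_lolbin_recon(events, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Alert when one account on one host gathers many kinds of information in a short burst."""
    per_actor = defaultdict(list)
    for e in events:
        if e["id"] != 4688:
            continue
        category = RECON_COMMANDS.get(command_name(e["cmdline"]))
        if category:
            per_actor[(e["account"], e["host"])].append((_ts(e["ts"]), category, e["cmdline"]))
    alerts = []
    for (account, host), items in per_actor.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            inside = [it for it in items[i:] if it[0] - start <= window]
            categories = {c for _, c, _ in inside}
            if len(categories) >= min_categories:
                alerts.append({"use_case": "suspicious_lolbin_activity", "account": account, "host": host,
                               "window_start": start.isoformat(), "categories": sorted(categories),
                               "commands": [c for _, _, c in inside]})
                break  # one alert per actor is enough to open a ticket
    return alerts


def detect_security_log_cleared(events):
    """Alert on the 1102 audit event and on command lines that clear the Security log."""
    alerts = []
    for e in events:
        if e["id"] == 1102 or (e["id"] == 4688 and LOG_CLEAR.search(e.get("cmdline", ""))):
            alerts.append({"use_case": "security_log_cleared", "account": e["account"], "host": e["host"],
                           "evidence": "event 1102" if e["id"] == 1102 else e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_lolbin_recon(EVENTS) + detect_security_log_cleared(EVENTS):
        print(alert)
```

Counting distinct categories rather than raw command volume is what keeps the single `ipconfig` run by a help-desk user out of the alert queue. The log-clear detector keeps both the command line and the 1102 event as separate evidence, which matters precisely because the attacker's goal is to remove one of them: the 1102 record and the surrounding process-creation events only survive if they were forwarded off the host before the clear.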
Why Behavioral Analytics Over Traditional SIEM?
In the previous sections, we discussed the use cases for detecting stealthy attackers in a network. While one can try to use a SIEM (Security Information and Event Management) solution to implement some of these use cases, there are significant limitations to consider when using a SIEM solution for such use cases.
For example, monitoring Event ID 1102 can help detect the clearing of security logs, while Event ID 5145 can identify privileged network drive access. However, enabling these alerts in a SIEM may overwhelm the security team with numerous alerts, including many that are benign or unrelated to malicious activity.
To address this challenge, UEBA (User and Entity Behavior Analytics) is an effective approach. UEBA continuously triages activity by comparing it against the historical behaviour of each entity. The security team is only notified when behavioural changes linked to relevant use cases are detected, minimizing alert fatigue.
By leveraging UEBA, security alerts are analyzed in the context of an entity's overall behaviour, allowing for a more accurate and targeted detection of suspicious activities. This approach significantly reduces the number of false positives and focuses attention on the most relevant alerts, improving the efficiency and effectiveness of the security team's response to potential threats.
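The difference between a static SIEM rule and behaviour-based triage, as an added worked example (not code from the article or from InsiderSecurity). Both detectors see the same constructed day of events: a backup service account that touches ADMIN$ on every server many times a day, as it has for the previous thirty days, plus one ADMIN$ access and one 1102 event from 'RouterAdmin1'. The SIEM rule fires once per matching event; the baseline-aware version suppresses combinations the entity has a history of, accumulates risk for the rest, and raises one ticket per entity over threshold. Account names, event shapes, weights and the threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed event tuples: (day, account, event_id, host, detail). Made up for this example.
# 5145 with detail 'ADMIN$' = privileged network drive access; 1102 = security log cleared.
SERVERS = ("FILE-SRV", "MAIL-SRV", "DC-01", "APP-01")

# (event_id, detail) -> (use case name, risk weight); weights are illustrative.
USE_CASES = {
    (5145, "ADMIN$"): ("privileged_network_drive_access", 40),
    (1102, "Security"): ("security_log_cleared", 80),
}
TICKET_THRESHOLD = 100


def make_history(days=30):
    """Thirty days in which a backup service account reaches ADMIN$ on every server daily."""
    return [(d, "backupsvc", 5145, s, "ADMIN$") for d in range(1, days + 1) for s in SERVERS]


def make_today():
    """Day 31: the same backup traffic (ten accesses per server) plus the attacker's two events."""
    today = [(31, "backupsvc", 5145, s, "ADMIN$") for s in SERVERS for _ in range(10)]
    today.append((31, "RouterAdmin1", 5145, "FILE-SRV", "ADMIN$"))
    today.append((31, "RouterAdmin1", 1102, "FILE-SRV", "Security"))
    return today


def matches_use_case(event):
    _, _, event_id, _, detail = event
    return USE_CASES.get((event_id, detail))


def siem_alerts(events):
    """Static rule: one alert for every event that matches a use case."""
    return [(e[1], e[3], matches_use_case(e)[0]) for e in events if matches_use_case(e)]


def ueba_tickets(history, events, threshold=TICKET_THRESHOLD):
    """Baseline-aware triage: suppress (account, host, use case) combinations already seen in
    the entity's history, accumulate risk for the rest, and open one ticket per entity."""
    baseline = {(e[1], e[3], matches_use_case(e)[0]) for e in history if matches_use_case(e)}
    risk, suppressed = defaultdict(int), 0
    for e in events:
        uc = matches_use_case(e)
        if not uc:
            continue
        if (e[1], e[3], uc[0]) in baseline:
            suppressed += 1
            continue
        risk[e[1]] += uc[1]
    tickets = sorted(a for a, r in risk.items() if r >= threshold)
    return {"tickets": tickets, "risk": dict(risk), "suppressed": suppressed}


if __name__ == "__main__":
    history, today = make_history(), make_today()
    print("SIEM alerts today:", len(siem_alerts(today)))
    print("UEBA result:", ueba_tickets(history, today))
```

The static rule produces forty-two alerts for the day, forty of them the backup account doing its job; the behaviour-based version suppresses those forty and hands the analyst a single ticket for 'RouterAdmin1' with both pieces of evidence attached. The trade-off to keep in mind is that a baseline learns whatever it is shown, so an attacker already present during the learning window becomes part of "normal"; pairing the baseline with hard rules for a few never-acceptable events (a cleared security log on a domain controller, for instance) guards against that.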
Fig 8. UEBA sends a security ticket to users
Recommendations to Protect Your Organization
To defend against sophisticated campaigns like Volt Typhoon:
- Restrict direct internet access to router management interfaces.
- Store credentials at lower privilege levels.
- Enforce robust authentication for all assets.
- Centralize and secure audit logs for forensic analysis.
- Continuously monitor logs for anomalies in identity, network, and asset behavior.
Pro Tip: Implement UEBA for proactive detection and response to stealthy threats.