The Chinese nation-state actor has been actively conducting espionage and information-gathering attacks on American systems since mid-2021. Credit: Smederevac / Getty Images Microsoft and a few American intelligence agencies have detected malware of Chinese origin deployed in critical infrastructure systems in Guam and elsewhere in the US.The malicious activity, focused on post-compromise credential access and network security discovery, has been linked to Volt Typhoon, a state-sponsored threat actor in China.“Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States,” Microsoft said in a blog post. “In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.” Guam hosts significant military installations of the US, including the Andersen Air Force Base, which plays a crucial role in the event of any potential conflicts in the Asia Pacific region, including a move against Taiwan. Volt Typhoon employs stealthy infectionMicrosoft has identified attacks containing a “Web Shell,” a malicious script enabling remote access to a server, deployed in home routers and other common internet-connected computer devices to make intrusion harder to track.Volt Typhoon issues commands via the command line of an infected system to collect data, including credentials from local and network systems, archiving them to stage exfiltration and use retrieved credentials to maintain persistence. The attacker gains initial entry into targeted organizations by exploiting internet-facing Fortinet FortiGuard devices. Microsoft is currently in the process of examining how Volt Typhoon manages to gain access to these devices.“The threat actor attempts to leverage any privileges afforded by the Fortinet device extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials,” Microsoft added.The attack directs all of its network traffic towards its targets by utilizing compromised small office/home office network edge devices, such as routers. Microsoft has verified that numerous devices, including those produced by Asus, Cisco, D-Link, Netgear, and Zyxel, have the capability for owners to expose HTTP or SSH management interfaces to the internet.In their post-compromise operations, Volt Typhoon rarely employs malware. Instead, they heavily rely on utilizing living-off-the-land commands to search for information within the system, identify other devices connected to the network, and extract data.Credential rotation and MFA are key to protectionAs mitigation steps, Microsoft has recommended closing or changing credentials for all compromised accounts. “Identify local security authority subsystem service (LSASS) dumping and domain controller installation media creation to identify affected accounts,” it added.Examining the activity of compromised accounts for any malicious actions or exposed data has also been advised. To reduce the risk of compromised legitimate accounts, Microsoft is encouraging customers to implement robust multifactor authentication (MFA) policies that utilize hardware security keys or Microsoft Authenticator. Additionally, passwordless sign-in, setting password expiration rules, and deactivating unused accounts can also be effective in mitigating the risks associated with this method of access.Protective process light (PPL) for LSASS, Windows Defender credential guard, and EDR in clock mode are a few licensed solutions Microsoft has recommended for its users to protect against such attacks. Related content brandpost Sponsored by Cyber NewsWire LayerX Security Raises $26M for its Browser Security Platform, Enabling Employees to Work Securely from Any Browser, Anywhere Early adoption by Fortune 100 companies worldwide, LayerX already secures more users than any other browser security solution and enables unmatched security, performance and experience By Cyber NewsWire May 02, 2024 4 mins Cyberattacks Security news Iranian hackers harvest credentials through advanced social engineering campaigns Mandiant observed several malicious campaigns with threat actors impersonating journalists and harvesting the victim’s cloud environment credentials. By Shweta Sharma May 02, 2024 4 mins Hacker Groups Social Engineering news Dropbox Sign hack exposed user data, raises security concerns for e-sign industry The names and email addresses of those customers were also exposed who had never created an account with Dropbox Sign but had “received or signed a document through Dropbox Sign.” By Gyana Swain May 02, 2024 5 mins Data Breach news UnitedHealth hack may impact a third of US citizens: CEO testimony Despite paying a $22 million ransom in Bitcoin to regain access to encrypted files, the company cannot confirm whether copies of the data were made or published online. By Prasanth Aby Thomas May 02, 2024 4 mins Data Breach Ransomware Hacking PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe