News NSA, Microsoft Issue Critical Cyberthreat Report to US Infrastructures Backed by Chinese State-Sponsored Actor

This group is still active? I thought they had gone silent since last year or so. A very clever and dangerous cybercriminal group, btw. They might have already compromised a few things by now.

They also used custom versions of open-source tools like 'Impacket' and 'Fast Reverse Proxy (FRP)' to establish a command and control (C2) channel over a proxy, to further stay under the radar for several years.

Who would have known that this group still proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers, firewalls, and VPN hardware). Very intelligent indeed.
 
As noted in the joint announcement, many of the routers are consumer-based, which makes them easy to hack and use for nefarious operations. The best option for many is a more secure router.

"Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers). Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet. Owners of network edge devices should ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface. By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure."
 
Yeah.

Also, Microsoft suggests enforcing strong multi-factor authentication (MFA) policies, hardening LSASS processes, and running endpoint detection and response (EDR) in block mode to protect against such stealthy attacks.

They are one of the most "stealthy" cybercrime groups operating online, in my opinion, since they also carefully deleted and wiped out the evidence and proof of intrusions from the victims' logs. A lot of human talent is actually being wasted on such clever and nefarious activities.

Some say using passwordless sign-in, password expiration rules, and deactivating unused accounts can also help mitigate this attack/risk, but I doubt this is going to work that easily.

This is because the hacker group also uses the "Windows Management Instrumentation Command-line" and the ping command to discover other systems on the network, apart from the command-line tool Ntdsutil.exe, and also PowerShell.

MS and CISCO actually gave some code snippets as examples. One of these shows the commands used by Volt Typhoon when setting up and removing a port proxy on an infiltrated system.

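A detection-side illustration of the behaviours this post describes (netsh port proxy setup and removal, ping-based discovery, Ntdsutil.exe and WMIC use), as an added example that is not from the advisory, Microsoft, CISA or anyone in the thread. The log format, hostnames, addresses, commands and the sweep threshold are constructed assumptions, not observed indicators:

```python
import re
from collections import defaultdict

# Constructed process-creation records (not real telemetry). Hypothetical format: "<utc time>|<host>|<user>|<command line>"
SAMPLE_EVENTS = [
    "2023-05-24T10:01:02Z|ws01|CORP\\alice|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2023-05-24T10:03:44Z|ws01|CORP\\alice|netsh interface portproxy add v4tov4 listenport=9999 connectport=8443 connectaddress=10.0.0.5",
    "2023-05-24T10:04:01Z|ws01|CORP\\alice|ping -n 1 10.0.0.11",
    "2023-05-24T10:04:02Z|ws01|CORP\\alice|ping -n 1 10.0.0.12",
    "2023-05-24T10:04:03Z|ws01|CORP\\alice|ping -n 1 10.0.0.13",
    "2023-05-24T10:04:04Z|ws01|CORP\\alice|ping -n 1 10.0.0.14",
    "2023-05-24T10:04:05Z|ws01|CORP\\alice|ping -n 1 10.0.0.15",
    "2023-05-24T10:06:30Z|dc01|CORP\\svc_backup|ntdsutil.exe",
    "2023-05-24T10:09:12Z|ws01|CORP\\alice|netsh interface portproxy delete v4tov4 listenport=9999",
    "2023-05-24T11:00:00Z|ws02|CORP\\bob|netsh interface portproxy add v4tov4 listenport=8080 connectport=443 connectaddress=10.0.0.9",
]

# Per-line rules keyed on the living-off-the-land binaries named in the thread; matched case-insensitively.
LINE_RULES = {
    "netsh_portproxy": re.compile(r"\bnetsh(?:\.exe)?\b.*\bportproxy\b.*\b(?:add|set|delete|reset)\b", re.I),
    "ntdsutil": re.compile(r"\bntdsutil(?:\.exe)?\b", re.I),
    "wmic_remote": re.compile(r"\bwmic(?:\.exe)?\b.*/node:", re.I),
}
PING_RE = re.compile(r"\bping(?:\.exe)?\b.*?(\d{1,3}(?:\.\d{1,3}){3})", re.I)
PORTPROXY_RE = re.compile(r"\bportproxy\b.*\b(add|delete)\b.*listenport=(\d+)", re.I)

def parse_event(line):
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}

def detect(lines, sweep_threshold=5):
    """Return (rule, host, detail) findings; stateful rules run after the single pass."""
    findings, ping_targets, active_proxies = [], defaultdict(set), defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for name, rx in LINE_RULES.items():
            if rx.search(ev["cmd"]):
                findings.append((name, ev["host"], ev["cmd"]))
        if m := PING_RE.search(ev["cmd"]):
            ping_targets[ev["host"]].add(m.group(1))
        if m := PORTPROXY_RE.search(ev["cmd"]):   # track add/delete pairs per host
            ports = active_proxies[ev["host"]]
            ports.add(m.group(2)) if m.group(1).lower() == "add" else ports.discard(m.group(2))
    for host, targets in ping_targets.items():
        if len(targets) >= sweep_threshold:   # many distinct ICMP targets from one host
            findings.append(("ping_sweep", host, f"{len(targets)} distinct targets"))
    for host, ports in active_proxies.items():
        for port in sorted(ports):             # an add with no matching delete still listens
            findings.append(("portproxy_still_active", host, f"listenport={port}"))
    return findings
```

A real deployment would read command lines from Security 4688 or Sysmon event 1 instead of the constructed list, and since the thread notes the actor wipes local logs, the events should be forwarded off-host before a rule like this runs.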
More proxies were found last week, and many have been unsuccessful in stopping this group yet, at least for now. More compromised SOHO network edge devices.
 
This will keep on going as long as the internet is alive, hehe!