-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathPRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure
1456 lines (1399 loc) · 127 KB
/
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
JOINT CYBERSECURITY ADVISORIY ID: AA24-038a, FEBURARY 7, 2024
This document is marked TLP:CLEAR. Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol, see cisa.gov/tlp.
SUMMARY
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.
CISA, NSA, FBI and the following partners are releasing this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus):
• U.S. Department of Energy (DOE)
• U.S. Environmental Protection Agency (EPA)
• U.S. Transportation Security Administration (TSA)
• Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment (CSE)
• United Kingdom National Cyber Security Centre (NCSC-UK)
• New Zealand National Cyber Security Centre (NCSC-NZ)
The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. CCCS assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration. ASD’s ACSC and NCSC-NZ assess Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors.
As the authoring agencies have previously highlighted, the use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years. Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.
The authoring agencies urge critical infrastructure organizations to apply the mitigations in this advisory and to hunt for similar malicious activity using the guidance herein provided, along with the recommendations found in joint guide Identifying and Mitigating Living Off the Land Techniques. These mitigations are primarily intended for IT and OT administrators in critical infrastructure organizations. Following the mitigations for prevention of or in response to an incident will help disrupt Volt Typhoon’s accesses and reduce the threat to critical infrastructure entities.
If activity is identified, the authoring agencies strongly recommend that critical infrastructure organizations apply the incident response recommendations in this advisory and report the incident to the relevant agency (see Contact Information section).
For additional information, see joint advisory People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection and U.S. Department of Justice (DOJ) press release U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure. For more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and Advisories webpage.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See Appendix C: MITRE ATT&CK Tactics and Techniques section for tables of the Volt Typhoon cyber threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Overview of Activity
In May 2023, the authoring agencies—working with industry partners—disclosed information about activity attributed to Volt Typhoon (see joint advisory People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection). Since then, CISA, NSA, and FBI have determined that this activity is part of a broader campaign in which Volt Typhoon actors have successfully infiltrated the networks of critical infrastructure organizations in the continental and non-continental United States and its territories, including Guam.
The U.S. authoring agencies have primarily observed compromises linked to Volt Typhoon in Communications, Energy, Transportation Systems, and Water and Wastewater Systems sector organizations’ IT networks. Some victims are smaller organizations with limited cybersecurity capabilities that provide critical services to larger organizations or key geographic locations.
Volt Typhoon actors tailor their TTPs to the victim environment; however, the U.S. authoring agencies have observed the actors typically following the same pattern of behavior across identified intrusions. Their choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable the disruption of OT functions across multiple critical infrastructure sectors (see Figure 1).
1. Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization’s network architecture and operational protocols. This reconnaissance includes identifying network topologies, security measures, typical user behaviors, and key network and IT staff. The intelligence gathered by Volt Typhoon actors is likely leveraged to enhance their operational security. For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities.
2. Volt Typhoon typically gains initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network appliances (e.g., routers, virtual private networks [VPNs], and firewalls) and then connects to the victim’s network via VPN for follow-on activities.
3. Volt Typhoon aims to obtain administrator credentials within the network, often by exploiting privilege escalation vulnerabilities in the operating system or network services. In some cases, Volt Typhoon has obtained credentials insecurely stored on a public-facing network appliance.
4. Volt Typhoon uses valid administrator credentials to move laterally to the domain controller (DC) and other devices via remote access services such as Remote Desktop Protocol (RDP).
5. Volt Typhoon conducts discovery in the victim’s network, leveraging LOTL binaries for stealth. A key tactic includes using PowerShell to perform targeted queries on Windows event logs, focusing on specific users and periods. These queries facilitate the discreet extraction of security event logs into .dat files, allowing Volt Typhoon actors to gather critical information while minimizing detection. This strategy, blending in-depth pre-compromise reconnaissance with meticulous post-exploitation intelligence collection, underscores their sophisticated and strategic approach to cyber operations.
6. Volt Typhoon achieves full domain compromise by extracting the Active Directory database (NTDS.dit) from the DC. Volt Typhoon frequently employs the Volume Shadow Copy Service (VSS) using command-line utilities such as vssadmin to access NTDS.dit. The NTDS.dit file is a centralized repository that contains critical Active Directory data, including user accounts, passwords (in hashed form), and other sensitive data, which can be leveraged for further exploitation. This method entails the creation of a shadow copy—a point-in-time snapshot—of the volume hosting the NTDS.dit file. By leveraging this snapshot, Volt Typhoon actors effectively bypass the file locking mechanisms inherent in a live Windows environment, which typically prevent direct access to the NTDS.dit file while the domain controller is operational.
7. Volt Typhoon likely uses offline password cracking techniques to decipher these hashes. This process involves extracting the hashes from the NTDS.dit file and then applying various password cracking methods, such as brute force attacks, dictionary attacks, or more sophisticated techniques like rainbow tables to uncover the plaintext passwords. The successful decryption of these passwords allows Volt Typhoon actors to obtain elevated access and further infiltrate and manipulate the network.
8. Volt Typhoon uses elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets. Volt Typhoon actors have been observed testing access to domain-joint OT assets using default OT vendor credentials, and in certain instances, they have possessed the capability to access OT systems whose credentials were compromised via NTDS.dit theft. This access enables potential disruptions, such as manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures (in some cases, Volt Typhoon actors had the capability to access camera surveillance systems at critical infrastructure facilities). In one confirmed compromise, Volt Typhoon actors moved laterally to a control system and were positioned to move to a second control system.
After successfully gaining access to legitimate accounts, Volt Typhoon actors exhibit minimal activity within the compromised environment (except discovery as noted above), suggesting their objective is to maintain persistence rather than immediate exploitation. This assessment is supported by observed patterns where Volt Typhoon methodically re-targets the same organizations over extended periods, often spanning several years, to continuously validate and potentially enhance their unauthorized accesses. Evidence of their meticulous approach is seen in instances where they repeatedly exfiltrate domain credentials, ensuring access to current and valid accounts. For example, in one compromise, Volt Typhoon likely extracted NTDS.dit from three domain controllers in a four-year period. In another compromise, Volt Typhoon actors extracted NTDS.dit two times from a victim in a nine-month period.
Industry reporting—identifying that Volt Typhoon actors are silent on the network following credential dumping and perform discovery to learn about the environment, but do not exfiltrate data—is consistent with the U.S. authoring agencies’ observations. This indicates their aim is to achieve and maintain persistence on the network. In one confirmed compromise, an industry partner observed Volt Typhoon actors dumping credentials at regular intervals.
In addition to leveraging stolen account credentials, the actors use LOTL techniques and avoid leaving malware artifacts on systems that would cause alerts. Their strong focus on stealth and operational security allows them to maintain long-term, undiscovered persistence. Further, Volt Typhoon’s operational security is enhanced by targeted log deletion to conceal their actions within the compromised environment.
See the below sections for Volt Typhoon TTPs observed by the U.S. authoring agencies from multiple confirmed Volt Typhoon compromises.
Observed TTPs
Reconnaissance
Volt Typhoon actors conduct extensive pre-compromise reconnaissance [TA0043] to learn about the target organization [T1591], its network [T1590], and its staff [T1589]. This includes web searches [T1593]—including victim-owned sites [T1594]—for victim host [T1592], identity, and network information, especially for information on key network and IT administrators. According to industry reporting, Volt Typhoon actors use FOFA[1], Shodan, and Censys for querying or searching for exposed infrastructure. In some instances, the U.S. authoring agencies have observed Volt Typhoon actors targeting the personal emails of key network and IT staff [T1589.002] post compromise.
Resource Development
Historically, Volt Typhoon actors use multi-hop proxies for command and control (C2) infrastructure [T1090.003]. The proxy is typically composed of virtual private servers (VPSs) [T1583.003] or small office/home office (SOHO) routers. Recently, Volt Typhoon actors used Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support their operations [T1584.005]. (See DOJ press release U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure for more information).
Initial Access
To obtain initial access [TA0001], Volt Typhoon actors commonly exploit vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco [T1190]. They often use publicly available exploit code for known vulnerabilities [T1588.005] but are also adept at discovering and exploiting zero-day vulnerabilities [T1587.004].
• In one confirmed compromise, Volt Typhoon actors likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched. There is evidence of a buffer overflow attack identified within the Secure Sockets Layer (SSL)-VPN crash logs.
Once initial access is achieved, Volt Typhoon actors typically shift to establishing persistent access [TA0003]. They often use VPN sessions to securely connect to victim environments [T1133], enabling discreet follow-on intrusion activities. This tactic not only provides a stable foothold in the network but also allows them to blend in with regular traffic, significantly reducing their chances of detection.
Execution
Volt Typhoon actors rarely use malware for post-compromise execution. Instead, once Volt Typhoon actors gain access to target environments, they use hands-on-keyboard activity via the command-line [T1059] and other native tools and processes on systems [T1218] (often referred to as “LOLBins”), known as LOTL, to maintain and expand access to the victim networks. According to industry reporting, some “commands appear to be exploratory or experimental, as the operators [i.e., malicious actors] adjust and repeat them multiple times.”[2]
For more details on LOTL activity, see the Credential Access and Discovery sections and Appendix A: Volt Typhoon LOTL Activity.
Similar to LOTL, Volt Typhoon actors also use legitimate but outdated versions of network admin tools. For example, in one confirmed compromise, actors downloaded [T1105] an outdated version of comsvcs.dll on the DC in a non-standard folder. comsvcs.dll is a legitimate Microsoft Dynamic Link Library (DLL) file normally found in the System32 folder. The actors used this DLL with MiniDump and the process ID of the Local Security Authority Subsystem Service (LSASS) to dump the LSASS process memory [T1003.001] and obtain credentials (LSASS process memory space contains hashes for the current user’s operating system (OS) credentials).
The actors also use legitimate non-native network admin and forensic tools. For example, Volt Typhoon actors have been observed using Magnet RAM Capture (MRC) version 1.20 on domain controllers. MRC is a free imaging tool that captures the physical memory of a computer, and Volt Typhoon actors likely used it to analyze in-memory data for sensitive information (such as credentials) and in-transit data not typically accessible on disk. Volt Typhoon actors have also been observed implanting Fast Reverse Proxy (FRP) for command and control.[3] (See the Command and Control section).
Persistence
Volt Typhoon primarily relies on valid credentials for persistence [T1078].
Defense Evasion
Volt Typhoon has strong operational security. Their actors primarily use LOTL for defense evasion [TA0005], which allows them to camouflage their malicious activity with typical system and network behavior, potentially circumventing simplistic endpoint security capabilities. For more information, see joint guide Identifying and Mitigating Living off the Land Techniques.
Volt Typhoon actors also obfuscate their malware. In one confirmed compromise, Volt Typhoon obfuscated FRP client files (BrightmetricAgent.exe and SMSvcService.exe) and the command-line port scanning utility ScanLine by packing the files with Ultimate Packer for Executables (UPX) [T1027.002]. FRP client applications support encryption, compression, and easy token authentication and work across multiple protocols—including transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), and hypertext transfer protocol secure (HTTPS). The FRP client applications use the Kuai connection protocol (KCP) for error-checked and anonymous data stream delivery over UDP, with packet-level encryption support. See Appendix C and CISA Malware Analysis Report (MAR)-10448362-1.v1 for more information.
In addition to LOTL and obfuscation techniques, Volt Typhoon actors have been observed selectively clearing Windows Event Logs [T1070.001], system logs, and other technical artifacts to remove evidence [T1070.009] of their intrusion activity and masquerading file names [T1036.005].
Credential Access
Volt Typhoon actors first obtain credentials from public-facing appliances after gaining initial access by exploiting privilege escalation vulnerabilities [T1068] in the operating system or network services.
In some cases, they have obtained credentials insecurely stored on the appliance [
T1552]. In one instance, where Volt Typhoon likely exploited CVE-2022-42475 in an unpatched Fortinet device, Volt Typhoon actors compromised a domain admin account stored inappropriately on the device.
Volt Typhoon also consistently obtains valid credentials by extracting the Active Directory database file (NTDS.dit)—in some cases multiple times from the same victim over long periods [T1003.003]. NTDS.dit contains usernames, hashed passwords, and group memberships for all domain accounts, essentially allowing for full domain compromise if the hashes can be cracked offline.
To obtain NTDS.dit, the U.S. authoring agencies have observed Volt Typhoon:
1. Move laterally [TA0008] to the domain controller via an interactive RDP session using a compromised account with domain administrator privileges [T1021.001];
2. Execute the Windows-native vssadmin [T1006] command to create a volume shadow copy;
3. Use Windows Management Instrumentation Console (WMIC) commands [T1047] to execute ntdsutil (a LOTL utility) to copy NTDS.dit and SYSTEM registry hive from the volume shadow copy; and
4. Exfiltrate [TA0010] NTDS.dit and SYSTEM registry hive to crack passwords offline) [T1110.002]. (For more details, including specific commands used, see Appendix A: Volt Typhoon LOTL Activity.) Note: A volume shadow copy contains a copy of all the files and folders that exist on the specified volume. Each volume shadow copy created on a DC includes its NTDS.dit and the SYSTEM registry hive, which provides keys to decrypt the NTDS.dit file.
Volt Typhoon actors have also been observed interacting with a PuTTY application by enumerating existing stored sessions [T1012]. Given this interaction and the exposure of cleartext-stored proxy passwords used in remote administration, Volt Typhoon actors potentially had access to PuTTY profiles that allow access to critical systems (see the Lateral Movement section).
According to industry reporting, Volt Typhoon actors attempted to dump credentials through LSASS (see Appendix B for commands used).[2]
The U.S. authoring agencies have observed Volt Typhoon actors leveraging Mimikatz to harvest credentials, and industry partners have observed Volt Typhoon leveraging Impacket.[2]
• Mimikatz is a credential dumping tool and Volt Typhoon actors use it to obtain credentials. In one confirmed compromise, the Volt Typhoon used RDP to connect to a server and run Mimikatz after leveraging a compromised administrator account to deploy it.
• Impacket is an open source Python toolkit for programmatically constructing and manipulating network protocols. It contains tools for Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks—as well as remote service execution.
Discovery
Volt Typhoon actors have been observed using commercial tools, LOTL utilities, and appliances already present on the system for system information [T1082], network service [T1046], group [T1069] and user [T1033] discovery.
Volt Typhoon uses at least the following LOTL tools and commands for system information, network service, group, and user discovery techniques:
• cmd
• certutil
• dnscmd
• ldifde
• makecab
• net user/group/use
• netsh
• nltest
• netstat
• ntdsutil
• ping
• PowerShell
• quser
• reg query/reg save
• systeminfo
• tasklist
• wevtutil
• whoami
• wmic
• xcopy
Some observed specific examples of discovery include:
• Capturing successful logon events [T1654].
o Specifically, in one incident, analysis of the PowerShell console history of a domain controller indicated that security event logs were directed to a file named user.dat, as evidenced by the executed command Get-EventLog security -instanceid 4624 -after [year-month-date] | fl * | Out-File 'C:\users\public\documents\user.dat'. This indicates the group's specific interest in capturing successful logon events (event ID 4624) to analyze user authentication patterns within the network. Additionally, file system analysis, specifically of the Master File Table (MFT), uncovered evidence of a separate file, systeminfo.dat, which was created in C:\Users\Public\Documents but subsequently deleted [T1070.004]. The presence of these activities suggests a methodical approach by Volt Typhoon actors in collecting and then possibly removing traces of sensitive log information from the compromised system.
• Executing tasklist /v to gather a detailed process listing [T1057], followed by executing taskkill /f /im rdpservice.exe (the function of this executable is not known).
• Executing net user and quser for user account information [T1087.001].
• Creating and accessing a file named rult3uil.log on a domain controller in C:\Windows\System32\. The rult3uil.log file contained user activities on a compromised system, showcasing a combination of window title information [T1010] and focus shifts, keypresses, and command executions across Google Chrome and Windows PowerShell, with corresponding timestamps.
• Employing ping with various IP addresses to check network connectivity [T1016.001] and net start to list running services [T1007].
See Appendix A for additional LOTL examples.
In one confirmed compromise, Volt Typhoon actors attempted to use Advanced IP Scanner, which was on the network for admin use, to scan the network.
Volt Typhoon actors have been observed strategically targeting network administrator web browser data—focusing on both browsing history and stored credentials [T1555.003]—to facilitate targeting of personal email addresses (see the Reconnaissance section) for further discovery and possible network modifications that may impact the threat actor’s persistence within victim networks.
In one confirmed compromise:
• Volt Typhoon actors obtained the history file from the User Data directory of a network administrator user’s Chrome browser. To obtain the history file, Volt Typhoon actors first executed an RDP session to the user’s workstation where they initially attempted, and failed, to obtain the C$ File Name: users\{redacted}\appdata\local\Google\Chrome\UserData\default\History file, as evidenced by the accompanying 1016 (reopen failed) SMB error listed in the application event log. The threat actors then disconnected the RDP session to the workstation and accessed the file C:\Users\{redacted}\Downloads\History.zip. This file presumably contained data from the User Data directory of the user’s Chrome browser, which the actors likely saved in the Downloads directory for exfiltration [T1074]. Shortly after accessing the history.zip file, the actors terminated RDP sessions.
• About four months later, Volt Typhoon actors accessed the same user’s Chrome data C$ File Name: Users\{redacted}\AppData\Local\Google\Chrome\User Data\Local State and $ File Name: Users\{redacted}\AppData\Local\Google\Chrome\User Data\Default\Login Data via SMB. The Local State file contains the Advanced Encryption Standard (AES) encryption key [T1552.004] used to encrypt the passwords stored in the Chrome browser, which would enable the actors to obtain plaintext passwords stored in the Login Data file in the Chrome browser.
In another confirmed compromise, Volt Typhoon actors accessed directories containing Chrome and Edge user data on multiple systems. Directory interaction was observed over the network to paths such as C:\Users\{redacted}\AppData\Local\Google\Chrome\User Data\ and C:\Users\{redacted}\AppData\Local\Microsoft\Edge\User Data\. They also enumerated several directories, including directories containing vulnerability testing and cyber related content and facilities data, such as construction drawings [T1083].
Lateral Movement
For lateral movement, Volt Typhoon actors have been observed predominantly employing RDP with compromised valid administrator credentials. Note: With a full on-premises Microsoft Active Directory identity compromise (see the Credential Access section), the group may be capable of using other methods such as Pass the Hash or Pass the Ticket for lateral movement [T1550].
In one confirmed compromise of a Water and Wastewater Systems Sector entity, after obtaining initial access, Volt Typhoon actors connected to the network via a VPN with administrator credentials they obtained and opened an RDP session with the same credentials to move laterally. Over a nine-month period, they moved laterally to a file server, a domain controller, an Oracle Management Server (OMS), and a VMware vCenter server. The actors obtained domain credentials from the domain controller and performed discovery, collection, and exfiltration on the file server (see the Discovery and Collection and Exfiltration sections).
Volt Typhoon’s movement to the vCenter server was likely strategic for pre-positioning to OT assets. The vCenter server was adjacent to OT assets, and Volt Typhoon actors were observed interacting with the PuTTY application on the server by enumerating existing stored sessions. With this information, Volt Typhoon potentially had access to a range of critical PuTTY profiles, including those for water treatment plants, water wells, an electrical substation, OT systems, and network security devices. This would enable them to access these critical systems [
T1563].
Additionally, Volt Typhoon actors have been observed using PSExec to execute remote processes, including the automated acceptance of the end-user license agreement (EULA) through an administrative account, signified by the accepteula command flag.
Volt Typhoon actors may have attempted to move laterally to a cloud environment in one victim’s network but direct attribution to the Volt Typhoon group was inconclusive. During the period of the their known network presence, there were anomalous login attempts to an Azure tenant [T1021.007] potentially using credentials [T1078.004] previously compromised from theft of NTDS.dit. These attempts, coupled with misconfigured virtual machines with open RDP ports, suggested a potential for cloud-based lateral movement. However, subsequent investigations, including password changes and multifactor authentication (MFA) implementations, revealed authentication failures from non-associated IP addresses, with no definitive link to Volt Typhoon.
Collection and Exfiltration
The U.S. authoring agencies assess Volt Typhoon primarily collects information that would facilitate follow-on actions with physical impacts. For example, in one confirmed compromise, they collected [TA0009] sensitive information obtained from a file server in multiple zipped files [T1560] and likely exfiltrated [TA0010] the files via Server Message Block (SMB) [T1048] (see Figure 3). Collected information included diagrams and documentation related to OT equipment, including supervisory control and data acquisition (SCADA) systems, relays, and switchgear. This data is crucial for understanding and potentially impacting critical infrastructure systems, indicating a focus on gathering intelligence that could be leveraged in actions targeting physical assets and systems.
In another compromise, Volt Typhoon actors leveraged WMIC to create and use temporary directories (C:\Users\Public\pro, C:\Windows\Temp\tmp, C:\Windows\Temp\tmp\Active Directory and C:\Windows\Temp\tmp\registry) to stage the extracted ntds.dit and SYSTEM registry hives from ntdsutil execution volume shadow copies (see the Credential Access section) obtained from two DCs. They then compressed and archived the extracted ntds.dit and accompanying registry files by executing ronf.exe, which was likely a renamed version of the archive utility rar.exe) [T1560.001].
Command and Control
Volt Typhoon actors have been observed leveraging compromised SOHO routers and virtual private servers (VPS) to proxy C2 traffic. For more information, see DOJ press release U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure).
They have also been observed setting up FRP clients [T1090] on a victim’s corporate infrastructure to establish covert communications channels [T1573] for command and control. In one instance, Volt Typhoon actors implanted the FRP client with filename SMSvcService.exe on a Shortel Enterprise Contact Center (ECC) server and a second FRP client with filename Brightmetricagent.exe on another server. These clients, when executed via PowerShell [T1059.001], open reverse proxies between the compromised system and Volt Typhoon C2 servers. Brightmetricagent.exe has additional capabilities. The FRP client can locate servers behind a network firewall or obscured through Network Address Translation (NAT) [
T1016]. It also contains multiplexer libraries that can bi-directionally stream data over NAT networks and contains a command-line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management Instrumentation (WMI), and Z Shell (zsh) [T1059.004]. See Appendix C and MAR-10448362-1.v1 for more information.
In the same compromise, Volt Typhoon actors exploited a Paessler Router Traffic Grapher (PRTG) server as an intermediary for their FRP operations. To facilitate this, they used the netsh command, a legitimate Windows command, to create a PortProxy registry modification [T1112] on the PRTG server [T1090.001]. This key alteration redirected specific port traffic to Volt Typhoon’s proxy infrastructure, effectively converting the PRTG’s server into a proxy for their C2 traffic [T1584.004] (see Appendix B for details).
DETECTION/HUNT RECOMMENDATIONS
Apply Living off the Land Detection Best Practices
Apply the prioritized detection and hardening best practice recommendations provided in joint guide Identifying and Mitigating Living off the Land Techniques. Many organizations lack security and network management best practices (such as established baselines) that support detection of malicious LOTL activity—this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and conduct behavior analytics, anomaly detection, and proactive hunting. Conventional IOCs associated with the malicious activity are generally lacking, complicating network defenders’ efforts to identify, track, and categorize this sort of malicious behavior. This advisory provides guidance for a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.
Review Application, Security, and System Event Logs
Routinely review application, security, and system event logs, focusing on Windows Extensible Storage Engine Technology (ESENT) Application Logs. Due to Volt Typhoon’s ability for long-term undetected persistence, network defenders should assume significant dwell time and review specific application event log IDs, which remain on endpoints for longer periods compared to security event logs and other ephemeral artifacts. Focus on Windows ESENT logs because certain ESENT Application Log event IDs (216, 325, 326, and 327) may indicate actors copying NTDS.dit.
See Table 1 for examples of ESENT and other key log indicators that should be investigated. Please note that incidents may not always have exact matches listed in the Event Detail column due to variations in event logging and TTPs.
Table 1: Key Log Indicators for Detecting Volt Typhoon Activity
------------------------------------------------------------------
Evenet ID (Log) | Event Detail | Description
216 (Windows ESENT Application Log) | A database location change was detected from 'C:\Windows\NTDS\ntds.dit' to '\\?\GLOBALROOT\Device\{redacted}VolumeShadowCopy1\Windows\NTDS\ntds.dit' | A change in the NTDS.dit database location is detected. This could suggest an initial step in NTDS credential dumping where the database is being prepared for extraction.
325 (Windows ESENT Application Log) | The database engine created a new database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit). | Indicates creation of a new NTDS.dit file in a non-standard directory. Often a sign of data staging for exfiltration. Monitor for unusual database operations in temp directories.
637 (Windows ESENT Application Log) | C:\Windows\Temp\tmp\Active Directory\ntds.jfm-++- (0) New flush map file “C:\Windows\Temp\tmp\Active Directory\ntds.jfm” will be created to enable persisted lost flush detection.| A new flush map file is being created for NTDS.dit. This may suggest ongoing operations related to NTDS credential dumping, potentially capturing uncommitted changes to the NTDS.dit file.
326 (Windows ESENT Application Log) | NTDS-++-12460,D,100-++--++-1-++-
C:\$SNAP_{redacted}_VOLUMEC$\Windows\NTDS\ntds.dit-++-0-++- [1] The database engine attached a database. Began mounting of C:\Windows\NTDS\ntds.dit file created from volume shadow copy process | Represents the mounting of an NTDS.dit file from a volume shadow copy. This is a critical step in NTDS credential dumping, indicating active manipulation of a domain controller’s data.
327 (Windows ESENT Application Log) | C:\Windows\Temp\tmp\Active Directory\ntds.dit-++-1-++- [1] The database engine detached a database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit). Completion of mounting of ntds.dit file to C:\Windows\Temp\tmp\Active Director | The detachment of a database, particularly in a temp directory, could indicate the completion of a credential dumping process, potentially as part of exfiltration preparations.
21 (Windows Terminal Services Local Session Manager Operational Log) | Remote Desktop Services: Session logon succeeded: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted} | Successful authentication to a Remote Desktop Services session.
22 (Windows Terminal Services Local Session Manager Operational Log) | Remote Desktop Services: Shell start notification received: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted} | Successful start of a new Remote Desktop session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.
23 (Windows Terminal Services Local Session Manager Operational Log) | Remote Desktop Services: Session logoff succeeded: User: {redacted}\{redacted} Session ID: {redacted} | Successful logoff of Remote Desktop session.
24 (Windows Terminal Services Local Session Manager Operational Log) | Remote Desktop Services: Session has been disconnected: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted} | Remote Desktop session disconnected by user or due to network connectivity issues.
25 (Windows Terminal Services Local Session Manager Operational Log) | Remote Desktop Services: Session reconnection succeeded: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted} | Successful reconnection to a Remote Desktop Services session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.
1017 (Windows System Log) | Handle scavenged.
Share Name: C$
File Name:
users\{redacted}\downloads\History.zip Durable: 1 Resilient or Persistent: 0 Guidance: The server closed a handle that was previously reserved for a client after 60 seconds. | Indicates the server closed a handle for a client. While common in network operations, unusual patterns or locations (like History.zip in a user’s downloads) may suggest data collection from a local system.
1102 (Windows Security Log) | All | All Event ID 1102 entries should be investigated as logs are generally not cleared and this is a known Volt Typhoon tactic to cover their tracks.
------------------------------------------------------------------
Monitor and Review OT System Logs
• Review access logs for communication paths between IT and OT networks, looking for anomalous accesses or protocols.
• Measure the baseline of normal operations and network traffic for the industrial control system (ICS) and assess traffic anomalies for malicious activity.
• Configure intrusion detection systems (IDS) to create alarms for any ICS network traffic outside normal operations.
• Track and monitor audit trails on critical areas of ICS.
• Set up security incident and event monitoring (SIEM) to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
Review CISA’s Recommended Cybersecurity Practices for Industrial Control Systems and the joint advisory, NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems, for further OT system detection and mitigation guidance.
Use gait to Detect Possible Network Proxy Activities
Use gait[4] to detect network proxy activities. Developed by Sandia National Labs, gait is a publicly available Zeek[5] extension. The gait extension can help enrich Zeek’s network connection monitoring and SSL logs by including additional metadata in the logs. Specifically, gait captures unique TCP options and timing data such as a TCP, transport layer security (TLS), and Secure Shell (SSH) layer inferred round trip times (RTT), aiding in the identification of the software used by both endpoints and intermediaries.
While the gait extension for Zeek is an effective tool for enriching network monitoring logs with detailed metadata, it is not specifically designed to detect Volt Typhoon actor activities. The extension’s capabilities extend to general anomaly detection in network traffic, including—but not limited to—proxying activities. Therefore, while gait can be helpful in identifying tactics similar to those used by Volt Typhoon, such as proxy networks and FRP clients for C2 communication, not all proxying activities detected by using this additional metadata are necessarily indicative of Volt Typhoon presence. It serves as a valuable augmentation to current security stacks for a broader spectrum of threat detection.
For more information, see Sandia National Lab’s gait GitHub page sandialabs/gait: Zeek Extension to Collect Metadata for Profiling of Endpoints and Proxies.
Review Logins for Impossible Travel
Examine VPN or other account logon times, frequency, duration, and locations. Logons from two geographically distant locations within a short timeframe from a single user may indicate an account is being used maliciously. Logons of unusual frequency or duration may indicate a threat actor attempting to access a system repeatedly or maintain prolonged sessions for the purpose of data extraction.
Review Standard Directories for Unusual Files
Review directories, such as C:\windows\temp\ and C:\users\public\, for unexpected or unusual files. Monitor these temporary file storage directories for files typically located in standard system paths, such as the System32 directory. For example, Volt Typhoon has been observed downloading comsvcs.dll to a non-standard folder (this file is normally found in the System32 folder).
INCIDENT RESPONSE
If compromise, or potential compromise, is detected, organizations should assume full domain compromise because of Volt Typhoon’s known behavioral pattern of extracting the NTDS.dit from the DCs. Organizations should immediately implement the following immediate, defensive countermeasures:
1. Sever the enterprise network from the internet. Note: this step requires the agency to understand its internal and external connections. When making the decision to sever internet access, knowledge of connections must be combined with care to avoid disrupting critical functions.
a. If you cannot sever from the internet, shutdown all non-essential traffic between the affected enterprise network and the internet.
2. Reset credentials of privileged and non-privileged accounts within the trust boundary of each compromised account.
a. Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and kbrtgt. The kbrtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The kbrtgt account should be reset twice because the account has a two-password history. The first account reset for the kbrtgt needs to be allowed to replicate prior to the second reset to avoid any issues. See CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to FCEB agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps are applicable to organizations with Windows AD compromise.
i) Review access policies to temporarily revoke privileges/access for affected accounts/devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them.
b. Reset the relevant account credentials or access keys if the investigation finds the threat actor’s access is limited to non-elevated permissions.
i) Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.
2. Audit all network appliance and edge device configurations with indicators of malicious activity for signs of unauthorized or malicious configuration changes. Organizations should ensure they audit the current network device running configuration and any local configurations that could be loaded at boot time. If configuration changes are identified:
a. Change all credentials being used to manage network devices, to include keys and strings used to secure network device functions (SNMP strings/user credentials, IPsec/IKE preshared keys, routing secrets, TACACS/RADIUS secrets, RSA keys/certificates, etc.).
b. Update all firmware and software to the latest version.
3. Report the compromise to an authoring agency (see the Contact Information section).
4. For organizations with cloud or hybrid environments, apply best practices for identity and credential access management.
a. Verify that all accounts with privileged role assignments are cloud native, not synced from Active Directory.
b. Audit conditional access policies to ensure Global Administrators and other highly privileged service principals and accounts are not exempted.
c. Audit privileged role assignments to ensure adherence to the principle of least privilege when assigning privileged roles.
d. Leverage just-in-time and just-enough access mechanisms when administrators need to elevate to a privileged role.
e. In hybrid environments, ensure federated systems (such as AD FS) are configured and monitored properly.
f. Audit Enterprise Applications for recently added applications and examine the API permissions assigned to each.
5. Reconnect to the internet. Note: The decision to reconnect to the internet depends on senior leadership’s confidence in the actions taken. It is possible—depending on the environment—that new information discovered during pre-eviction and eviction steps could add additional eviction tasks.
6. Minimize and control use of remote access tools and protocols by applying best practices from joint Guide to Securing Remote Access Software and joint Cybersecurity Information Sheet: Keeping PowerShell: Security Measures to Use and Embrace.
7. Consider sharing technical information with an authoring agency and/or a sector-specific information sharing and analysis center.
For more information on incident response and remediation, see:
• Joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity. This advisory provides incident response best practices.
• CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to U.S. Federal Civilian Executive Branch (FCEB) agencies, the playbooks are applicable to all organizations. The incident response playbook provides procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents.
• Joint Water and Wastewater Sector - Incident Response Guide. This joint guide provides incident response best practices and information on federal resources for Water and Wastewater Systems Sector organizations.
MITIGATIONS
The authoring agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of Volt Typhoon activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
IT Network Administrators and Defenders
Harden the Attack Surface
• Apply patches for internet-facing systems within a risk-informed span of time [CPG 1E]. Prioritize patching critical assets, known exploited vulnerabilities, and vulnerabilities in appliances known to be frequently exploited by Volt Typhoon (e.g., Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices).
• Apply vendor-provided or industry standard hardening guidance to strengthen software and system configurations. Note: As part of CISA’s Secure by Design campaign, CISA urges software manufacturers to prioritize secure by default configurations to eliminate the need for customer implementation of hardening guidelines.
• Maintain and regularly update an inventory of all organizational IT assets [CPG 1A].
• Use third party assessments to validate current system and network security compliance via security architecture reviews, penetration tests, bug bounties, attack surface management services, incident simulations, or table-top exercises (both announced and unannounced) [CPG 1F].
• Limit internet exposure of systems when not necessary. An organization’s primary attack surface is the combination of the exposure of all its internet-facing systems. Decrease the attack surface by not exposing systems or management interfaces to the internet when not necessary.
Secure Credentials
• Do not store credentials on edge appliances/devices. Ensure edge devices do not contain accounts that could provide domain admin access.
• Do not store plaintext credentials on any system [CPG 2L]. Credentials should be stored securely—such as with a credential/password manager or vault, or other privileged account management solutions—so they can only be accessed by authenticated and authorized users.
• Change default passwords [CPG 2A] and ensure they meet the policy requirements for complexity.
• Implement and enforce an organizational system-enforced policy that:
o Requires passwords for all IT password-protected assets to be at least 15 characters;
o Does not allow users to reuse passwords for accounts, applications, services, etc., [CPG 2C]; and
o Does not allow service accounts/machine accounts to reuse passwords from member user accounts.
• Configure Group Policy settings to prevent web browsers from saving passwords and disable autofill functions.
• Disable the storage of clear text passwords in LSASS memory.
Secure Accounts
• Implement phishing-resistant MFA for access to assets [CPG 2H].
• Separate user and privileged accounts.
o User accounts should never have administrator or super-user privileges [CPG 2E].
o Administrators should never use administrator accounts for actions and activities not associated with the administrator role (e.g., checking email, web browsing).
• Enforce the principle of least privilege.
o Ensure administrator accounts only have the minimum permissions necessary to complete their tasks.
o Review account permissions for default/accounts for edge appliances/devices and remove domain administrator privileges, if identified.
o Significantly limit the number of users with elevated privileges. Implement continuous monitoring for changes in group membership, especially in privileged groups, to detect and respond to unauthorized modifications.
o Remove accounts from high-privilege groups like Enterprise Admins and Schema Admins. Temporarily reinstate these privileges only when necessary and under strict auditing to reduce the risk of privilege abuse.
o Transition to Group Managed Service Accounts (gMSAs) where suitable for enhanced management and security of service account credentials. gMSAs provide automated password management and simplified Service Principal Name (SPN) management, enhancing security over traditional service accounts. See Microsoft’s Group Managed Service Accounts Overview.
• Enforce strict policies via Group Policy and User Rights Assignments to limit high-privilege service accounts.
• Consider using a privileged access management (PAM) solution to manage access to privileged accounts and resources [CPG 2L]. PAM solutions can also log and alert usage to detect any unusual activity.
• Complement the PAM solution with role-based access control (RBAC) for tailored access based on job requirements. This ensures that elevated access is granted only when required and for a limited duration, minimizing the window of opportunity for abuse or exploitation of privileged credentials.
• Implement an Active Directory tiering model to segregate administrative accounts based on their access level and associated risk. This approach reduces the potential impact of a compromised account. See Microsoft’s PAM environment tier model.
• Harden administrative workstations to only permit administrative activities from workstations appropriately hardened based on the administrative tier. See Microsoft’s Why are privileged access devices important - Privileged access.
• Disable all user accounts and access to organizational resources of employees on the day of their departure [CPG 2G]
• Regularly audit all user, admin, and service accounts and remove or disable unused or unneeded accounts as applicable.
• Regularly roll NTLM hashes of accounts that support token-based authentication.
• Improve management of hybrid (cloud and on-premises) identity federation by:
o Using cloud only administrators that are asynchronous with on-premises environments and ensuring on-premises administrators are asynchronous to the cloud.
o Using CISA’s SCuBAGear tool to discover cloud misconfigurations in Microsoft cloud tenants. SCuBA gear is automation script for comparing Federal Civilian Executive Branch (FCEB) agency tenant configurations against CISA M365 baseline recommendations. SCuBAGear is part of CISA’s Secure Cloud Business Applications (SCuBA) project, which provides guidance for FCEB agencies, securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. For more information on SCuBAGear see CISA’s Secure Cloud Business Applications (SCuBA) Project.
o Using endpoint detection and response capabilities to actively defend on-premises federation servers.
Secure Remote Access Services
• Limit the use of RDP and other remote desktop services. If RDP is necessary, apply best practices, including auditing the network for systems using RDP, closing unused RDP ports, and logging RDP login attempts.
• Disable Server Message Block (SMB) protocol version 1 and upgrade to version 3 (SMBv3) after mitigating existing dependencies (on existing systems or applications), as they may break when disabled.
• Harden SMBv3 by implementing guidance included in joint #StopRansomware Guide (see page 8 of the guide).
• Apply mitigations from the joint Guide to Securing Remote Access Software.
Secure Sensitive Data
• Securely store sensitive data (including operational technology documentation, network diagrams, etc.), ensuring that only authenticated and authorized users can access the data.
Implement Network Segmentation
• Ensure that sensitive accounts use their administrator credentials only on hardened, secure computers. This practice can reduce lateral movement exposure within networks.
• Conduct comprehensive trust assessments to identify business-critical trusts and apply necessary controls to prevent unauthorized cross-forest/domain traversal.
• Harden federated authentication by enabling Secure Identifier (SID) Filtering and Selective Authentication on AD trust relationships to further restrict unauthorized access across domain boundaries.
• Implement network segmentation to isolate federation servers from other systems and limit allowed traffic to systems and protocols that require access in accordance with Zero Trust principles.
Secure Cloud Assets
• Harden cloud assets in accordance with vendor-provided or industry standard hardening guidance.
o Organizations with Microsoft cloud infrastructure, see CISA’s Microsoft 365 Security Configuration Baseline Guides, which provide minimum viable secure configuration baselines for Microsoft Defender for Office 365, Azure Active Directory (now known as Microsoft Entra ID), Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams. For additional guidance, see the Australian Signals Directorate’s Blueprint for Secure Cloud.
o Organizations with Google cloud infrastructure, see CISA’s Google Workspace Security Configuration Baseline Guides, which provide minimum viable secure configuration baselines for Groups for Business, GMAIL, Google Calendar, Google Chat, Google Common Controls, Google Classroom, Google Drive and Docs, Google Meet, and Google Sites.
• Revoke unnecessary public access to cloud environment. This involves reviewing and restricting public endpoints and ensuring that services like storage accounts, databases, and virtual machines are not publicly accessible unless absolutely necessary. Disable legacy authentication protocols across all cloud services and platforms. Legacy protocols frequently lack support for advanced security mechanisms such as multifactor authentication, rendering them susceptible to compromises. Instead, enforce the use of modern authentication protocols that support stronger security features like MFA, token-based authentication, and adaptive authentication measures. o Enforce this practice through the use of Conditional Access Policies. These policies can initially be run in report-only mode to identify potential impacts and plan mitigations before fully enforcing them. This approach allows organizations to systematically control access to their cloud resources, significantly reducing the risk of unauthorized access and potential compromise.
• Regularly monitor and audit privileged cloud-based accounts, including service accounts, which are frequently abused to enable broad cloud resource access and persistence.
Be Prepared
• Ensure logging is turned on for application, access, and security logs (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and VPNs) [CPG 2T]. Given Volt Typhoon’s use of LOTL techniques and their significant dwell time, application event logs may be a valuable resource to hunt for Volt Typhoon activity because these logs typically remain on endpoints for relatively long periods of time.
o For OT assets where logs are non-standard or not available, collect network traffic and communications between those assets and other assets.
o Implement file integrity monitoring (FIM) tools to detect unauthorized changes.
• Store logs in a central system, such as a security information and event management (SIEM) tool or central database.
o Ensure the logs can only be accessed or modified by authorized and authenticated users [CPG 2U].
o Store logs for a period informed by risk or pertinent regulatory guidelines. (CISA recommends storing logs for at least X years, given Volt Typhoon’s long dwell time.)
o Tune log alerting to reduce noise while ensuring there are alerts for high-risk activities. (For information on alert tuning, see joint guide Identifying and Mitigating Living Off the Land Techniques.)
• Establish and continuously maintain a baseline of installed tools and software, account behavior, and network traffic. This way, network defenders can identify potential outliers, which may indicate malicious activity. Note: For information on establishing a baseline, see joint guide Identifying and Mitigating Living off the Land Techniques.
• Document a list of threats and cyber actor TTPs relevant to your organization (e.g., based on industry or sectors), and maintain the ability (such as via rules, alerting, or commercial prevention and detection systems) to detect instances of those key threats [CPG 3A].
• Implement periodic training for all employees and contractors that covers basic security concepts (such as phishing, business email compromise, basic operational security, password security, etc.), as well as fostering an internal culture of security and cyber awareness [CPG 2I].
o Tailor the training to network IT personnel/administrators and other key staff based on relevant organizational cyber threats and TTPs, such as Volt Typhoon. For example, communicate that Volt Typhoon actors are known to target personal email accounts of IT staff, and encourage staff to protect their personal email accounts by using strong passwords and implementing MFA. o In addition to basic cybersecurity training, ensure personnel who maintain or secure OT as part of their regular duties receive OT-specific cybersecurity training on at least an annual basis [
CPG 2J].
o Educate users about the risks associated with storing unprotected passwords.
OT Administrators and Defenders
• Change default passwords [CPG 2A] and ensure they meet the policy requirements for complexity. If the asset’s password cannot be changed, implement compensating controls for the device; for example, segment the device into separate enclaves and implement increased monitoring and logging.
• Require that passwords for all OT password-protected assets be at least 15 characters, when technically feasible. In instances where minimum passwords lengths are not technically feasible (for example, assets in remote locations), apply compensating controls, record the controls, and log all login attempts. [CPG 2B].
• Enforce strict access policies for accessing OT networks. Develop strict operating procedures for OT operators that details secure configuration and usage.
• Segment OT assets from IT environments by [CPG 2F]:
o Denying all connections to the OT network by default unless explicitly allowed (e.g., by IP address and port) for specific system functionality.
o Requiring necessary communications paths between IT and OT networks to pass through an intermediary, such as a properly configured firewall, bastion host, “jump box,” or a demilitarized zone (DMZ), which is closely monitored, captures network logs, and only allows connections from approved assets.
• Closely monitor all connections into OT networks for misuse, anomalous activity, or OT protocols.
• Monitor for unauthorized controller change attempts. Implement integrity checks of controller process logic against a known good baseline. Ensure process controllers are prevented from remaining in remote program mode while in operation if possible.
• Lock or limit set points in control processes to reduce the consequences of unauthorized controller access.
• Be prepared by:
o Determining your critical operational processes’ reliance on key IT infrastructure:
Maintain and regularly update an inventory of all organizational OT assets.
Understand and evaluate cyber risk on “as-operated” OT assets.
Create an accurate “as-operated” OT network map and identify OT and IT network inter-dependencies.
o Identifying a resilience plan that addresses how to operate if you lose access to or control of the IT and/or OT environment.
Plan for how to continue operations if a control system is malfunctioning, inoperative, or actively acting contrary to the safe and reliable operation of the process.
Develop workarounds or manual controls to ensure ICS networks can be isolated if the connection to a compromised IT environment creates risk to the safe and reliable operation of OT processes.
o Create and regularly exercise an incident response plan.
Regularly test manual controls so that critical functions can be kept running if OT networks need to be taken offline.
o Implement regular data backup procedures on OT networks.
Regularly test backup procedures.
• Follow risk-informed guidance in the joint advisory NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems, the NSA advisory Stop Malicious Cyber Activity Against Connected Operational Technology.
CONTACT INFORMATION
US organizations: To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact:
• CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870 or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
• For NSA client requirements or general cybersecurity inquiries, contact [email protected].
• Water and Wastewater Systems Sector organizations, contact the EPA Water Infrastructure and Cyber Resilience Division at [email protected] to voluntarily provide situational awareness.
• Entities required to report incidents to DOE should follow established reporting requirements, as appropriate. For other energy sector inquiries, contact [email protected].
• For transportation entities regulated by TSA, report to CISA Central in accordance with the requirements found in applicable Security Directives, Security Programs, or TSA Order.
Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations: Report incidents by emailing CCCS at [email protected].
New Zealand organizations: Report cyber security incidents to [email protected] or call 04 498 7654.
United Kingdom organizations: Report a significant cyber security incident products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.
ACKNOWLEDGEMENTS
Fortinet and Microsoft contributed to this advisory.
VERSION HISTORY
February 7, 2024: Initial Version.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
1. Select an ATT&CK technique described in this advisory (see Table 5 through Table 17).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
REFERENCES
[1] fofa
[2] Microsoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
[3] GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet
[4] GitHub - sandialabs/gait: Zeek Extension to Collect Metadata for Profiling of Endpoints and Proxies
[5] The Zeek Network Security Monitor
RESOURCES
Microsoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
Secureworks: Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities,
Full IOCs in JSON:
{
"type": "bundle",
"id": "bundle--3147edae-b574-4717-9809-4022e5236b1a",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771",
"created": "2023-08-11T15:46:15.983Z",
"extensions": {
"extension-definition--3a65884d-005a-4290-8335-cb2d778a83ce": {
"access_privilege": [
{
"privilege_action": "CISAUSES",
"privilege_scope": {
"entity": [
"ALL"
],
"permitted_nationalities": [
"ALL"
],
"permitted_organizations": [
"ALL"
],
"shareability": [
"ALL"
]
},
"rule_effect": "permit"
}
],
"authority_reference": [
"urn:isa:authority:ais"
],
"control_set": {
"classification": "U",
"formal_determination": [
"INFORMATION-DIRECTLY-RELATED-TO-CYBERSECURITY-THREAT",
"PUBREL"
]
},
"create_date_time": "2023-08-11T15:46:15.983Z",
"extension_type": "property-extension",
"further_sharing": [
{
"sharing_scope": [
"USA.USG"
],
"rule_effect": "permit"
}
],
"identifier": "isa:guide.19001.GEMINI-a9bdb603-7f4f-44c6-acb0-d47f614e64b2",
"policy_reference": "urn:isa:policy:acs:ns:v3.0?privdefault=deny&sharedefault=deny",
"responsible_entity_custodian": "USA.DHS.CISA.CSD.TH.CMA",
"responsible_entity_originator": "USA.DHS.CISA.CSD.TH.CMA"
}
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created_by_ref": "identity--42ac3c92-60d2-418f-ba8e-838944e6110b",
"created": "2023-04-12T17:53:09.646Z",
"modified": "2023-04-12T17:53:09.646Z",
"name": "GeminiProduction_CMA",
"description": "Cybersecurity and Infrastructure Security Agency Production Identity. Code and Media Analysis.",
"identity_class": "system",
"confidence": 100,
"lang": "en",
"object_marking_refs": [
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--6f60abb6-c78c-5fa5-8275-08ed20ad058f",
"hashes": {
"MD5": "fd41134e8ead1c18ccad27c62a260aa6",
"SHA-1": "04423659f175a6878b26ac7d6b6e47c6fd9194d1",
"SHA-256": "edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70",
"SHA-512": "df55591e730884470afba688e17c83fafb157ecf94c9f10a20e21f229434ea58b59f8eb771f8f9e29993f43f4969fe66dd913128822b534c9b1a677453dbb93c",
"SSDEEP": "49152:99z0w/qP1dKPzeietmd64H9QaIG0aYkn0GzkWVISaJUET6qyxASuOszP7hn+S6wB:v0R9dKSiekd68ZIQ0obVI9UG6qyuhF6"
},
"size": 2840064,
"name": "BrightmetricAgent.exe",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
]
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--c577e744-04a1-49d3-b636-4ff7d836bb6b",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "adaware",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Generic.Trojan.Volt.Marte.A.05F91E9C",
"result": "unknown",
"sample_ref": "file--6f60abb6-c78c-5fa5-8275-08ed20ad058f"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--57df436c-ff51-45e7-9455-2dcf69685336",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "antiy",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "GrayWare/Win32.Kryptik.ffp",
"result": "unknown",
"sample_ref": "file--6f60abb6-c78c-5fa5-8275-08ed20ad058f"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--92c4b747-2167-4c2f-a023-1f7a46868668",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "bitdefender",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Generic.Trojan.Volt.Marte.A.05F91E9C",
"result": "unknown",
"sample_ref": "file--6f60abb6-c78c-5fa5-8275-08ed20ad058f"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--4ed8abe7-b4cd-4523-a0e3-433a90d94e3d",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "eset",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "a variant of WinGo/HackTool.Agent.Y trojan",
"result": "unknown",
"sample_ref": "file--6f60abb6-c78c-5fa5-8275-08ed20ad058f"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--4d173e26-37d0-4c55-94ce-1dd701d5957d",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "emsisoft",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Generic.Trojan.Volt.Marte.A.05F91E9C (B)",
"result": "unknown",
"sample_ref": "file--6f60abb6-c78c-5fa5-8275-08ed20ad058f"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--efd0ed4a-c9fe-47c9-9c2b-aa676e676ae0",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "ikarus",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Trojan.WinGo.Rozena",
"result": "unknown",
"sample_ref": "file--6f60abb6-c78c-5fa5-8275-08ed20ad058f"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--28c48841-d813-4522-baa8-4021ebe3dacc",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "microsoftdefender",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Malware",
"result": "unknown",
"sample_ref": "file--6f60abb6-c78c-5fa5-8275-08ed20ad058f"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--9e9777f4-44db-4db2-8a64-11fa9670f67f",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "sophos",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "App/FRProxy-F",
"result": "unknown",
"sample_ref": "file--6f60abb6-c78c-5fa5-8275-08ed20ad058f"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--967dd29b-dc96-43e2-9869-2ff448474a9e",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "varist",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "W64/Agent.FXW.gen!Eldorado",
"result": "unknown",
"sample_ref": "file--6f60abb6-c78c-5fa5-8275-08ed20ad058f"
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--664d9112-90fe-4d52-b07b-105daad69618",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"description": "This artifact is a cross platform full featured FRP that is written in GO language (Golang) and packed using Ultimate Packer for Executables (UPX). This utility can be used to locate servers behind a network firewall or obscured through NAT. It includes the KCP (no acronym) network protocol that allows for error-checked and anonymous delivery of data streams using the User Datagram Protocol (UDP) with packet level encryption support.\r\n\r\nThe program contains two different multiplexer libraries that can bi-directionally stream data over a NAT’d network. It also contains a command line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management Instrumentation (WMI), and Z Shell (zsh). In addition, the utility features a unique capability that detects if the utility is executed from the command line or by double-clicking. \r\n\r\nBy default it is configured to connect to the Internet Protocol (IP) address, 203.95.8.98 on Transmission Control Protocol (TCP) port 1080. It must receive a specially formed packet from the C2 for the utility to deploy on the system.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"malware_types": [
"trojan"
],
"is_family": false,
"sample_refs": [
"file--6f60abb6-c78c-5fa5-8275-08ed20ad058f"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8a72c4d8-0846-400d-8812-6105d4f98dc4",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"name": "BrightmetricAgent.exe",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"indicator_types": [
"malicious-activity"
],
"pattern": "[file:hashes.'MD5'='fd41134e8ead1c18ccad27c62a260aa6' OR file:hashes.'SHA-1'='04423659f175a6878b26ac7d6b6e47c6fd9194d1' OR file:hashes.'SHA-256'='edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70' OR file:hashes.'SHA-512'='df55591e730884470afba688e17c83fafb157ecf94c9f10a20e21f229434ea58b59f8eb771f8f9e29993f43f4969fe66dd913128822b534c9b1a677453dbb93c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-02-02T15:11:50.14103Z"
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--2e9778d4-e97e-56dc-a8fd-fd39a8bfe9d5",
"value": "203.95.8.98",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
]
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--1e5d2e39-ec90-4553-961b-3877d97d39c4",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"content": "BrightmetricAgent.exe (edc0c63065...) attempts to connect to this IP address. The IP address hosts a proxy server.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"object_refs": [
"ipv4-addr--2e9778d4-e97e-56dc-a8fd-fd39a8bfe9d5"
]
},
{
"type": "location",
"spec_version": "2.1",
"id": "location--34610caa-9135-4875-ac37-4746088dd006",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-02-02T15:11:50.25412Z",
"modified": "2024-02-02T15:11:50.25412Z",
"name": "203.95.8.98",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"description": "Domain Name: pdsguam.biz\r\nRegistry Domain ID: D15926452-BIZ\r\nRegistrar WHOIS Server: whois.godaddy.com\r\nRegistrar URL: whois.godaddy.com\r\nUpdated Date: 2023-06-15T04:28:19Z\r\nCreation Date: 2007-01-10T00:40:37Z\r\nRegistry Expiry Date: 2024-01-09T23:59:59Z\r\nRegistrar: GoDaddy.com, LLC\r\nRegistrar IANA ID: 146\r\nRegistrar Abuse Contact Email: [email protected]\r\nRegistrar Abuse Contact Phone: +1.4806242505\r\nRegistrant Organization: Domains By Proxy, LLC\r\nRegistrant State/Province: Arizona\r\nRegistrant Country: US\r\nRegistrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.\r\nAdmin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.\r\nTech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.\r\nName Server: ns.pdsguam.biz\r\nName Server: ns2.pdsguam.biz\r\nDNSSEC: unsigned",
"region": "northern-america",
"country": "US"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c",
"hashes": {
"MD5": "3a97d9b6f17754dcd38ca7fc89caab04",
"SHA-1": "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34",
"SHA-256": "eaef901b31b5835035b75302f94fee27288ce46971c6db6221ecbea9ba7ff9d0",
"SHA-512": "d99941e4445efed5d4e407f91a9e5bba08d1be3f0dab065d1bfb4e70ab48d6526a730233d6889ba58de449f622e6a14e99dab853d40fc30a508627fd2735c973",
"SSDEEP": "384:ahXoLj9Zez0Bm4SUZa8WLLXyjSL2RtfAwj/yneIMUogQ:ahXoLhZez0m4SIabLLCmL2Rvj/yeIEg"
},
"size": 20480,
"name": "eaef901b31b5835035b75302f94fee27288ce46971c6db6221ecbea9ba7ff9d0",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
]
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--c3964dad-86fe-4235-a174-49bd49422ee7",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "adaware",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Unavailable (production)",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--6996c7b2-7f76-49d4-bb56-985101b2ce9f",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "ahnlab",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Unwanted/Win32.Foundstone",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--004e4ae2-0349-4464-b9d9-33a1cce2e8b1",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "antiy",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "HackTool[NetTool]/Win32.Portscan",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--a5cc9df5-c105-47ab-9f12-5ac694bae64d",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "bitdefender",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Unavailable (production)",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--b6e682d8-10ab-4f05-962c-7ea774f1920d",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "clamav",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Win.Trojan.Scanline-1",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--2f43287b-bb70-4d99-ab26-5adbcbbecedd",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "comodo",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "ApplicUnwnt",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--c13c10ef-1fdc-4855-8555-8fc0bade8818",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "cylance",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Malware",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--de0c9309-93b5-44a4-8f58-0f5d93079a34",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "filseclab",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Hacktool.ScanLine.a.fsff",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--a08a9f25-d8e2-41a4-bbea-86d9c217a64e",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "ikarus",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Virtool",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--ca9c3dc5-bb4f-4b7f-99db-0c653f95d415",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "mcafee",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Unavailable (production)",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--3fefb2c2-d39c-4028-8c2a-f3b8684d141b",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "microsoftdefender",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Malware",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--b565d211-a4b1-46d1-87d2-6b4364aa3636",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "nanoav",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Riskware.Win32.ScanLine.dhhus",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--2d3f9171-807d-4388-96e0-4d844fc21968",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "quickheal",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Trojan.Win32",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--a083e2ec-1f21-4a6b-bfa0-f259abbda95a",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "scrutiny",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Malware",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--2ece688f-fd0d-45b4-982e-4cf47cdfa4a0",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "sophos",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "App/ScanLn-A",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--a54e9075-ab72-4adb-a73f-703f14611e0f",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "virusblokada",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Trojan.Genome.fl",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--55967892-3008-460e-83f0-7a1f92f3c924",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "webrootsmd",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"
],
"result_name": "Unavailable (production)",
"result": "unknown",
"sample_ref": "file--70bfcb9c-8313-5dac-a096-ff7f5578721c"
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--a3040dc9-9cd9-4b96-9c55-a49587f7f9cb",
"created_by_ref": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
"created": "2024-01-16T20:09:58.000Z",
"modified": "2024-01-16T20:09:58.000Z",
"product": "zillya",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d896763f-3f6f-4917-86e8-1a4b043d9771"