Microsoft warns of Volt Typhoon, the latest attack in global cyberwarfare

Cyber attack visualization. Image: pinkeyes/Adobe Stock

Microsoft’s warning on Wednesday that the China-sponsored actor Volt Typhoon has attacked US infrastructure lent weight to presentations by cyber security and international affairs experts, who argue that the global war in cyberspace pits authoritarian regimes against democracies.


China’s Commitment to Cyber Warfare

Microsoft’s statement pointed out that Volt Typhoon – which has hit organizations in the IT, communications, manufacturing, utilities, transport, construction, maritime, government and education sectors – has been following a ‘living off the land’ strategy since 2021 that focuses on exfiltrating data. The tactic typically uses social engineering exploits such as phishing to get in, then operates stealthily through legitimate software already present on the network. Volt Typhoon uses a Fortinet exploit to gain access and uses valid accounts to persist (Figure A).

Figure A: Volt Typhoon attack diagram. Image: Microsoft

Nadir Izrael, chief technology officer and co-founder of security firm Armis, pointed out that China’s defense budget has grown over the years, reaching an estimated $178 billion in 2020. “This growing investment has allowed China to build its cyber capabilities with more than 50,000 cyber soldiers and advanced cyber warfare units,” he said.

He added that China’s investment in offensive cyber capabilities has “created a global weapon in its arsenal to disrupt critical infrastructure and disrupt the lives of American citizens in nearly every sector, from communications to maritime transportation.” He said: “Cyber ​​warfare is an incredibly effective, cost-effective tool for China to disrupt the world order.”

Armis has been predicting these threats since January, after finding that 33% of global organizations do not take cyber warfare threats seriously. Izrael urged governments and businesses in these sectors to initiate procedures to counter them.

“As the world becomes increasingly digital, cyber warfare will become modern warfare,” Armis said. “This is a wake-up call for the United States and Western nations.”


Speaking at the WithSecure Sphere23 conference in Helsinki, Finland, before this security news broke, Jessica Berlin, a German foreign policy analyst and founder of the consulting firm CoStruct, said that the United States, the European Union and other democracies had not woken up to the implications of Russian, Chinese and North Korean cyber warfare. She said that these countries were engaged in a cyber world war – a war dominated by autocracies because they fully recognized and accepted it and were committed to fighting it as such.

She told TechRepublic that technology and security companies can play a key role in making citizens and governments aware of this fact by making attacks more transparent. She also noted that the European Union’s General Data Protection Regulation, which has been in effect for five years, is an effective tool for monitoring digital information, data origin and misinformation on social platforms.

The professionalization of cybercrime lowers the entry barrier

Stephen Robinson, threat intelligence analyst at WithSecure, says the cybercriminal ecosystem mirrors legitimate business, which has made it easier for state actors and less sophisticated groups to buy what they can’t produce. This professionalization of cybercrime has created a formal service sector. “Outsourcing functions, hiring freelancers, subcontracting; criminal service providers have emerged and their existence is industrialized exploitation,” said Robinson.

The success of the criminal-as-a-service model is being accelerated by frameworks like Tor for anonymous data transfer and cryptocurrency, noted Robinson, who outlined some dark web service verticals.

  • Initial Access Brokers: These brokers are key because they thrive on and enable the service-oriented model. They will use any method to gain access and then offer that access.
  • Crypter as a service: Crypter is a tool for hiding malware. And that, Robinson said, has led to an arms race between malware and anti-malware.
  • Crypto Jackers: These actors break into a network and drop software, and are often among the first to exploit a server vulnerability. According to Robinson, they represent a low threat, but very strong signals that something has happened or is about to happen.
  • Malware-as-a-service: High technical standards with advanced services such as support and contracts and access to premium products.
  • Nation-state actors: Nation-state actors use the above tools, which allow them to launch campaigns and reach new victims without attribution.

WithSecure has released a recent report on multi-point extortion ransomware groups, which use a variety of extortion strategies, including encryption, to pressure victims into paying.

The company’s analysis of more than 3,000 data breaches showed that organizations in the United States were the most targeted victims, followed by Canada, the United Kingdom, Germany, France and Australia.

In addition, the company’s research showed that the construction industry accounted for 19% of data breaches; the automotive industry accounted for only 6% of attacks.

“In pursuit of a bigger slice of the ransomware industry’s vast revenues, ransomware groups are buying capabilities from e-crime vendors just as legitimate businesses are outsourcing functions to increase their profits,” said Robinson. “This ready supply of capabilities and information is being exploited by a growing number of cyber threat actors, from lone, low-skilled operators to nation-state APTs. Ransomware didn’t create the cybercrime industry, but it certainly added fuel to the fire.”

The company presented an example that resembled a mass looting of a department store after the door was left open. An organization was victimized by five threat actors, each with a different purpose and each representing a different type of cybercrime service: the Monti ransomware group, the Qakbot malware-as-a-service, the 8220 cryptojacking gang, an unnamed initial access broker and a sub-group of the North Korea-linked Lazarus Group.


In these incidents, WithSecure threat intelligence reported encountering six different examples of the “as a service” model used in the observed kill chains (Figure B).

Figure B: Six “as a service” models. Image: WithSecure

According to the report, this professionalization trend makes the expertise and resources needed to attack organizations available to less skilled or under-resourced threat actors. The report predicts that the number of attackers and the size of the cybercrime industry are likely to grow in the coming years.

How to mitigate Volt Typhoon

In Microsoft’s report on Volt Typhoon, the company said that detecting activity using normal login channels and system binaries requires behavioral monitoring, and recovery requires closing or changing the credentials of compromised accounts. In these cases, Microsoft recommends that security operations teams investigate the activity of compromised accounts for malicious actions or data disclosures.
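The report’s point is that valid accounts and built-in binaries leave no malware to scan for, so detection has to compare what an account is doing now with what it normally does. The following PowerShell is an added example, not code from Microsoft or TechRepublic: it runs two behavioral checks over constructed records whose fields mirror Windows Security events 4624 (logon) and 4688 (process creation), and then correlates them per account and host. The baseline, the events, the account and host names, and the list of watched system binaries are all assumptions constructed for the example.

```powershell
# Added example (not from Microsoft's report): behavioral checks over
# constructed logon and process-creation records. Field names mirror
# Security events 4624 and 4688, but every record below is constructed.

# Constructed baseline: (account, computer) pairs seen in a "normal" window.
$Baseline = @(
    @{ Account = 'CORP\jdoe';    Computer = 'WS-042'; LogonType = 2 },
    @{ Account = 'CORP\jdoe';    Computer = 'FS-01';  LogonType = 3 },
    @{ Account = 'CORP\svc-bkp'; Computer = 'FS-01';  LogonType = 5 }
)

# Constructed recent logons to evaluate against the baseline.
$RecentLogons = @(
    @{ Time = '2023-05-24T02:11:00'; Account = 'CORP\jdoe';    Computer = 'WS-042'; LogonType = 2;  SourceIp = '10.1.4.22' },
    @{ Time = '2023-05-24T02:14:00'; Account = 'CORP\jdoe';    Computer = 'DC-01';  LogonType = 3;  SourceIp = '10.1.4.22' },
    @{ Time = '2023-05-24T02:15:00'; Account = 'CORP\jdoe';    Computer = 'DC-02';  LogonType = 10; SourceIp = '10.1.4.22' },
    @{ Time = '2023-05-24T02:16:00'; Account = 'CORP\svc-bkp'; Computer = 'FS-01';  LogonType = 5;  SourceIp = '-' }
)

# Constructed process-creation records (4688-style).
$RecentProcesses = @(
    @{ Time = '2023-05-24T02:15:30'; Account = 'CORP\jdoe'; Computer = 'DC-02';  Image = 'C:\Windows\System32\ntdsutil.exe'; Parent = 'cmd.exe' },
    @{ Time = '2023-05-24T02:16:10'; Account = 'CORP\jdoe'; Computer = 'DC-02';  Image = 'C:\Windows\System32\netsh.exe';    Parent = 'cmd.exe' },
    @{ Time = '2023-05-24T09:00:00'; Account = 'CORP\jdoe'; Computer = 'WS-042'; Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Parent = 'explorer.exe' }
)

# Illustrative (assumed) list of built-in binaries whose use by an
# interactive user account outside admin work merits a look; tune per site.
$WatchedBinaries = @('ntdsutil.exe', 'netsh.exe', 'wmic.exe', 'vssadmin.exe')

# Emit each recent logon whose (account, computer) pair is absent from the baseline.
function Find-NewAccountComputerPairs {
    param([array]$Baseline, [array]$Logons)
    $known = @{}
    foreach ($b in $Baseline) { $known["$($b.Account)|$($b.Computer)"] = $true }
    foreach ($l in $Logons) {
        if (-not $known.ContainsKey("$($l.Account)|$($l.Computer)")) {
            [pscustomobject]@{
                Time = $l.Time; Account = $l.Account; Computer = $l.Computer
                LogonType = $l.LogonType; SourceIp = $l.SourceIp
                Reason = 'account never seen on this computer in baseline'
            }
        }
    }
}

# Emit each process-creation record whose image is on the watched list.
function Find-WatchedBinaryUse {
    param([array]$Processes, [string[]]$Watched)
    foreach ($p in $Processes) {
        $name = [System.IO.Path]::GetFileName($p.Image)
        if ($Watched -contains $name) {
            [pscustomobject]@{
                Time = $p.Time; Account = $p.Account; Computer = $p.Computer
                Image = $name; Parent = $p.Parent
                Reason = 'watched system binary launched by user account'
            }
        }
    }
}

# Correlate: a new computer for an account plus a watched binary on that
# computer in the same window is the "normal channels, system binaries"
# pattern the report describes, so it is ranked above a new logon alone.
function Get-SuspiciousAccountActivity {
    $newPairs = Find-NewAccountComputerPairs -Baseline $Baseline -Logons $RecentLogons
    $binUse   = Find-WatchedBinaryUse -Processes $RecentProcesses -Watched $WatchedBinaries
    foreach ($n in $newPairs) {
        $hits = @($binUse | Where-Object { $_.Account -eq $n.Account -and $_.Computer -eq $n.Computer })
        [pscustomobject]@{
            Account         = $n.Account
            Computer        = $n.Computer
            FirstSeen       = $n.Time
            LogonType       = $n.LogonType
            WatchedBinaries = ($hits.Image -join ', ')
            Priority        = $(if ($hits.Count -gt 0) { 'high' } else { 'medium' })
        }
    }
}

Get-SuspiciousAccountActivity | Format-Table -AutoSize
```

With the constructed data, the script reports CORP\jdoe on DC-01 at medium priority (new computer, nothing else) and on DC-02 at high priority (new computer, RDP-style logon type 10, followed by ntdsutil.exe and netsh.exe), while the service account’s routine logon to FS-01 produces nothing. In production the baseline would come from a week or more of real 4624 events and the recent window from the log or SIEM rather than inline arrays; the correlation logic stays the same.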

To mitigate these attacks, Microsoft recommended the following:

  • Enforce strong multi-factor authentication policies with hardware security keys, passwordless login and password expiration rules, and deactivate unused accounts.
  • Turn on attack surface reduction rules to block or audit threat-related activity.
  • Enable Protected Process Light for LSASS on Windows 11 devices. New, enterprise-joined Windows 11 (22H2 update) installations have this feature enabled by default, according to the company.
  • Enable Windows Defender Credential Guard, which is turned on by default for organizations using the Enterprise edition of Windows 11.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus.
  • Run endpoint detection and response in block mode so Microsoft Defender for Endpoint can block malicious artifacts.
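Several items in that list are endpoint settings that can be verified locally, and a checklist is only useful if it is checked. The following PowerShell is an added example, not code from Microsoft’s report: a read-only audit that reports whether the LSASS-related attack surface reduction rule, LSASS Protected Process Light, Credential Guard and Defender cloud-delivered protection are in force on the host it runs on. The ASR rule id is the known identifier for “Block credential stealing from the Windows local security authority subsystem (lsass.exe)”; the function and property names in the report object are the example’s own. The identity-side items (MFA, password expiry, unused accounts) and EDR in block mode are configured in Entra ID and the Defender portal rather than on the endpoint, so the script does not check them.

```powershell
# Added example (not from Microsoft's report): read-only audit of the
# Windows-side hardening settings listed above. Run in an elevated
# PowerShell session on a Windows 11 host with Microsoft Defender Antivirus.
# Remediation commands are shown as comments rather than executed.

# Known ASR rule id: "Block credential stealing from the Windows local
# security authority subsystem (lsass.exe)".
$LsassAsrRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# True only if the rule is configured AND its action is Block (1).
# Actions: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
function Test-AsrRuleBlocking {
    param([string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) { return ($acts[$i] -eq 1) }
    }
    return $false
    # Remediation:
    # Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
}

# RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
# 1 = PPL enabled with UEFI lock, 2 = PPL enabled without UEFI lock.
function Test-LsassPpl {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    return [bool]($null -ne $lsa -and $null -ne $lsa.RunAsPPL -and $lsa.RunAsPPL -ge 1)
}

# Win32_DeviceGuard.SecurityServicesRunning lists running VBS services:
# 1 = Credential Guard, 2 = HVCI. Configured-but-not-running counts as off.
function Test-CredentialGuardRunning {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and (@($dg.SecurityServicesRunning) -contains 1))
}

# MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced. Treat anything
# below Advanced as a finding.
function Test-CloudProtection {
    $pref = Get-MpPreference
    return ($pref.MAPSReporting -eq 2)
    # Remediation:
    # Set-MpPreference -MAPSReporting Advanced
}

# One object per host; False values are the findings to act on.
function Get-HardeningReport {
    [pscustomobject]@{
        Computer                         = $env:COMPUTERNAME
        'ASR: block LSASS credential theft' = Test-AsrRuleBlocking -RuleId $LsassAsrRule
        'LSASS runs as PPL (RunAsPPL)'      = Test-LsassPpl
        'Credential Guard running'          = Test-CredentialGuardRunning
        'Defender cloud protection Advanced' = Test-CloudProtection
    }
}

Get-HardeningReport | Format-List
```

The checks deliberately test the running state rather than policy intent: an ASR rule set to Audit, or Credential Guard enabled in policy but blocked by missing virtualization support, both show up as False. Across a fleet the same functions can be run through Invoke-Command and the per-host objects exported to CSV for tracking.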