China’s ‘Volt Typhoon’ APT: Analyzing the Expanding Threat Landscape

Chinese State-Backed APT Volt Typhoon Exploits Zoho’s ManageEngine ADSelfService Plus Vulnerability

The recently discovered advanced persistent threat (APT) known as “Volt Typhoon,” or “Vanguard Panda,” has been found exploiting a critical vulnerability in Zoho’s ManageEngine ADSelfService Plus, a single sign-on and password management solution. This state-backed APT was initially brought to public attention through joint reports from Microsoft and various government agencies. The reports highlighted Volt Typhoon’s infiltration of critical infrastructure in the Pacific region, with a possible intention to establish a beachhead in the event of a conflict with Taiwan.

Volt Typhoon’s Tactics and Techniques

The reports disclosed several tactics, techniques, and procedures (TTPs) employed by Volt Typhoon. The group initially gained entry through internet-exposed Fortinet FortiGuard devices and then concealed its network activity by routing traffic through compromised routers, firewalls, and VPN hardware. However, a recent campaign revealed by CrowdStrike suggests that Volt Typhoon adapts its tactics based on extensive reconnaissance. In this instance, the group exploited a vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, disguised its web shell as a legitimate process, and erased activity logs as it operated.

This previously undisclosed method gave Volt Typhoon “pervasive access to the victim’s environment for an extended period,” states Tom Etheridge, the chief global professional services officer for CrowdStrike. The exact location and profile of the victim were not disclosed, but Etheridge notes that the attackers demonstrated familiarity with the targeted infrastructure and diligently covered their tracks.

Suspicious Activity and Undetected Webshell

CrowdStrike researchers became alert to suspicious activity from an unidentified client’s network, indicating extensive information-gathering and familiarity with the target environment. Following an investigation, it was discovered that Volt Typhoon had deployed a webshell in the network six months prior, remaining undetected.

The attackers gained initial access by exploiting a critical (9.8 CVSS score) remote code execution vulnerability (CVE-2021-40539) in ADSelfService Plus. ManageEngine software, including ADSelfService Plus, has repeatedly been affected by critical vulnerabilities in recent years. The attackers further concealed their presence by masquerading the webshell as a legitimate file, setting its title to match ManageEngine ADSelfService Plus and incorporating links to genuine help desk software.

To progress through the compromised network, the group acquired administrator credentials and moved laterally. This time, they covered their tracks manually, extensively deleting log files and removing unnecessary files from disk. However, they neglected to erase the Java source code and compiled class files from the targeted Apache Tomcat web server, which served as a crucial clue in unveiling their activity.
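The leftover Java source and class files are a useful hunting lead on their own: Tomcat's Jasper engine compiles each JSP into a `_jsp.java` and `_jsp.class` artifact under the `work` directory, so a webshell that was deleted from `webapps` can still leave its compiled twin behind. The script below is an added example, not CrowdStrike's tooling or the article's own code; it walks a webapp root and the matching `work` tree and reports compiled JSP artifacts whose source JSP no longer exists. It assumes simple JSP file names (Jasper mangles special characters in a way this mapping does not reproduce) and builds a constructed sample tree in a temp directory.

```python
import os
import tempfile
from pathlib import Path

def jsp_to_compiled_stem(rel_jsp: str) -> str:
    """Map a JSP path relative to the webapp root to Jasper's generated
    class path (without extension) under org/apache/jsp.
    'help/index.jsp' -> 'org/apache/jsp/help/index_jsp'.
    Assumption: simple names only; Jasper mangles other characters."""
    p = Path(rel_jsp)
    out = Path("org/apache/jsp") / p.parent / (p.stem + "_jsp")
    return str(out).replace(os.sep, "/")

def find_orphaned_compiled_jsps(webapp_root, work_root):
    """Return compiled JSP artifacts (.java/.class) in Tomcat's work
    tree whose source JSP is no longer deployed in the webapp."""
    deployed = set()
    for path in Path(webapp_root).rglob("*.jsp"):
        rel = path.relative_to(webapp_root).as_posix()
        deployed.add(jsp_to_compiled_stem(rel))
    orphans = []
    for path in Path(work_root).rglob("*"):
        if path.suffix not in (".java", ".class"):
            continue
        rel = path.relative_to(work_root).as_posix()
        # Strip the extension and any inner-class suffix (name_jsp$1.class).
        stem = rel[: -len(path.suffix)].split("$")[0]
        if stem not in deployed:
            orphans.append(rel)
    return sorted(orphans)

def build_constructed_example(base: Path):
    """Constructed sample tree (not real data): one JSP that is still
    deployed, plus compiled artifacts for a JSP that has been removed."""
    webapp = base / "webapps" / "adss"
    work = base / "work" / "Catalina" / "localhost" / "adss"
    (webapp / "help").mkdir(parents=True)
    (webapp / "help" / "index.jsp").write_text("<title>ManageEngine</title>")
    gen = work / "org" / "apache" / "jsp" / "help"
    gen.mkdir(parents=True)
    for name in ("index_jsp.java", "index_jsp.class",
                 "support_jsp.java", "support_jsp.class"):
        (gen / name).write_bytes(b"")
    return webapp, work

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        webapp, work = build_constructed_example(Path(tmp))
        return find_orphaned_compiled_jsps(webapp, work)

if __name__ == "__main__":
    for entry in demo():
        print("compiled JSP without a deployed source:", entry)
```

Any hit deserves a look at the artifact's timestamps and the access logs (or their absence) for the matching URL path.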

Defense Strategies Against Volt Typhoon

Volt Typhoon has primarily targeted organizations in sectors such as communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education. However, the group is notably focused on critical infrastructure in the United States and Guam, which plays a crucial role in the defense of Taiwan against China.

According to Etheridge, the principles observed in this case study can also be applied to defending critical infrastructure. He highlights the significance of identity management as a major challenge for organizations. The rise in stolen credential advertisements underscores the importance of protecting and managing identities, as Volt Typhoon’s success relied on leveraging stolen credentials to remain undetected for an extended period.

Etheridge also emphasizes the essential role of threat hunting and incident response in mitigating the consequences of such attacks. While it may be challenging to entirely prevent nation-state threat actors, organizations can be better prepared to respond and take corrective action swiftly if they can detect ongoing threats and respond effectively.

Conclusion

The discovery of the Chinese state-backed APT Volt Typhoon and its exploitation of Zoho’s ManageEngine ADSelfService Plus vulnerability underscores the evolving and persistent threats faced in the realm of cybersecurity. This case serves as a reminder that state-sponsored threat actors possess sophisticated capabilities and continue to adapt their tactics to remain undetected.

Organizations must remain vigilant and prioritize measures such as identity management, threat hunting, and incident response. Proactive and robust defense strategies are crucial to safeguarding critical infrastructure and mitigating potential consequences. Additionally, cooperation between technology vendors, government agencies, and cybersecurity firms is vital in staying ahead of emerging threats and collectively addressing cybersecurity challenges.
