Volt Typhoon: the emerging Chinese cyber-espionage threat
Detailed analysis reveals the advanced intrusion techniques used by Volt Typhoon, a new Chinese cyber-espionage group also known as Vanguard Panda
A new Chinese state actor in the cyber warfare landscape, known as Volt Typhoon, has recently been discovered and has been active since 2020. This group has shown unprecedented operational techniques to maintain remote access to its targets. The findings come from CrowdStrike, which tracks the adversary under the name Vanguard Panda. Volt Typhoon, also known as Bronze Silhouette, is a Chinese cyber-espionage group involved in network intrusion operations against the US government, defense and other critical infrastructure organizations.
Volt Typhoon attack techniques: operational security and open-source tools
A detailed analysis of how the group operates revealed a strong emphasis on operational security: a large set of open-source tools is used carefully against a small number of victims to sustain long-term malicious activity. Volt Typhoon has been described as a threat group that "favors web shells for persistence and relies on short periods of activity, primarily involving living-off-the-land binaries, to achieve its objectives."
Failed attack and the modus operandi of Vanguard Panda
In a failed incident targeting an unspecified customer, the actor targeted the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server to trigger the execution of suspicious commands related to process enumeration and network connectivity, among others. CrowdStrike's analysis suggests that Vanguard Panda's actions reflect familiarity with the target environment, given the rapid succession of its commands and its possession of specific internal hostnames and IP addresses to ping, remote shares to mount, and cleartext credentials to use for WMI.
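The behaviour described above (a burst of living-off-the-land discovery commands, spawned by the web server process, in rapid succession) is something endpoint telemetry can catch. The following is an added detection example, not code from the article or from CrowdStrike: it takes normalised process-creation events (the shape Sysmon Event ID 1 or an EDR feed would give) and alerts when a process spawned by a Tomcat/Java parent runs several distinct categories of discovery commands inside a short window. The hostnames, paths, command lines, regexes, window length and threshold are all constructed assumptions for illustration.

```python
"""Detect a burst of discovery commands spawned by a web server process.

Constructed example: event shape, hostnames, file paths and thresholds are
assumptions made for illustration, not values from the CrowdStrike report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent_image: str   # image path of the process that spawned this one
    cmdline: str        # full command line of the new process


# Discovery categories named in the report: process enumeration, network
# connectivity checks, mounting remote shares, remote WMI execution.
DISCOVERY = {
    "process_enum": re.compile(r"\b(tasklist|wmic\s+process)\b", re.I),
    "net_connectivity": re.compile(r"\b(netstat|ping)\b", re.I),
    "remote_share": re.compile(r"\bnet\s+use\b", re.I),
    "wmi_remote": re.compile(r"\bwmic(\.exe)?\b.*/node:", re.I),
}

# Parent images that should not normally be spawning command shells.
WEB_PARENT = re.compile(r"(tomcat|java\.exe|w3wp\.exe|httpd)", re.I)

WINDOW = timedelta(seconds=120)   # assumed: "rapid succession" window
MIN_CATEGORIES = 3                # distinct categories inside one window => alert


def classify(ev):
    """Return the set of discovery categories an event's command line matches."""
    return {name for name, rx in DISCOVERY.items() if rx.search(ev.cmdline)}


def find_bursts(events):
    """Per host, slide a WINDOW over web-server-spawned discovery commands and
    report the first window that covers >= MIN_CATEGORIES categories."""
    suspicious = sorted(
        (ev for ev in events if WEB_PARENT.search(ev.parent_image) and classify(ev)),
        key=lambda e: (e.host, e.ts),
    )
    by_host = {}
    for ev in suspicious:
        by_host.setdefault(ev.host, []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1
            window = evs[start:end + 1]
            cats = set().union(*(classify(e) for e in window))
            if len(cats) >= MIN_CATEGORIES:
                alerts.append({
                    "host": host,
                    "first": window[0].ts,
                    "last": window[-1].ts,
                    "categories": sorted(cats),
                    "commands": [e.cmdline for e in window],
                })
                break   # one alert per host is enough for triage
    return alerts


# Constructed telemetry: a Tomcat-hosted app spawning discovery commands in
# under a minute, plus a benign admin running netstat from an interactive shell.
TOMCAT_JAVA = r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe"   # assumed path
SAMPLE_EVENTS = [
    ProcEvent(datetime(2023, 6, 1, 10, 0, 0), "srv-adss-01", TOMCAT_JAVA, "cmd.exe /c tasklist"),
    ProcEvent(datetime(2023, 6, 1, 10, 0, 9), "srv-adss-01", TOMCAT_JAVA, "cmd.exe /c netstat -ano"),
    ProcEvent(datetime(2023, 6, 1, 10, 0, 25), "srv-adss-01", TOMCAT_JAVA, "cmd.exe /c ping -n 1 dc01.corp.example"),
    ProcEvent(datetime(2023, 6, 1, 10, 0, 58), "srv-adss-01", TOMCAT_JAVA, r"cmd.exe /c net use \\fs01.corp.example\share"),
    ProcEvent(datetime(2023, 6, 1, 10, 5, 0), "wks-admin-07", r"C:\Windows\explorer.exe", "cmd.exe /c netstat -ano"),
]

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_EVENTS):
        print(alert)
```

The parent-process check is what carries the signal here: a single `netstat` is noise, but `tasklist`, `netstat`, `ping` and `net use` all launched from a Java web application within a minute is the hands-on-keyboard pattern the report describes. Tune `WINDOW` and `MIN_CATEGORIES` against your own baseline before alerting on it.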
Forensic discoveries and attempted concealment of the tracks
A closer examination of Tomcat's access logs revealed several HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell masquerading as a legitimate identity security solution to evade detection. The web shell is believed to have been deployed nearly six months before the activity described, indicating extensive preliminary reconnaissance of the target network. While it is not immediately clear how Vanguard Panda breached the ManageEngine environment, all signs point to the exploitation of CVE-2021-40539, a critical authentication bypass flaw leading to remote code execution. Although suspected of deleting artifacts and tampering with access logs to obscure the forensic trail, the actor made an obvious mistake by not accounting for the Java source files and compiled class files generated during the attack.
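Two traces survive in the scenario above: POST requests to a JSP/JSPX path that is not a known application endpoint in the access log, and the `_jsp.java` / `_jsp.class` files Tomcat generates when it first compiles a page, which live in the work directory and are easy for an intruder to overlook. The following hunting script is an added example, not code from the article or from CrowdStrike. It parses access-log lines in the combined format Tomcat's AccessLogValve commonly writes, flags POSTs to unexpected JSP paths, and maps compiled artifacts under a Tomcat work directory back to the servlet paths they came from. The log lines, the endpoint allowlist and the directory layout are constructed; the only value taken from the report is the web shell path /html/promotion/selfsdp.jspx.

```python
"""Hunt for web shell traces in a Tomcat access log and work directory.

Constructed example: log lines, KNOWN_JSP allowlist and the directory layout
are assumptions for illustration; only /html/promotion/selfsdp.jspx is from
the report. Tomcat mangles directory or file names that are not valid Java
identifiers (for example '-' becomes '_002d'); this mapping covers plain names.
"""
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Combined-format access log line as Tomcat's AccessLogValve writes it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical allowlist of legitimate JSP endpoints; build it from a clean install.
KNOWN_JSP = {"/samlLogin/login.jsp", "/PasswordExpiry.jsp"}

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2023:10:00:01 +0000] "GET /PasswordExpiry.jsp HTTP/1.1" 200 4321
10.0.0.5 - - [01/Jun/2023:10:00:05 +0000] "POST /samlLogin/login.jsp HTTP/1.1" 302 0
203.0.113.9 - - [01/Jun/2023:10:02:17 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 118
203.0.113.9 - - [01/Jun/2023:10:02:40 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 265
10.0.0.7 - - [01/Jun/2023:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 9000
"""


def suspicious_jsp_posts(log_text):
    """Return (source, time, path) for every POST to a .jsp/.jspx path not in KNOWN_JSP."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed line: log it in production, skipped here
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.lower().endswith((".jsp", ".jspx")) \
                and path not in KNOWN_JSP:
            hits.append((m["src"], m["time"], path))
    return hits


def artifacts_to_paths(work_dir):
    """Map generated <name>_jsp.java / <name>_jspx.class files under a Tomcat work
    directory back to the servlet paths they were compiled from.
    Tomcat writes them under .../org/apache/jsp/<original directories>/."""
    paths = set()
    for f in Path(work_dir).rglob("*"):
        m = re.fullmatch(r"(.+)_(jspx?)\.(java|class)", f.name)
        if not f.is_file() or not m:
            continue
        parts = f.relative_to(work_dir).parts[:-1]
        for i in range(len(parts)):
            if parts[i:i + 3] == ("org", "apache", "jsp"):
                parts = parts[i + 3:]
                break
        paths.add("/" + "/".join(list(parts) + [f"{m[1]}.{m[2]}"]))
    return paths


def unexpected_compiled_pages(work_dir):
    """Compiled pages that no known endpoint explains: web shell candidates."""
    return sorted(p for p in artifacts_to_paths(work_dir) if p not in KNOWN_JSP)


def build_demo_work_dir(tmp):
    """Create a constructed work directory mimicking Tomcat's layout."""
    base = Path(tmp) / "work" / "Catalina" / "localhost" / "ROOT" / "org" / "apache" / "jsp"
    for rel in ("samlLogin/login_jsp.java", "samlLogin/login_jsp.class",
                "html/promotion/selfsdp_jspx.java", "html/promotion/selfsdp_jspx.class"):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("// constructed placeholder\n")
    return str(Path(tmp) / "work")


def run_demo():
    """Run both checks against the constructed inputs and return the findings."""
    with TemporaryDirectory() as tmp:
        work = build_demo_work_dir(tmp)
        return {
            "log_hits": suspicious_jsp_posts(SAMPLE_LOG),
            "compiled": sorted(artifacts_to_paths(work)),
            "unexpected": unexpected_compiled_pages(work),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run the work-directory check even when the access log looks clean: the log is what an intruder edits, while the generated source and class files keep the name of the page that was compiled and a filesystem timestamp for when Tomcat first served it, which is how a deployment date well before the observed activity can be established.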
06/26/2023 07:19
Marco Verro