
Authors: Pandian G, Gowri Sunder Ravi, Srinivas Loke

Summary of Advisory from FBI/CISA

Actors with malicious intentions, particularly the People’s Republic of China-backed Volt Typhoon group, are manipulating small office/home office (SOHO) routers by exploiting software vulnerabilities that manufacturers need to address through secure software engineering.  

More specifically, the Volt Typhoon actors are utilizing security flaws in SOHO routers as springboards to further infiltrate U.S. critical infrastructure entities. The Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued this warning due to recent and ongoing threat activities.  

The FBI & CISA urge SOHO router manufacturers to incorporate security features into their products from the start, and encourage all SOHO router users to demand higher security standards from the outset. 

“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” said FBI Director Christopher Wray. “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors.”

One of the main vulnerabilities that Volt Typhoon has exploited is found in Cisco and Netgear routers. These routers were used by the group to route their network traffic, enhancing the stealth of their operations and lowering the cost of acquiring infrastructure.

Information about Volt Typhoon (also tracked as Insidious Taurus)

  • Volt Typhoon is a state-sponsored actor based in China, known for its espionage and information-gathering activities. It has been active since mid-2021 and has targeted critical infrastructure organizations in the United States, spanning various sectors, including communications, manufacturing, utility, transportation, construction, maritime, government, IT, and education. 
  • Volt Typhoon employs a variety of tactics, techniques, and procedures (TTPs) to achieve its objectives. One of their primary strategies is the use of “living-off-the-land” techniques, which involve using built-in network administration tools to perform their objectives. This strategy allows the actor to evade detection by blending in with normal Windows system and network activities, avoiding alerts from endpoint detection and response (EDR) products, and limiting the amount of activity captured in default logging configurations. 
  • They also try to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. 
  • Mitigation strategies against Volt Typhoon include identifying and examining the activity of compromised accounts, closing or changing credentials for compromised accounts, and implementing behavioral monitoring to detect activity that uses normal sign-in channels and system binaries. 
  • Of importance is the “KV-Botnet,” revealed in a report from Lumen’s Black Lotus Labs, which is designed to infect end-of-life small-office/home-office (SOHO) network devices from at least four different vendors. It comes with a series of stealth mechanisms and the ability to spread further into local area networks (LANs). Microsoft has confirmed that many of the devices include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel.
  • Since at least February 2022, KV-Botnet has primarily infected SOHO routers like the Cisco RV320, DrayTek Vigor, and Netgear ProSafe product lines. As of mid-November, it expanded to exploit IP cameras developed by Axis Communications. 
  • Microsoft assesses the “Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

Banned Manufacturers  

Section 889 of the National Defense Authorization Act (NDAA) prohibits the use of federal funds to buy certain telecommunications equipment or services from specific manufacturers. These manufacturers include: 

  • Huawei Technologies Company 
  • Hytera Communications Corporation 
  • ZTE Corporation 
  • Hangzhou Hikvision Technology Company 
  • Dahua Technology Company 
  • Any subsidiary or affiliate of these companies  

Section 889 also prohibits the government from contracting with any entity that uses certain telecommunications equipment or services produced by these manufacturers. This prohibition applies to all purchases, regardless of the size of the contract or order. 

How Ordr helps

See

  • Ordr automatically discovers, classifies, and profiles all devices based on manufacturer, make, and model.
  • For this attack, Ordr identifies the devices known to be impacted, including those from manufacturers such as Axis, Netgear, DrayTek, D-Link, and Zyxel. These devices are automatically tagged and can be easily tracked in the system.

(Screenshot: Ordr system tags)

  • Ordr identifies and highlights the small office/home office devices named in the advisories that are present in the customer environment. A device report can be downloaded as CSV/XLSX from the Reports tab, and the devices can also be looked up directly from the tag section.

Note: Federal agencies recommend that internet-facing SOHO devices be kept up to date and follow the guidelines in the government advisories.

Know 

  • In real time, Ordr’s external IP/IOC tracking monitors every communication to prohibited IPs and URLs.
  • Ordr provides in-depth traffic analysis by category that highlights communication patterns between devices and external entities, making it easy to see devices communicating with prohibited countries, including China.

(Screenshot: classification)

  • Ordr uses a cloud-based threat intelligence platform whose list is continuously updated, and all matching communications are marked accordingly in the Ordr Security Threat Card.
  • Ordr has an IDS engine that can detect attacks originating from Volt Typhoon and generate alerts based on analysis of packets transiting the wire.
  • IDS rule: Ordr’s network data collectors perform deep packet inspection and check packets against signatures at the same time; this rule detects the presence of the Volt Typhoon User-Agent and generates a high-severity alarm.
  • Ordr also provides the capability to baseline all communications by profile, location, business function, or any customized entity using its AI/ML techniques, and can raise anomaly alerts on any deviation observed in this traffic.

(Screenshot: Flow Genome)

Secure  

  • Ordr enables segmentation of impacted devices, limiting access to only must-have communications based on Zero Trust policies.


Other helpful Links: 

  1. Living off the Land https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/ 
  2. CISA SOHO Device Manufacturer Alert https://www.cisa.gov/sites/default/files/2024-01/SbD-Alert-Security-Design-Improvements-for-SOHO-Device-Manufacturers.pdf
  3. Volt Typhoon Attack https://www.darkreading.com/cloud-security/volt-typhoon-soho-botnet-infects-us-govt-entities 
  4. Router Investigation https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/ 
  5. Detailed report by Security Scorecard https://www.securityweek.com/wp-content/uploads/2024/01/Volt-Typhoon.pdf 
  6. Joint Cybersecurity Advisory https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
  7. Microsoft Blog https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ 
  8. CISA Director Statement https://www.cisa.gov/news-events/news/opening-statement-cisa-director-jen-easterly 

 


In testimony before the House Select Committee on the Chinese Communist Party yesterday, FBI Director Christopher Wray delivered an ominous message:

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”

That statement strongly implies that the assets (including IT, OT, and cyber physical systems) on which American power grid, water treatment, healthcare, pipeline, transportation and logistics, telecommunications, and other critical infrastructure operations depend have already been compromised by state-sponsored or state-sanctioned threat actors.

A likely Chinese cyberattack will “wreak havoc and cause real-world harm to American citizens and communities.”

The risk, Wray emphasized, was not hypothetical, but real; not a matter of if, but when. And when the attack comes, he said it would be at a moment of China’s choosing.

Wake Up Call

Wray also expressed frustration that these threats to U.S. critical infrastructure have not gotten the attention they require, and he made it clear to the Committee that they and the nation need to do more.  “China’s multi-pronged assault on our national and economic security make it the defining threat of our generation,” he warned.

Offering some reassurance, Wray said that the U.S. was not incapable of defending against the Chinese cyberthreat, but that the public and private organizations responsible for managing our economic and critical infrastructure “cannot afford to sleep on this danger.”

In other words, his testimony was a wake-up call.

How You Can Respond

Ordr’s customers can take immediate action to check for, respond to, and mitigate security gaps and indicators of compromise that might otherwise be exploited by threat actors. You have a powerful tool available and can use our See, Know, Secure framework to guide your cybersecurity strategy and execution. 

  1. See every asset and manage exposure: The good news is that our platform has already discovered, profiled, and is monitoring your entire cyber asset attack surface. That includes every asset–IT, OT, IoT, and cyber physical systems–operating on your network, along with their installed software and applications, and their communication flows. Using Ordr you can ensure that you’re identifying and mitigating risks such as devices with vulnerabilities, running outdated operating systems, or using weak/default/no passwords.
  2. Know your threats and anomalies: We view active threats in three ways. First, known threats will be detected by our integrated intrusion detection system and threat intelligence feeds. (Note: our IDS signatures today can detect the KV botnet malware referenced by Director Wray). Second, we detect risky communications, such as internal east-west traffic, and external traffic to unknown or hostile domains. Finally, we also alert on any activity by any device that strays outside of its expected baseline parameters. Security teams should use Ordr risk scores to prioritize remediation of the top threats in their networks. Risk scores can be customized based on asset and business attributes important to the organization.
  3. Secure and segment: You should review your network segmentation policies to make sure you can isolate mission-critical assets and make it harder for threat actors to reach them in the event of an attack. Zero Trust segmentation, where you limit vulnerable devices (such as those with outdated operating systems) to their baseline communications, can enable appropriate access while limiting risky exposure. You can also automate responses when a threat is present, double-check the asset context to determine the best possible enforcement point (firewalls, NACs, or switches), and make sure responses and policies are appropriate to the threat.
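As an added example (not Ordr’s code) of the See, Know, Secure checks described in the How Ordr helps section and in the three steps above: tag inventory against the advisory’s product lines, flag flows that hit an IOC, go to a prohibited country, or fall outside a device’s learned baseline, and emit a baseline-only allowlist for tagged devices. The inventory, flow records, IOC IP and geo mapping are constructed placeholders, not real data.

```python
from collections import defaultdict
# Advisory product lines (Cisco RV320, DrayTek Vigor, Netgear ProSafe, Axis); "" = any model.
IMPACTED = {"cisco": ["rv320"], "draytek": ["vigor"],
            "netgear": ["prosafe"], "axis": [""]}
# Constructed placeholder indicator set and geo lookup, not real IoCs.
IOC_IPS = {"203.0.113.7"}
PROHIBITED_COUNTRIES = {"CN"}
GEO = {"203.0.113.7": "CN", "198.51.100.9": "CN", "192.0.2.10": "US"}
# Constructed inventory and (source device, destination IP) flow records.
INVENTORY = [{"id": "cam-01", "manufacturer": "Axis", "model": "P3245"},
             {"id": "rtr-01", "manufacturer": "Dray Tek", "model": "Vigor 2960"},
             {"id": "srv-01", "manufacturer": "Dell", "model": "PowerEdge R740"}]
BASELINE_FLOWS = [("cam-01", "192.0.2.10"), ("rtr-01", "192.0.2.10"),
                  ("srv-01", "192.0.2.10")]
NEW_FLOWS = [("cam-01", "192.0.2.10"), ("rtr-01", "198.51.100.9"),
             ("srv-01", "203.0.113.7")]

def tag_impacted(inventory):
    """See: tag devices whose vendor and model match an advisory product line."""
    tagged = set()
    for dev in inventory:
        vendor = dev["manufacturer"].lower().replace(" ", "")
        if any(p in dev["model"].lower() for p in IMPACTED.get(vendor, [])):
            tagged.add(dev["id"])
    return tagged

def build_baseline(flows):
    """Know: learn each device's normal destinations from a clean window."""
    base = defaultdict(set)
    for src, dst in flows:
        base[src].add(dst)
    return base

def find_alerts(flows, baseline, tagged):
    """Know: flag IOC hits, prohibited-country destinations, baseline deviations."""
    alerts = []
    for src, dst in flows:
        reasons = []
        if dst in IOC_IPS:
            reasons.append("ioc-match")
        if GEO.get(dst) in PROHIBITED_COUNTRIES:
            reasons.append("prohibited-country")
        if dst not in baseline.get(src, set()):
            reasons.append("baseline-deviation")
        if reasons:  # tagged devices and IOC hits are escalated to high severity
            sev = "high" if src in tagged or "ioc-match" in reasons else "medium"
            alerts.append((src, dst, sev, tuple(reasons)))
    return alerts

def allowlist_policy(tagged, baseline):
    """Secure: restrict each tagged device to its baseline destinations only."""
    return {dev: sorted(baseline.get(dev, set())) for dev in sorted(tagged)}
```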

Keep in mind that, while the FBI director named several examples of critical infrastructure under threat, the list was not exhaustive. Healthcare, financial services, manufacturing, and other industries can all be defined as critical infrastructure. And any organization that is part of the digital supply chain to those targets is also at risk.

How Ordr is Responding

It is important to know that we are not sitting still. Our policy is one of continuous improvement, and we are monitoring this and other threats to ensure our customers are prepared, developing and updating features that help our customers simplify risk prioritization and rapidly respond to and contain threats. Our threat intelligence integrations, in concert with the Ordr Data Lake, ensure the most precise real-time analysis possible is at work on your behalf.

For example, the rogue devices, malicious communications, and malware our customers have detected and remediated mean their environments are already better protected against potential cyberattacks. One customer–a critical infrastructure operator–was able to reduce dwell time from the industry average of 16 days to just a few minutes. 

We also continue to monitor our systems and processes, ensuring they comply with SOC2 standards. As outlined in a previous blog, Ordr’s achievement of SOC 2 compliance in Organizational Governance and Structure underscores our enduring commitment to security. 

We are all in this together

The FBI’s warning should not come as a surprise to cybersecurity professionals who have been paying attention. Threat actors have been actively targeting economic and infrastructure targets for years. And whether or not the scenario Director Wray described in his testimony comes to pass, we can expect attacks from other hostile players to persist. Cybercriminals have shown a propensity for carrying out their business with callous unconcern for the consequences of their actions.

As such, we should use this moment to remind those around us that security is everybody’s job. Be wary of every email, every online interaction, every unexpected behavior in your network. Our commitment to you is that we will continue to work diligently to ensure the Ordr platform is always vigilant, ready, and able to keep your enterprise as secure as it can be. Do not hesitate to reach out to us if you have any questions about this or other cyberthreats to your organization.