The primary tactics, techniques, and procedures (TTPs) of the People’s Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon has recently caught the attention of the United States and its international cybersecurity partners. The TTPs in question – Living off the Land (LOTL) – allows bad actors to “evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations,” according a recent joint Cybersecurity Advisory (CSA) from the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI, as well as their cybersecurity counterparts in Australia, New Zealand, and the United Kingdom. To aid network defenders in their hunt for this activity, the joint advisory provides examples of the actor’s commands along with detection signatures.
Increasingly, cyber actors are employing LOTL attack, which blend (and obscure) their nefarious activities with legitimate tools and infrastructure already found (and regularly used) in your environment to mask their presence while greatly minimizing their chances of detection and attribution. Typically, the introduction of a third-part application generates an alert to the host from an endpoint detection and response (EXR) product. Unfortunately, LOTL enables the actor to skirt detection more easily and effectively.
Actors who employ LOTL typically leverage "fileless" malware and memory-based attacks that adds to the difficulty of detection by leaving minimal trace of their movements because these fileless attacks do not require a bad actor to install code or scripts within the system they are targeting. By blending in with legitimate activities and evading traditional signature-based defenses, PRC actors employing LOTL ensure their operations remain covert for extended periods. In some LOTL cases, adversaries have been able to move around an organization stealthily for months and even users undetected.
To launch a fileless malware attack, hackers can modify their targets native tools (e.g., exploit kits, fileless ransomware, memory-only malware, and stolen credentials) to gain access to your environments. LOTL involves exploiting trusted software, built-in network administration tools (e.g., wmic, ntdsutil, netsh, and PowerShell), and other network resources to infiltrate target systems, gather intelligence, and maintain long-term access.
According to the joint CSA, private sector partners have reported that LOTL activity has negatively impacted networks across the critical infrastructure landscape in a range of disparate sectors. To that end, the federal and international authorities feel that Volt Typhoon “could apply the same techniques against these and other sectors worldwide,” including defense, transportation, and finance. Like other PRC-backed Advanced Persistent Threat (APT) groups, Volt Typhoon is likely motivated by a host of things, including intelligence gathering, economic espionage, political influence, and even disruption of critical infrastructures in rival nations.
To stay one step ahead of these well-funded, highly organized, state-funded attackers, companies, organizations, sectors, and ally nations must rely on some proven cybersecurity measures. The joint advisory is an excellent example of one such technique: robust threat intelligence, reporting, and information sharing. Cybersecurity is a team sport and the more accurate intelligence and actionable information that the “good guys” can share, the better (and safer) all of us will be.
At an organizational level, it’s critical to ensure you have strong and tested endpoint protection and advanced detection technologies in place to help your analysts identify, root out, and mitigate the easily masked LOTL TTPs.
There are four activities we highly recommend that your technology and security team prioritize in light of recent events. These activities will help protect and defend against this type of attack and future ones.
Additionally, if you aren’t already, it’s imperative to implement and leverage strategies that will make LOTL attacks more difficult, including:
Embrace a proactive and diligent approach to network security, implementing these recommended practices to enhance resilience against emerging threats.
Implementing these concise recommendations will contribute to the fortification of your network infrastructure and enhance your ability to mitigate security risks effectively. Finally, as with any other evolving cybersecurity threat, organizations must continue to regularly conduct cybersecurity assessments, train all employees in identifying suspicious cybersecurity activities, and maintain the latest, most up-to-date software and patches.
LOTL attacks, as we have mentioned, are very difficult to detect, mitigate against, and recover from given the inherently stealthy nature of these types of fileless techniques. Fortalice stands ready to help you and your organization protect against these insidious attacks. Our team is here to help you continue to create operational efficiencies for your employees without providing would-be attackers with additional vectors to launch successful LOTL attacks. To that end, our team can, among other things:
If you need additional assistance, the Fortalice team stands ready to assist you in assessing your current risk and road mapping your organization’s future cybersecurity posture.
You can reach the Fortalice team at watchmen@fortalicesolutions.com
US: 877.487.8160
watchmen@fortalicesolutions.com
EMEA: 0800.824.7030
emea@fortalicesolutions.co.uk
