
Volt Typhoon has been active since at least 2021 and primarily targets U.S. government and defense organizations for intelligence-gathering purposes. The group exploits vulnerable internet-facing servers to gain initial access and leverages living-off-the-land binaries (LOLBins) to evade detection.
In February 2024, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) released a joint security advisory describing the malicious campaign and the recommended mitigations.
Based on the tactics, techniques, and procedures (TTPs) of Volt Typhoon, the threat actor gains initial access by exploiting known vulnerabilities in public-facing network assets such as Fortinet, Ivanti Connect Secure, Citrix, and Cisco devices. One vulnerability observed being exploited for initial access was CVE-2022-42475.
Through the CERT-PH Web Information Gathering System, we still observe assets in the Philippines that are likely vulnerable to CVE-2022-42475. Note that the data in the image below are grouped by the autonomous system number (ASN) of the observed assets and filtered to the third quarter of the year.
Figure: CVE-2022-42475
Another notable vulnerability in Fortinet products, tracked as CVE-2023-27997, has also been observed exploited in the wild. Although Fortinet clarified that exploitation of this vulnerability is not linked to the Volt Typhoon campaign, threat actors are expected to keep exploiting unpatched vulnerabilities in widely used software and devices.
Figure: CVE-2023-27997
In August 2024, security researchers from Lumen Technologies discovered active exploitation of a zero-day vulnerability in Versa Director that has been attributed to Volt Typhoon. Tracked as CVE-2024-39717, this vulnerability can allow potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges. Versa Director servers are commonly used by internet service providers (ISPs) and managed service providers (MSPs).
________________________________________________________
A. Tactics, Techniques, and Procedures (TTPs)
The TTPs used by Volt Typhoon, mapped to MITRE ATT&CK, are available at the following links:
- https://attack.mitre.org/groups/G1017/
- https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fgroups%2FG1017%2FG1017-enterprise-layer.json
________________________________________________________
B. Indicators of Compromise
Type | Indicator |
IP Address | 104.161.54.203 |
IP Address | 109.166.39.139 |
IP Address | 23.227.198.247 |
SHA-256 | 3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f |
SHA-256 | 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71 |
SHA-256 | 41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597 |
SHA-256 | 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d |
SHA-256 | 66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7 |
SHA-256 | c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99 |
SHA-256 | d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca |
SHA-256 | ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484 |
SHA-256 | ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31 |
SHA-256 | f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd |
SHA-256 | fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15 |
SHA-256 | 99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1 |
SHA-256 | edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70 |
SHA-256 | 389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61 |
SHA-256 | 450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267 |
SHA-256 | 4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349 |
SHA-256 | 6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff |
SHA-256 | 7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5 |
SHA-256 | 8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2 |
SHA-256 | 9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a |
SHA-256 | b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74 |
SHA-256 | baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c |
SHA-256 | c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b |
SHA-256 | cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984 |
SHA-256 | d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295 |
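The indicators above are only useful once they are checked against your own telemetry. The following Python script is an added example (not CERT-PH tooling) that parses the "Type | Indicator |" rows from section B, validates each value, and then scans log lines for the listed IP addresses and SHA-256 hashes. The `IOC_TABLE` string holds a subset of the indicators above for brevity, and the `SAMPLE_LINES` records are constructed for illustration, not real telemetry.

```python
import ipaddress
import re

# Subset of the indicators in section B of this advisory; paste the full
# table into this string to check against every listed IoC.
IOC_TABLE = """
IP Address | 104.161.54.203 |
IP Address | 109.166.39.139 |
IP Address | 23.227.198.247 |
SHA-256 | 3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f |
SHA-256 | 99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1 |
SHA-256 | d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295 |
"""

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ioc_table(text):
    """Parse 'Type | value |' rows into {'ip': set, 'sha256': set}.
    Rows with a malformed value are skipped rather than silently kept."""
    iocs = {"ip": set(), "sha256": set()}
    for raw in text.splitlines():
        cells = [c.strip() for c in raw.split("|") if c.strip()]
        if len(cells) < 2:
            continue
        kind, value = cells[0].lower(), cells[1].lower()
        if kind == "ip address":
            try:
                iocs["ip"].add(str(ipaddress.ip_address(value)))
            except ValueError:
                continue
        elif kind == "sha-256" and SHA256_RE.fullmatch(value):
            iocs["sha256"].add(value)
    return iocs


def scan_lines(lines, iocs):
    """Return (line_number, ioc_type, indicator) for every IoC hit.
    Hashes are compared case-insensitively; candidate IPs must parse as a
    real address, so a dotted build string like 7.4.300.1 is ignored."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for h in SHA256_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.append((n, "sha256", h.lower()))
        for ip in IPV4_RE.findall(line):
            try:
                ip = str(ipaddress.ip_address(ip))
            except ValueError:
                continue
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
    return hits


# Constructed sample records (not real telemetry): a firewall log entry
# to a listed IP, a benign connection, an EDR file event whose hash is
# listed, and a device status line with a version-like dotted string.
SAMPLE_LINES = [
    "2024-09-03T02:14:07Z fw01 action=allow src=10.20.5.17 dst=104.161.54.203 dport=443",
    "2024-09-03T02:14:09Z fw01 action=allow src=10.20.5.17 dst=142.250.72.14 dport=443",
    "2024-09-03T02:15:41Z edr host=WS-0422 event=file_create sha256=99B80C5AC352081A64129772ED5E1543D94CAD708BA2ADC46DC4AB7A0BD563F1",
    "2024-09-03T02:16:00Z fgt01 firmware=7.4.300.1 status=ok",
]

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LINES, parse_ioc_table(IOC_TABLE))
    for n, kind, value in found:
        print(f"line {n}: {kind} match {value}")
```

Run as-is to see the two hits from the constructed sample; in practice, feed `scan_lines` the lines of your firewall, proxy, or EDR exports. Matches against network indicators should be treated as leads to investigate rather than confirmation, since infrastructure can be shared or rotated after an advisory is published.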
________________________________________________________
C. References
- https://attack.mitre.org/groups/G1017/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign
- https://lolbas-project.github.io/