CISA Advisory

The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon.

People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

Adversarial Tactics, Recommended Mitigations, and QSEC Mesh Networks for Defense Against State-Sponsored Cyber Attacks

  • Adversarial Tactics
    • The actor exploits vulnerabilities in widely used software, including ManageEngine ADSelfService Plus and the FatPipe WARP, IPVPN, and MPVPN products.
    • The actor uses webshells for persistence and exfiltration, some of them derived from the Awen webshell.
    • The actor routes its activity through compromised small office/home office (SOHO) devices (e.g., routers) to obfuscate the true source of the activity.
    • The actor uses built-in network administration tools for discovery, lateral movement, and collection. These tools include certutil, dnscmd, ldifde, makecab, net user/group/use, netsh, nltest, ntdsutil, PowerShell, reg query/save, systeminfo, tasklist, wevtutil, wmic, and xcopy. Because the same binaries are used for legitimate administration, detection has to rest on command-line arguments, parent process, and account context rather than on the tool name alone.
    • The actor selectively clears Windows Event Logs, system logs, and other technical artifacts to remove evidence of its intrusion activity.
    • The actor uses open-source "hacktools" such as Fast Reverse Proxy (frp), Impacket, and Mimikatz.exe, as well as remote administration tools.
  • Recommended Mitigations
    • Enable logging on edge devices, including system logs, to identify potential exploitation and lateral movement.
    • Enable host- and network-level logging, such as Sysmon, web server, middleware, and network device logs.
    • Be aware of the common types of compromised SOHO devices and the common CVEs for these devices. The most frequently seen device families include ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices.
    • Be aware of the common vulnerabilities exploited by the actor and the mitigation guidance provided in the joint Cybersecurity Advisory “Top CVEs Actively Exploited by People’s Republic of China State-Sponsored Cyber Actors.”
  • QSEC Mesh Networks for Defense Against State-Sponsored Cyber Attacks
    • End-to-End Encryption: QSEC encrypts traffic end to end using public-key cryptography, so an attacker who can observe or intercept the network path (for example, from a compromised SOHO router) sees only ciphertext.
    • Peer-to-Peer Connections: In a mesh network, devices connect directly to each other, reducing the dependence on central servers that can be targeted by attackers.
    • Reduced Attack Surface: QSEC is designed with a minimalistic approach, resulting in less code and therefore a smaller attack surface, which leaves attackers fewer places to find vulnerabilities to exploit.
    • Improved Anonymity: QSEC routes network traffic through multiple peers, making it difficult for an observer to link the data's origin and destination.
    • Resistance to IP Address Leaks: QSEC uses public keys rather than IP addresses for routing decisions, which avoids the IP address leaks that have been a weakness in some other VPN protocols.
    • Automatic Key Rotation: QSEC rotates encryption keys automatically, so a compromised key exposes only the traffic protected under that key rather than the whole session history.
    • Scope of Protection: These properties protect data in transit and the network path. They do not stop the living-off-the-land tradecraft described above, which runs on hosts the actor has already compromised, so the logging and patching mitigations remain necessary alongside an encrypted overlay.
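As an added example (not part of the CISA advisory or the QSEC material), the following Python applies the Adversarial Tactics list above to the kind of process-creation telemetry the Recommended Mitigations ask defenders to collect (Sysmon Event ID 1 or Windows Security Event ID 4688). The tool names come from the advisory; the event field names, the web-worker and shell process lists, the command-line regexes, and the sample records are assumptions made for illustration.

```python
# Added example (not advisory code): detections for the living-off-the-land
# tradecraft listed above, run over constructed process-creation records.
# Field names, regexes, process lists and sample data are assumptions.
import re
from dataclasses import dataclass

# Built-in tools named in the advisory; bare use is routine admin work,
# so a plain match is only a low-severity signal for baselining.
LOLBINS = {"certutil", "dnscmd", "ldifde", "makecab", "net", "netsh", "nltest",
           "ntdsutil", "powershell", "reg", "systeminfo", "tasklist", "wevtutil",
           "wmic", "xcopy"}
# Assumed web-server workers; a shell spawned directly from one is the
# classic webshell indicator.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Higher-fidelity command-line patterns (assumed): (rule, severity, regex).
HIGH_FIDELITY = [
    ("ntdsutil-ifm-dump", "high",             # NTDS.dit via install-from-media
     re.compile(r"ntdsutil.*\bifm\b.*create\s+full", re.I)),
    ("reg-save-credential-hive", "high",      # SAM/SECURITY/SYSTEM hive export
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)),
    ("wevtutil-clear-log", "high",            # selective event log clearing
     re.compile(r"\bwevtutil(?:\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("netsh-portproxy", "medium",             # built-in port forwarding
     re.compile(r"\bnetsh(?:\.exe)?\s+interface\s+portproxy\s+add\b", re.I)),
    ("certutil-download-or-decode", "medium", # certutil as downloader/decoder
     re.compile(r"\bcertutil(?:\.exe)?\s.*-(urlcache|decode)\b", re.I)),
]

@dataclass
class ProcEvent:          # the subset of Sysmon EID 1 / Security 4688 fields used here
    host: str
    parent_image: str
    image: str
    command_line: str

@dataclass
class Finding:
    rule: str
    severity: str
    host: str
    event_index: int

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _lolbins_in(command_line: str) -> set:
    """LOLBINS names appearing as any token, so `cmd.exe /c ntdsutil ...`
    is attributed to ntdsutil rather than to cmd."""
    tokens = re.findall(r"[^\s\"']+", command_line)
    return {n for n in (_basename(t).removesuffix(".exe") for t in tokens) if n in LOLBINS}

def detect(events: list) -> list:
    findings = []
    for i, ev in enumerate(events):
        if _basename(ev.parent_image) in WEB_WORKERS and _basename(ev.image) in SHELLS:
            findings.append(Finding("webshell-spawned-shell", "high", ev.host, i))
        for rule, severity, pattern in HIGH_FIDELITY:
            if pattern.search(ev.command_line):
                findings.append(Finding(rule, severity, ev.host, i))
        for name in sorted(_lolbins_in(ev.command_line)):
            findings.append(Finding(f"lolbin:{name}", "low", ev.host, i))
    return findings

def hosts_by_max_severity(findings: list) -> dict:
    """Highest severity per host, for triage ordering."""
    rank = {"low": 0, "medium": 1, "high": 2}
    worst = {}
    for f in findings:
        if f.host not in worst or rank[f.severity] > rank[worst[f.host]]:
            worst[f.host] = f.severity
    return worst

# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcEvent("DC01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'),
    ProcEvent("DC01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\makecab.exe",
              r"makecab C:\Windows\Temp\pro\Active Directory\ntds.dit C:\Windows\Temp\pro.cab"),
    ProcEvent("WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c whoami"),
    ProcEvent("WEB01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe",
              r"wevtutil cl Security"),
    ProcEvent("FS02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe",
              r"netsh interface portproxy add v4tov4 listenport=9999 "
              r"listenaddress=0.0.0.0 connectport=8443 connectaddress=10.0.5.7"),
]

if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.severity:6} {f.host:5} event#{f.event_index} {f.rule}")
    print(hosts_by_max_severity(results))
```

The split into low-severity tool matches and higher-severity argument or parent-process patterns is the point: the bare tool names in the advisory are also what administrators run every day, so the low-severity hits are for baselining, while the NTDS dump, hive export, log clearing, port proxy and web-worker-to-shell rules are the ones that should page someone.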

The next big cyberthreat isn't ransomware. It's killware. And it's just as bad as it sounds.

Even as most Americans are still learning about the hacking-for-cash crime of ransomware, the nation’s top homeland security official is worried about an even more dire digital danger: killware, or cyberattacks that can literally end lives.

OT Security

Cyber-Physical Systems are all around us today. Operational Technology (OT), a subset of Cyber-Physical Systems, has been used for decades in asset-intensive industries such as Oil & Gas and Manufacturing. It also plays a key role in Critical National Infrastructure such as energy, water, transport, and dams. The rise of consumer-based Cyber-Physical Systems such as smart thermostats and autonomous vehicles has made Cyber-Physical Systems ubiquitous.