CyberWire Daily - CISA Alert AA23-144A – People's Republic of China state-sponsored cyber actor living off the land to evade detection. [CISA Cybersecurity Alerts]
Episode Date: May 25, 2023

Cybersecurity authorities are issuing this joint Cybersecurity Advisory to highlight a recent cluster of activity associated with a People's Republic of China state-sponsored cyber actor, also known as Volt Typhoon.

AA23-144A Alert, Technical Details, and Mitigations
Active Directory and domain controller hardening: Best Practices for Securing Active Directory | Microsoft Learn
CISA regional cyber threats: China Cyber Threat Overview and Advisories
Microsoft Threat Intelligence blog: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center's DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.
Transcript
You're listening to the Cyber Wire Network, powered by N2K. Original release date, May 24, 2023.
Cybersecurity authorities are issuing this joint cybersecurity advisory to highlight a recent cluster of activity associated with a People's Republic of China state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.

One of the actor's primary TTPs is Living Off the Land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations.

The advisory provides examples of the tools used by the actor and associated commands, along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indicators of compromise.
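The following Python is an added, illustrative example and is not code from the advisory, CISA, or this episode. It shows the defender-side reasoning the alert describes: built-in administration tools cannot simply be alerted on, so a triage step compares each process-creation record against a per-host, per-user baseline and marks unfamiliar use of a watchlisted tool as "review" rather than "malicious". The record format (`host|user|image|cmdline`), the watchlist of built-in binaries, and every log line are constructed assumptions for the demonstration.

```python
"""Triage process-creation records for living-off-the-land activity.

Added example; not from the CISA advisory or the podcast. The log format,
the watchlist and the sample records below are all constructed.
"""
from collections import defaultdict
import ntpath

# Assumed watchlist of built-in Windows administration binaries. Which
# binaries belong here is an analyst decision and must be tuned per site.
BUILTIN_ADMIN_TOOLS = frozenset({
    "cmd.exe", "powershell.exe", "wmic.exe", "netsh.exe",
    "ntdsutil.exe", "net.exe", "reg.exe",
})

# Note on the "default logging" point in the alert: Windows process-creation
# auditing (event 4688) and command-line capture in those events are both
# off by default and must be enabled before records like these exist.


def parse_event(line):
    """Parse one constructed record of the form host|user|image|cmdline."""
    host, user, image, cmdline = line.rstrip("\n").split("|", 3)
    return {
        "host": host,
        "user": user,
        "tool": ntpath.basename(image).lower(),  # normalise to the binary name
        "cmdline": cmdline,
    }


def build_baseline(lines):
    """Map (host, user) -> set of tools seen during a known-good window."""
    baseline = defaultdict(set)
    for ev in map(parse_event, lines):
        baseline[(ev["host"], ev["user"])].add(ev["tool"])
    return baseline


def triage(lines, baseline):
    """Return watchlisted-tool events, each tagged 'expected' or 'review'.

    'review' means the tool is new for this host/user pair and needs an
    analyst to look further; it is deliberately not a verdict of 'malicious'.
    """
    findings = []
    for ev in map(parse_event, lines):
        if ev["tool"] not in BUILTIN_ADMIN_TOOLS:
            continue  # non-watchlisted binary: out of scope for this check
        seen = baseline.get((ev["host"], ev["user"]), set())
        status = "expected" if ev["tool"] in seen else "review"
        findings.append({**ev, "status": status})
    return findings


# Constructed baseline window: what these accounts normally run.
BASELINE_LOG = [
    "WKS01|CORP\\alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
    "SRV01|CORP\\svc_backup|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File backup.ps1",
]

# Constructed records to triage.
NEW_LOG = [
    "WKS01|CORP\\alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
    "WKS01|CORP\\alice|C:\\Windows\\System32\\netsh.exe|netsh.exe interface show interface",
    "WKS01|CORP\\alice|C:\\Program Files\\App\\app.exe|app.exe",
    "SRV01|CORP\\svc_backup|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File backup.ps1",
]

if __name__ == "__main__":
    for f in triage(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{f['status']:8} {f['host']} {f['user']} {f['tool']}: {f['cmdline']}")
```

Run as a script it prints one line per watchlisted event; the `netsh.exe` record is the only one tagged `review`, because that host/user pair had never run it in the baseline window, while the `cmd.exe` and `powershell.exe` records match established behaviour and the non-watchlisted application is skipped. The baseline is what keeps the false-positive rate manageable: the same built-in tool is "expected" for one account and "review" for another.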
The authors encourage organizations to implement the recommendations in the Mitigation section of this alert to reduce the likelihood and impact of similar incidents. The alert documentation linked in the show notes includes additional technical details, IOCs, mitigations, and response recommendations.

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at report@cisa.gov, call 888-282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by N2K Networks as a public service. Please visit www.cisa.gov to read the full report, which may include additional details. This has been a CISA Cybersecurity Alert.