Microsoft Volt Typhoon story: “Living off the Land”
The story starts: “The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering.”
Chinese actors also broke in and stole State Department employee email, as reported in this Politico story about the hack:
“Among the most sensitive information stolen, the staffer said, were victims’ travel itineraries and diplomatic deliberations. Fletcher also said that 10 Social Security numbers were viewed — or could have been viewed — via the hack.
Beyond State’s walls: The State Department officials said hackers broke into the 10 accounts using a token stolen from a Microsoft engineer and that, in total, 25 entities were impacted by the breach. Both of those figures are consistent with what Microsoft has reported publicly.”
The Hill story about Chinese state-sponsored attacks:
“Instead of infiltrating systems behind the corporate firewall, they are compromising devices on the edge of the network — sometimes firewalls themselves — and targeting software built by companies such as VMware Inc. or Citrix Systems Inc,” the Journal said.
The researchers told the news outlet that the new hacking techniques “represent a new level of ingenuity and sophistication from China.”
What about this recent hack: the Change Healthcare cyberattack, as written up at AHA.org:
“Today’s Health-ISAC bulletin cites information published by cyber intelligence firm RedSense, saying that Change Healthcare, along with other organizations, fell victim to exploitation of the recently announced ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709). As the incident is still under investigation, it is not possible to confirm the attack details.
Regardless of what happened at Change Healthcare, RedSense anticipates more organizations will be compromised as the ScreenConnect exploit is apparently fairly trivial to execute. If your organization has ConnectWise ScreenConnect in your environment, please review the following indicators and recommendations contained below in red (italicized in this post) from the Health-ISAC bulletin:
“Atomic IOCs, traffic to/from these could indicate compromise-
- 155.133.5[.]15
- 155.133.5[.]14
- 118.69.65[.]60
- 118.69.65[.]61
- 207.148.120[.]105
- 192.210.232[.]93
- 159.203.191[.]1
Additional IOCs, these could indicate compromise as well
- presence of User.xml in the Windows ScreenConnect path (this file generally equates to an owned server, recommend to isolate endpoint, inspect this file and look for RCE)
- Examine this file on the server hosting connectwise/screen connect: C:\Program Files (x86)\ScreenConnect\App_Data\User.xml
Evaluate the “<name>” field along with the “<CreationDate>” field. If a user was recently created, review their <roles> field. If the role is ‘admin’ related, you probably have been compromised.
- The attack chain bypasses 2-factor authentication via brute force before executing local commands. The threat actors initially create an account called ‘cloudadmin’. The ‘cloudadmin’ account then creates a ‘test@2021’ user. The ‘test@2021’ user pings google.com. Next, the threat actors attempt to establish a connection over HTTPS to transfer[.]sh, a web-based file-sharing service, most likely using the command line.”
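The bulletin tells you what to look for but leaves the checking to you. Below is an added triage script (my example, not part of the Health-ISAC bulletin or the original post) that does two of the checks: it refangs the published IP indicators and scans log lines for them, and it parses a User.xml looking for recently created accounts with an admin-like role or with the account names named in the attack chain. The User.xml layout used here is an assumption built only from the field names the bulletin mentions (<name>, <CreationDate>, <roles>), and the log lines and XML are constructed sample data; check the element names against a real file before pointing it at a production server.

```python
"""Triage helpers for the ScreenConnect indicators quoted above.

Added example, not the bulletin's or the post's code. The User.xml layout
is ASSUMED from the field names in the bulletin; adjust before real use.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Atomic IOCs exactly as published, defanged with [.] so they are not clickable.
DEFANGED_IOCS = [
    "155.133.5[.]15", "155.133.5[.]14", "118.69.65[.]60", "118.69.65[.]61",
    "207.148.120[.]105", "192.210.232[.]93", "159.203.191[.]1",
]

# Account names from the attack chain described in the bulletin.
KNOWN_BAD_NAMES = {"cloudadmin", "test@2021"}
ADMIN_ROLE_RE = re.compile(r"admin", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a literal IPv4 string and validate it."""
    return str(ipaddress.ip_address(ioc.replace("[.]", ".")))


def find_ioc_hits(log_lines, iocs=DEFANGED_IOCS):
    """Return (line_number, ip) for every log line that mentions an IOC address."""
    wanted = {refang(i) for i in iocs}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in wanted:
                hits.append((n, ip))
    return hits


def suspicious_users(user_xml: str, now: datetime, max_age_days: int = 14):
    """Flag users created within max_age_days that hold an admin-like role,
    plus any user whose name matches the published attack-chain accounts."""
    flagged = []
    for user in ET.fromstring(user_xml).iter("User"):  # ASSUMED element name
        name = user.findtext("name", default="")
        created_text = user.findtext("CreationDate")
        created = datetime.fromisoformat(created_text) if created_text else None
        roles_el = user.find("roles")
        roles = [r.text or "" for r in roles_el] if roles_el is not None else []
        recent = created is not None and now - created <= timedelta(days=max_age_days)
        recent_admin = recent and any(ADMIN_ROLE_RE.search(r) for r in roles)
        if recent_admin or name.lower() in KNOWN_BAD_NAMES:
            flagged.append({"name": name, "created": created_text, "roles": roles})
    return flagged


# Constructed sample data (not real logs or a real User.xml).
SAMPLE_LOG = [
    "2024-02-21T03:16:02Z fw allow src=10.0.4.22 dst=155.133.5.15 dport=443",
    "2024-02-21T03:16:05Z fw allow src=10.0.4.22 dst=8.8.8.8 proto=icmp",
    "2024-02-21T03:17:40Z fw allow src=10.0.4.22 dst=159.203.191.1 dport=443",
]
SAMPLE_USER_XML = """<Users>
  <User><name>itadmin</name><CreationDate>2022-03-01T09:00:00+00:00</CreationDate>
        <roles><role>Administrator</role></roles></User>
  <User><name>helpdesk</name><CreationDate>2024-02-20T10:00:00+00:00</CreationDate>
        <roles><role>Host</role></roles></User>
  <User><name>cloudadmin</name><CreationDate>2024-02-21T03:12:00+00:00</CreationDate>
        <roles><role>Administrator</role></roles></User>
  <User><name>test@2021</name><CreationDate>2024-02-21T03:15:00+00:00</CreationDate>
        <roles><role>Host</role></roles></User>
</Users>"""
NOW = datetime(2024, 2, 26, tzinfo=timezone.utc)  # fixed "now" for the sample

if __name__ == "__main__":
    for n, ip in find_ioc_hits(SAMPLE_LOG):
        print(f"IOC hit on log line {n}: {ip}")
    for u in suspicious_users(SAMPLE_USER_XML, NOW):
        print(f"Suspicious account: {u['name']} created {u['created']} roles={u['roles']}")
```

On a real host, read `C:\Program Files (x86)\ScreenConnect\App_Data\User.xml` into `suspicious_users` and feed your firewall or proxy export into `find_ioc_hits`; a hit on either is reason to isolate the server first and investigate second, as the bulletin advises.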
And finally, the newest story (2/29/24):
The Hacker News story: Chinese Hackers Exploiting Ivanti VPN to Install New Malware
This is the most interesting point in the story:
“At least two different suspected China-linked cyber espionage clusters, tracked as UNC5325 and UNC3886, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances.
‘UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the U.S. and [Asia-Pacific] regions,’ Mandiant researchers said.”
As usual, the targets are defense industrial base and technology companies. But anyone is a possible target, whether or not they have anything of value. It is high time we spent more intelligent resources defending our infrastructure, as I suggest in my book.
It is interesting to point out that “living off the land” is most likely what is happening here: the attacker uses the tools already present on the compromised machine rather than dropping obvious malware, which makes the intrusion hard to spot. That fits with attacking the weak link first and then looking through that victim’s address book and connections to see who they know. Have you heard that six degrees of separation can connect you with anyone in the world? Your machine may hold nothing of value to the hackers, but you may know someone who knows someone who is important. And a compromised computer in the USA is a convenient foothold, because it can reach other USA computers that a foreign address cannot. My Wordfence plugin denies direct connections from China to my site, but if the hacker first compromises a computer in the USA, they can reach my site from there anyway; geo-blocking raises the attacker’s cost, it does not stop them.
Thus it is high time we spent a little time hardening our computers, even if we think there is nothing of value on them.
I suggest in my book again:
From a previous post last year…