Volt Typhoon ‘hits’ America
According to Microsoft, Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organisations in Guam and elsewhere in the United States. “In this campaign, the affected organisations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors,” said Microsoft in the blog. What is worrying is that, by Microsoft's assessment of the observed behaviour, the threat actor intends to carry out espionage and to maintain access without being detected for as long as possible, relying almost entirely on living-off-the-land techniques and hands-on-keyboard activity rather than custom malware.
One of the ways Volt Typhoon gains initial access is through internet-facing Fortinet FortiGuard devices. “The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials,” explained Microsoft in the blog.
Microsoft said it is still investigating how the group gets into the Fortinet devices in the first place. Once inside a target, Volt Typhoon routes its traffic through compromised small office/home office (SOHO) network edge devices such as routers, so that its activity blends in with ordinary traffic from residential and small-business IP space. Microsoft has confirmed that many of these devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet. “By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure,” said Microsoft.
Microsoft has also shared guidance for organisations that find they have been compromised. They should close, or change the credentials of, all compromised accounts; depending on the level of collection activity, many accounts may be affected. To work out which accounts those are, organisations should look for LSASS dumping and for the creation of domain controller installation media (the ntdsutil “install from media” option, which produces a copy of the NTDS.dit Active Directory database). The scope matters: a dump of LSASS memory exposes the credentials of every account with a logon session on that host, and a copy of NTDS.dit taken from a domain controller exposes the password hashes of every account in the domain, so a single such event can mean a domain-wide credential reset rather than a handful of changed passwords.
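The detection and scoping step above, as an added worked example that is not code from the Microsoft blog. It runs three command-line rules (ntdsutil IFM, comsvcs.dll MiniDump, procdump of lsass.exe) over process-creation events, then derives the set of accounts whose credentials should be treated as compromised, using a per-host logon-session inventory. The events, hosts, usernames and session table are all constructed for this example; the regular expressions encode the command-line forms the author of this example assumes those tools are invoked with, not an exhaustive signature set.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# None of these lines come from a real incident or from the Microsoft blog.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_fortigate",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'},
    {"host": "WS07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Windows\\Temp\\lsass.dmp full"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "FS02", "user": "CORP\\admin",
     "image": r"C:\Tools\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\out.dmp"},
    # Benign ntdsutil use (no IFM create): must not fire.
    {"host": "DC01", "user": "CORP\\backupsvc",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" info q q'},
]

# Constructed inventory of which accounts had logon sessions on each host
# (in practice built from 4624 logon events or a query against each host).
LOGON_SESSIONS = {
    "DC01": {"CORP\\svc_fortigate", "CORP\\Administrator"},
    "WS07": {"CORP\\jdoe", "CORP\\helpdesk_adm"},
    "FS02": {"CORP\\admin", "CORP\\backupsvc"},
}
DOMAIN_CONTROLLERS = {"DC01"}

# (rule name, command-line pattern). Assumed invocation forms, not a complete signature set.
RULES = [
    ("ntdsutil IFM (domain controller installation media, copies NTDS.dit)",
     re.compile(r"ntdsutil.*\bifm\b.*\bcreate\b", re.I)),
    ("LSASS dump via comsvcs.dll MiniDump (name or ordinal #24)",
     re.compile(r"comsvcs\.dll\s*,?\s*(#24|MiniDump)", re.I)),
    ("LSASS dump via procdump -ma",
     re.compile(r"procdump.*\s-ma\s.*lsass", re.I)),
]


def match_rules(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def triage(events):
    """Return one alert per event that matched at least one rule."""
    alerts = []
    for ev in events:
        hits = match_rules(ev)
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rules": hits, "cmdline": ev["cmdline"]})
    return alerts


def affected_accounts(events, sessions, dcs):
    """Scope the credential exposure implied by the alerts.

    - The account that ran the dump is compromised (the actor held it).
    - LSASS memory holds credentials for every account logged on to that host,
      so every session on the host is in scope.
    - An IFM copy of NTDS.dit on a domain controller exposes every domain
      account's hash, so the scope becomes domain-wide.
    """
    scope = {"domain_wide": False, "accounts": set()}
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        scope["accounts"].add(ev["user"])
        scope["accounts"] |= sessions.get(ev["host"], set())
        if ev["host"] in dcs and any("IFM" in h for h in hits):
            scope["domain_wide"] = True
    return scope


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['host']}] {a['user']}: {', '.join(a['rules'])}")
    s = affected_accounts(SAMPLE_EVENTS, LOGON_SESSIONS, DOMAIN_CONTROLLERS)
    print("domain-wide reset required:", s["domain_wide"])
    print("accounts to reset at minimum:", sorted(s["accounts"]))
```

The point of the second function is the one Microsoft's guidance hinges on: which accounts to reset is decided by where the dump happened, not by which account happened to run it. Command-line matching alone is also easy to evade (renamed binaries, encoded arguments), so in a real deployment pair these rules with process-access telemetry on lsass.exe (Sysmon Event ID 10) and with file-creation events for NTDS.dit copies.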