Volt Typhoon in the Wild
About Volt Typhoon
Volt Typhoon is a state-sponsored cyber actor associated with the People’s Republic of China. Traditionally, their activities have been limited to initial intrusion, information gathering, and data exfiltration. ThreatLocker has observed increased activity we believe is related to this threat actor.
We have observed them attempting to gather telemetry about the compromised network, including detailed information about which processes are currently running and which DLLs those processes have loaded. For additional information on what other organizations have observed, see this CISA Cybersecurity Advisory.
Indicators of Compromise (IoC) Timeline
1. Tasklist.exe is executed.
This is used to gather information about all processes running on the compromised machine. In addition, it is used to list all the DLLs loaded by each process. This information can be used to construct a future DLL hijacking attack. Microsoft documentation for this executable can be found here.
2. Mpcmdrun.exe is executed.
This is a dedicated command-line tool used to manage Windows Defender. It can be used to check whether a machine is vulnerable to CVE-2023-24934, a vulnerability that allows hackers to bypass Windows Defender. You can see a demonstration of this exploit on our Windows Defender Bypass blog.
3. Wmic.exe attempts to execute.
Wmic.exe attempts to execute but is blocked by ThreatLocker. This is the WMI command-line utility. It has been deprecated as of Windows 10, version 21H1. Any attempted execution of this command should be viewed as suspicious.
4. Next steps
If Wmic.exe is not blocked by a default-deny policy like the one ThreatLocker provides, the attack will continue with data exfiltration, including network scans and process information. This gives the attacker the reconnaissance needed to identify further opportunities for exploitation.
Recommendations for Everyone
- If you suspect a compromise, immediately reset credentials for any accounts with access to your Domain Controller.
- Turn on Windows command line process auditing. This will allow you to search the Windows event log for indicators of compromise.
- Follow any other remediation steps you can in the “Mitigations” section of this cybersecurity advisory.
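Once command line process auditing is on, the timeline above can be hunted for in process-creation events (Security Event ID 4688). The following is an added example, not ThreatLocker's code: it assumes the events have been exported as JSON lines with the field layout shown, runs on constructed sample records, and uses an assumed 30-minute correlation window.

```python
import json
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

WATCHED = ("tasklist.exe", "mpcmdrun.exe", "wmic.exe")  # order from the timeline
WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per environment

# Constructed sample: Event ID 4688 records exported as JSON lines (layout assumed).
SAMPLE = r"""
{"Computer":"WS01","TimeCreated":"2024-01-15T10:00:05","NewProcessName":"C:\\Windows\\System32\\tasklist.exe","CommandLine":"tasklist /m"}
{"Computer":"WS01","TimeCreated":"2024-01-15T10:01:00","NewProcessName":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad"}
{"Computer":"WS01","TimeCreated":"2024-01-15T10:02:10","NewProcessName":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","CommandLine":"MpCmdRun.exe"}
{"Computer":"WS01","TimeCreated":"2024-01-15T10:03:30","NewProcessName":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic"}
{"Computer":"WS02","TimeCreated":"2024-01-15T11:15:00","NewProcessName":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic"}
{"Computer":"WS03","TimeCreated":"2024-01-15T08:00:00","NewProcessName":"C:\\Windows\\System32\\tasklist.exe","CommandLine":"tasklist"}
{"Computer":"WS03","TimeCreated":"2024-01-15T08:01:00","NewProcessName":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","CommandLine":"MpCmdRun.exe"}
"""

def watched_events(jsonl):
    """Parse exported records; keep only the three binaries named in the timeline."""
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        image = basename(ev["NewProcessName"]).lower()
        if image in WATCHED:
            yield (ev["Computer"], datetime.fromisoformat(ev["TimeCreated"]),
                   image, ev.get("CommandLine", ""))

def detect(jsonl):
    """Return (host, finding, time, command line) tuples, ordered by host and time."""
    findings = []
    latest_tasklist = {}  # host -> time of the most recent tasklist.exe
    chain_start = {}      # host -> tasklist time once mpcmdrun.exe followed within WINDOW
    for host, ts, image, cmd in sorted(watched_events(jsonl)):
        if image == "tasklist.exe":
            latest_tasklist[host] = ts
        elif image == "mpcmdrun.exe":
            t1 = latest_tasklist.get(host)
            if t1 and ts - t1 <= WINDOW:
                chain_start[host] = t1
        else:  # wmic.exe is deprecated, so every execution is reported on its own
            findings.append((host, "wmic_execution", ts.isoformat(), cmd))
            t1 = chain_start.get(host)
            if t1 and ts - t1 <= WINDOW:
                findings.append((host, "full_sequence", t1.isoformat(), cmd))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

A `full_sequence` finding carries the time of the tasklist.exe run that started the chain, which is the point to begin reviewing the host's activity from.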
Recommendations for ThreatLocker Customers
- Make sure PowerShell is Ringfenced™ from the internet.
- Make sure ThreatLocker Network Control is turned on and has a Default Deny Policy.
- Search your Unified Audit for wmic.exe being denied. If you find this, contact ThreatLocker support for further investigation through network logs.