Zero-Day Storm: Versa Director Introduces Volt Typhoon's Exploitative Campaign

Tags: Zero-Day Storm, Volt Typhoon, Versa Director, Zero-Day Vulnerability
Volt Typhoon is exploiting a zero-day vulnerability in Versa Director, leaving compromised systems and breached security controls in its wake. The stakes are high: the campaign threatens disruption and exploitation at scale. This page covers the campaign and the vulnerability it capitalizes on, together with detection guidance for the techniques involved.

Indicators of Compromise

temp.data

APT Groups (1)

Volt Typhoon (China)

Summary of Actor: Volt Typhoon is a state-sponsored cyber espionage group believed to be affiliated with China. It is known for targeting critical infrastructure organizations in various countries, primarily focusing on obtaining intelligence. This group employs sophisticated techniques to remain undetected for long periods.

General Features: State-sponsored, focused on cyber espionage, highly sophisticated, employs stealthy and persistent attack methods.

Related Other Groups: APT41, APT10, RedEcho

Indicators of Attack (IoA):
- Unauthorized access to network devices
- Use of living-off-the-land techniques
- Unusual outbound network traffic
- Presence of command-and-control communications

Recent Activities and Trends:
- Latest Campaigns: Volt Typhoon has recently been linked to attacks targeting the energy and telecommunications sectors in the United States. These attacks are aimed at exfiltrating sensitive information related to critical infrastructure and national security.
- Emerging Trends: Recent observations indicate a shift towards using more advanced living-off-the-land techniques and exploits for zero-day vulnerabilities. There is also an increased focus on long-term persistence and undetected presence within target environments.

Aliases: Volt Typhoon, Dev-0391, Bronze Silhouette, Storm-0391, VOLTZITE, Insidious Taurus, Redfly, UNC3236, Vanguard Panda

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1199 - Trusted Relationship

| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content | Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network. Monitor logs for unexpected actions taken by any delegated administrator accounts. [17] |
| DS0028 | Logon Session | Logon Session Creation | Monitor for newly constructed logon behavior that may breach or otherwise leverage organizations that have access to intended victims. |
| DS0028 | Logon Session | Logon Session Metadata | Correlate login information with other security systems (e.g., a user has an active login session but has not entered the building or does not have VPN access). |
| DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns, and inspect packets, for protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure) coming from a trusted entity. Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocols). |



T1059 - Command and Scripting Interpreter

| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution | Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors, and can serve as indicators leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. |
| DS0011 | Module | Module Load | Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (e.g., JScript.dll or vbscript.dll). |
| DS0009 | Process | Process Creation | Monitor log files for process execution through command-line and scripting activity. This information can provide additional insight into adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages. |
| DS0009 | Process | Process Metadata | Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (also relevant to detecting a potential downgrade attack) as well as whether PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 the end time of a PowerShell session. [52] |
| DS0012 | Script | Script Execution | Any attempt to enable script execution on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
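As an added example (not part of the original page), the following Python parses constructed Windows PowerShell EID 400/403 records, pairs each engine start with its stop, and flags the two signals the Process Metadata row describes: an EngineVersion below the fleet baseline (assumed here to be 5) and a HostName of ServerRemoteHost, the value assumed here to mark a remoting session.

```python
import re

# Constructed sample records (timestamp, event ID, message body) in the shape of the
# "Windows PowerShell" log; the values are made up, not real telemetry.
SAMPLE_EVENTS = [
    ("2024-08-01T10:00:01", 400,
     "Engine state is changed from None to Available.\n\tDetails:\n"
     "\tEngineVersion=5.1.19041.1\n\tHostName=ConsoleHost\n\tHostApplication=powershell.exe"),
    ("2024-08-01T10:00:09", 403,
     "Engine state is changed from Available to Stopped.\n\tDetails:\n"
     "\tEngineVersion=5.1.19041.1\n\tHostName=ConsoleHost"),
    ("2024-08-01T10:05:00", 400,
     "Engine state is changed from None to Available.\n\tDetails:\n"
     "\tEngineVersion=2.0\n\tHostName=ServerRemoteHost\n\tHostApplication=wsmprovhost.exe"),
    ("2024-08-01T10:42:30", 403,
     "Engine state is changed from Available to Stopped.\n\tDetails:\n"
     "\tEngineVersion=2.0\n\tHostName=ServerRemoteHost"),
]

MIN_ENGINE_MAJOR = 5                    # assumption: fleet baseline is PowerShell 5.1
REMOTE_HOST_NAME = "ServerRemoteHost"   # assumption: HostName reported for remoting sessions

def parse_details(message):
    """Return the key=value pairs from the Details block of an EID 400/403 message."""
    return dict(re.findall(r"^\s*(\w+)=(.*?)\s*$", message, re.MULTILINE))

def analyze_sessions(events):
    """Pair each EID 400 (engine start) with the next EID 403 (engine stop) and
    flag sessions that ran a downgraded engine or arrived over remoting."""
    sessions, current = [], None
    for ts, eid, msg in sorted(events):
        d = parse_details(msg)
        if eid == 400:
            current = {"start": ts, "end": None, "engine": d.get("EngineVersion", ""),
                       "host": d.get("HostName", ""), "flags": []}
            major = int(re.match(r"\d*", current["engine"]).group() or 0)
            if major < MIN_ENGINE_MAJOR:
                current["flags"].append("engine-downgrade")
            if current["host"] == REMOTE_HOST_NAME:
                current["flags"].append("remote-session")
        elif eid == 403 and current is not None:
            current["end"] = ts         # EID 403 closes the session opened by EID 400
            sessions.append(current)
            current = None
    if current is not None:
        sessions.append(current)        # engine still running: no EID 403 seen yet
    return sessions
```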



T1505 - Server Software Component

| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content | Monitor third-party application logging, messaging, and other artifacts for abuse of legitimate extensible development features of servers to establish persistent access to systems. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Log authentication attempts to the server and any unusual traffic patterns to or from the server and the internal network. [5] |
| DS0022 | File | File Creation | Consider monitoring file locations associated with the installation of new application software components, such as the paths from which applications typically load such extensible components. |
| DS0022 | File | File Modification | Monitor for changes made to files that may abuse legitimate extensible development features of servers to establish persistent access to systems. |
| DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns, and inspect packets (using SSL/TLS inspection for encrypted traffic), for protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocols). [5] |
| DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication, or have never been seen before, are suspicious. |
| DS0009 | Process | Process Creation | Process monitoring may be used to detect server components that perform suspicious actions such as running cmd.exe or accessing files. |



T1055 - Process Injection

| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0022 | File | File Metadata | Monitor contextual data about a file, which may include information such as name, content (e.g., signature, headers, or data/media), user/owner, permissions, etc. |
| DS0022 | File | File Modification | Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. |
| DS0011 | Module | Module Load | Monitor DLL/PE file events, specifically the creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
| DS0009 | Process | OS API Execution | Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique. [86] Monitoring for Linux-specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods. [87] [88] [89] [90] |
| DS0009 | Process | Process Access | Monitor for processes being accessed that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. |
| DS0009 | Process | Process Metadata | Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module. [91] |
| DS0009 | Process | Process Modification | Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. |
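As an added example (not part of the original page), this Python sketch shows the "known bad sequences of calls" approach from the OS API Execution row: it keeps a short per-source/target history of cross-process API calls from a constructed trace and reports only when one of the call sequences named above completes against a single target process, so a lone VirtualAllocEx or WriteProcessMemory never alerts.

```python
from collections import defaultdict, deque

# Ordered API-call sequences the text names as characteristic of code injection.
# A sequence only counts when one source process makes all of its calls against
# the same target process, in this order, possibly interleaved with other calls.
INJECTION_SEQUENCES = {
    "remote-thread-injection": ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "apc-injection": ("VirtualAllocEx", "WriteProcessMemory", "QueueUserAPC"),
    "thread-hijack": ("SuspendThread", "SetThreadContext", "ResumeThread"),
}

# Constructed API trace as (source PID, target PID, API name); not real telemetry.
SAMPLE_TRACE = [
    (4000, 4000, "VirtualAlloc"),          # benign: allocation in the caller's own process
    (4100, 612, "OpenProcess"),
    (4100, 612, "VirtualAllocEx"),
    (2200, 2200, "WriteFile"),
    (4100, 612, "WriteProcessMemory"),
    (4100, 612, "CreateRemoteThread"),     # completes remote-thread-injection against 612
    (5000, 700, "SuspendThread"),
    (5000, 700, "SetThreadContext"),
    (5000, 700, "ResumeThread"),           # completes thread-hijack against 700
    (6000, 900, "WriteProcessMemory"),     # a lone call is not a full sequence
]

def is_subsequence(seq, calls):
    """True if every element of seq appears in calls, in order (gaps allowed)."""
    it = iter(calls)
    return all(any(c == s for c in it) for s in seq)

def detect_injection_sequences(trace, window=8):
    """Return (source PID, target PID, sequence name) for every known-bad sequence
    completed within the last `window` cross-process calls of a source/target pair.
    Per-pair history is what keeps alert volume low: single suspicious calls do not fire."""
    history = defaultdict(lambda: deque(maxlen=window))
    hits = []
    for src, dst, api in trace:
        if src == dst:
            continue                       # same-process calls are out of scope here
        calls = history[(src, dst)]
        calls.append(api)
        for name, seq in INJECTION_SEQUENCES.items():
            if is_subsequence(seq, calls):
                hits.append((src, dst, name))
                calls.clear()              # report once per completed sequence
                break
    return hits
```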



T1056 - Input Capture

| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0027 | Driver | Driver Load | Monitor for unusual kernel driver installation activity. |
| DS0022 | File | File Modification | Monitor files for unexpected modifications to access permissions and attributes. |
| DS0009 | Process | OS API Execution | Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState. [7] |
| DS0009 | Process | Process Creation | Monitor for newly executed processes conducting malicious activity. |
| DS0009 | Process | Process Metadata | Verify the integrity of live processes by comparing code in memory to that of the corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. |
| DS0024 | Windows Registry | Windows Registry Key Modification | Monitor for unexpected modifications to Windows Registry keys or values. |


Reports & References (1)

Observed Countries (4)

AU (152)
GB (853)
IN (869)
US (468)