campaign image
Volt Typhoon (aka, The Bronze Silhouette) Targets Critical US Infrastructure with Living Of The Land Techniques
Bronze Silhouette Living Of The Land LOL Bins Fortinet Forti Guard SOHO LotL Volt Typhoon

BRONZE SILHOUETTE has been active since at least 2021 and primarily targets the US government and defense organizations for intelligence gathering purposes. The group leverages vulnerable internet-facing servers to gain initial access and often uses a web shell for persistence.

Domains Source Last Update
Hashes Source Last Update
433331fe1a3ff11ea362fc772b67da38 SOCRadar 2023-06-13
472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d SOCRadar 2023-06-13
93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066 SOCRadar 2023-06-13
3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642 SOCRadar 2023-06-13
e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95 SOCRadar 2023-06-13
3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f SOCRadar 2023-06-13
6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff SOCRadar 2023-06-13
d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295 SOCRadar 2023-06-13
d10298d14d249941725ca0d4fe3fdd03cc472d42 SOCRadar 2023-06-13
3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71 SOCRadar 2023-06-13
daf5b2ffebc86b85e54201100be10fa19f19bf04 SOCRadar 2023-06-13
baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c SOCRadar 2023-06-13
41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597 SOCRadar 2023-06-13
8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2 SOCRadar 2023-06-13
b420bbe5054b2b8d0ab7de7a2f266cc382dac45d0d6cf06cfcf056073cb14c03 SOCRadar 2023-06-13
98c9fa7cab7499b6656a3329d4662c74f0b5466e SOCRadar 2023-06-13
308cd259bb9b0ed17c876881852e7992 SOCRadar 2023-06-13
7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5 SOCRadar 2023-06-13
d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca SOCRadar 2023-06-13
187d0dc65dd52fb813c9ebb6613be6b6 SOCRadar 2023-06-13
b9f9d0b9ab78c1e9e032751713cf5441 SOCRadar 2023-06-13
450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267 SOCRadar 2023-06-13
4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349 SOCRadar 2023-06-13
a82eb33ac623ffed550fc7120371b0ce8cfaa127 SOCRadar 2023-06-13
95fa19a91dc6d5b4ca17a886695aca99c9f81915 SOCRadar 2023-06-13
5c8a4c8fd3cc94f957a2ed070a606431 SOCRadar 2023-06-13
80d52999032325876d68cda01eb634db SOCRadar 2023-06-13
94dd39bc894ee60fc3c7ae21f53da2e29ed2d7b60515fd17b49ff57b0679a591 SOCRadar 2023-06-13
c25c4e6178f9434f6ee74790b31a7c09bd812271 SOCRadar 2023-06-13
6c8cdc2376288948ac008c0dfc6b159015583ec8a5847cd68b3806c734f5ceb8 SOCRadar 2023-06-13
21e13f2cb269defeae5e1d09887d47bb SOCRadar 2023-06-13
d35cb972271a75cdc3a9900ed7f40a37 SOCRadar 2023-06-13
6acaa1ef5398c6a3d9bfaccd89865115eb47e60c SOCRadar 2023-06-13
43e7d073944d5bec270d78c838e4390f38d129ec SOCRadar 2023-06-13
2de7ec0ff76943687875882d9add53a12bee17a0 SOCRadar 2023-06-13
7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2 SOCRadar 2023-06-13
e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6 SOCRadar 2023-06-13
a780dc37f6a517aa3f0f2d7cdd41b3acfe765d70 SOCRadar 2023-06-13
c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d SOCRadar 2023-06-13
f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd SOCRadar 2023-06-13
ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484 SOCRadar 2023-06-13
23873bf2670cf64c2440058130548d4e4da412dd SOCRadar 2023-06-13
989c12b22ae56d5bc6249047119a9ed1 SOCRadar 2023-06-13
e6456b4c14be0921616b28c219386e1a SOCRadar 2023-06-13
66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7 SOCRadar 2023-06-13
c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b SOCRadar 2023-06-13
3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc SOCRadar 2023-06-13
33c02d70abb2f1f12a79cfd780d875a94e7fe877 SOCRadar 2023-06-13
17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4 SOCRadar 2023-06-13
34a7a500bd62b21d98e81b19aeef2ca456a78253 SOCRadar 2023-06-13
1e2a99ae43d6365148d412b5dfee0e1c SOCRadar 2023-06-13
2b6989231cdae585e66994268b15d609 SOCRadar 2023-06-13
d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af SOCRadar 2023-06-13
d76e1525c8998795867a17ed33573552 SOCRadar 2023-06-13
c6d185d2c1dbfcb3a5073e0dcbc580e8 SOCRadar 2023-06-13
0c8c005fa2f542269074d1afad3f1fff3767936188fe5ce87a33d091ea044d8d SOCRadar 2023-06-13
9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a SOCRadar 2023-06-13
cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984 SOCRadar 2023-06-13
16d7ecf09fc98798a6170e4cef2745e0bee3f5c7 SOCRadar 2023-06-13
543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91 SOCRadar 2023-06-13
0195a022d023e2a82882e74bb7e48d418538ca9b SOCRadar 2023-06-13
a0254a824d9adcd2f173923acfe4da7f SOCRadar 2023-06-13
60c003206dcadb048b15b2b21d8a1348f58bc38e737c2805dfd017f9fea7f672 SOCRadar 2023-06-13
c1ad2b87815643497994206d05c8137accbab4c97773591afc8676cf5740379d SOCRadar 2023-06-13
640527a052a0fa57c58dd1a4a4628ec2 SOCRadar 2023-06-13
234d24856c162ef75a67902d623bd6bd89338e64 SOCRadar 2023-06-13
389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61 SOCRadar 2023-06-13
6983f7001de10f4d19fc2d794c3eb534 SOCRadar 2023-06-13
ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31 SOCRadar 2023-06-13
c7641aba03a32099c9eaf0c104f19c32a5408ae4 SOCRadar 2023-06-13
fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15 SOCRadar 2023-06-13
b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74 SOCRadar 2023-06-13
88211a9b3880def192f768bf7ee28e6a880d0837 SOCRadar 2023-06-13
c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99 SOCRadar 2023-06-13
Ipv4s Source Last Update
Cves Source Last Update
CVE-2021-40539 SOCRadar 2023-06-13
CVE-2021-27860 SOCRadar 2023-06-13
CVE-2023-27350 SOCRadar 2023-06-13
Emails Source Last Update
[email protected] SOCRadar 2023-06-13
[email protected] SOCRadar 2023-06-13
Domains Insert Date
Mitigations
The authoritative agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and
NIST recommends all organizations implement. CISA and NIST based the CPGs on existing cybersecurity Frameworks and guidance to protect against the most common and impactful threats and TTPs.

Defenders should harden domain controllers and monitor event logs for and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.
Defenders should investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
Remediations
Defenders should set the audit policy for Windows security logs to include “audit process creation” and “include command line in process creation events” in addition to accessing the logs.

Otherwise, the default logging configurations may not contain the necessary Information. Enabling these options will create Event ID 4688 entries in the Windows Security log to view command line processes. Given the cost and difficulty of logging and analyzing this kind of activity, if an organization must limit the requirements, they should focus on enabling this kind of logging on systems that are externally facing or perform authentication or authorization, especially including domain controllers.

To hunt for the malicious WMI and PowerShell activity, defenders should also log WMI and PowerShell events. By default, WMI Tracing and deep PowerShell logging are not Enabled,

Conclusion:

Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. 

Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

It is particularly difficult to reduce the risk from enemies like the Volt Typhoon, which rely on valid accounts and terrain binaries (LOLBins). Detection of activities using normal login channels and system binaries requires behavioral monitoring. The fix requires closing or changing credentials for compromised accounts. Accounts suspected of being compromised or affecting systems should be investigated

File Name Description Actions
CSA_PRC_.pdf BRONZE SILHOUETTE has been active since at least 2021 and primarily targets U.S government and defense organizations for intelligence-gathering purposes
APT Name Aliases Target Countries Source Countries Total IOCs
Volt Typhoon
VanguardPanda
None
timeline History Timeline
  • Wed, 14 Jun 2023 08:26:14 GMT
    New Report Added

    Living off the Land report added.
  • Tue, 13 Jun 2023 17:33:16 GMT
    New Apt Groups Added

    New APT Groups added.
  • Tue, 13 Jun 2023 17:32:58 GMT
    New IOC's Added

    Total 79 IOC's added.
  • Tue, 13 Jun 2023 15:50:25 GMT
    Created!

    New Campaign created.
  • Mon, 12 Jun 2023 00:00:00 GMT
    FortiOS & FortiProxy - Heap buffer overflow in sslvpn pre-authentication
    A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.Go to Link
  • Thu, 01 Jun 2023 00:00:00 GMT
    June 2021 IR engagement
    During a June 2021 engagement, Secureworks incident responders discovered that BRONZE SILHOUETTE had gained initial access to the compromised organization's single-factor Citrix environment via a domain administrator account.Go to Link
  • Thu, 25 May 2023 00:00:00 GMT
    May 25, 2023 By Pierluigi Paganini A China-linked APT group, tracked as Volt Typhoon, breached critical infrastructure organizations in the U.S. and Guam without being detected. China-linked APT cyber espionage group Volt Typhoon infiltrated critical infrastructure organizations in the U.S. and Guam without being detected. The group managed to maintain access without being detected for as long as possible. According to Microsoft, the campaign aims at building capabilities that could disrupt critical communications infrastructure between the United States and Asia region in the case of future crises. The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection. In order to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and stay under the radar. Volt Typhoon attack chain Volt Typhoon targets internet-facing Fortinet FortiGuard devices to achieve initial access to targeted organizations. Then the attackers attempt to extract credentials to an Active Directory account used by the compromised device and use them for lateral movement by authenticating to other devices. Upon gaining access to a target environment, the group conducts hands-on-keyboard activity via the command line. The researchers pointed out that the group rarely uses malware in the post-compromise phase. “If the account that Volt Typhoon compromises from the Fortinet device has privileged access, they use that account to perform the following credential access activities.” continues the report. “Microsoft has observed Volt Typhoon attempting to dump credentials through the Local Security Authority Subsystem Service (LSASS). The LSASS process memory space contains hashes for the current user’s operating system (OS) credentials.” Microsoft observed the Volt Typhoon dumping information from local web browser applications, then the attackers staged collected data in password-protected archives. The experts concluded by warning organizations to be vigilant on successful sign-ins from unusual IP addresses that could represent C2 accesses. Today, CISA joined the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners in releasing a joint cybersecurity advisory highlighting recently discovered activities conducted by a People’s Republic of China (PRC) state-sponsored cyber threat actor. We are in the final! Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini Please nominate Security Affairs as your favorite blog. Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Volt Typhoon) Share this: EmailTwitterPrintLinkedInFacebookMore ChinaCyberespionageHackinginformation security newsIT Information SecurityPierluigi PaganiniSecurity AffairsSecurity NewsVolt Typhoon SHARE ON Pierluigi Paganini Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”. PREVIOUS ARTICLE North Korea-linked Lazarus APT targets Microsoft IIS servers to deploy malware NEXT ARTICLE Zyxel firewall and VPN devices affected by critical flaws YOU MIGHT ALSO LIKE NodeStealer 2.0 takes over Facebook Business accounts and targets crypto wallets August 1, 2023 By Pierluigi Paganini US govt is hunting a Chinese malware that can interfere with its military operations August 1, 2023 By Pierluigi Paganini Digging the Deep Web: Exploring the dark side of the web Digging The Deep Web Center for Cyber Security and International Relations Studies Subscribe Security Affairs Newsletter newsletter SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards EU Sec Bloggers Awards 22
    A China-linked APT group, tracked as Volt Typhoon, breached critical infrastructure organizations in the U.S. and Guam without being detected.Go to Link
  • Wed, 24 May 2023 00:00:00 GMT
    Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
    The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.Go to Link
  • Wed, 24 May 2023 00:00:00 GMT
    Chinese Observe US Critical Infrastructure Organizations
    A state-backed Chinese hacking group is spying on a wide variety of US critical infrastructure organizations, from telecommunications to transportation hubs.
Subscribe