Volt Typhoon (aka BRONZE SILHOUETTE) Targets Critical US Infrastructure with Living Off The Land Techniques
Bronze Silhouette
Living Off The Land
LOLBins
Fortinet FortiGuard
SOHO
LotL
Volt Typhoon
BRONZE SILHOUETTE has been active since at least 2021 and primarily targets the US government and defense organizations for intelligence gathering purposes. The group leverages vulnerable internet-facing servers to gain initial access and often uses a web shell for persistence.
Domains | Source | Last Update |
---|---|---|
Hash (MD5 / SHA-1 / SHA-256) | Source | Last Update |
---|---|---|
433331fe1a3ff11ea362fc772b67da38 | SOCRadar | 2023-06-13 |
472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d | SOCRadar | 2023-06-13 |
93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066 | SOCRadar | 2023-06-13 |
3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642 | SOCRadar | 2023-06-13 |
e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95 | SOCRadar | 2023-06-13 |
3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f | SOCRadar | 2023-06-13 |
6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff | SOCRadar | 2023-06-13 |
d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295 | SOCRadar | 2023-06-13 |
d10298d14d249941725ca0d4fe3fdd03cc472d42 | SOCRadar | 2023-06-13 |
3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71 | SOCRadar | 2023-06-13 |
daf5b2ffebc86b85e54201100be10fa19f19bf04 | SOCRadar | 2023-06-13 |
baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c | SOCRadar | 2023-06-13 |
41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597 | SOCRadar | 2023-06-13 |
8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2 | SOCRadar | 2023-06-13 |
b420bbe5054b2b8d0ab7de7a2f266cc382dac45d0d6cf06cfcf056073cb14c03 | SOCRadar | 2023-06-13 |
98c9fa7cab7499b6656a3329d4662c74f0b5466e | SOCRadar | 2023-06-13 |
308cd259bb9b0ed17c876881852e7992 | SOCRadar | 2023-06-13 |
7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5 | SOCRadar | 2023-06-13 |
d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca | SOCRadar | 2023-06-13 |
187d0dc65dd52fb813c9ebb6613be6b6 | SOCRadar | 2023-06-13 |
b9f9d0b9ab78c1e9e032751713cf5441 | SOCRadar | 2023-06-13 |
450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267 | SOCRadar | 2023-06-13 |
4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349 | SOCRadar | 2023-06-13 |
a82eb33ac623ffed550fc7120371b0ce8cfaa127 | SOCRadar | 2023-06-13 |
95fa19a91dc6d5b4ca17a886695aca99c9f81915 | SOCRadar | 2023-06-13 |
5c8a4c8fd3cc94f957a2ed070a606431 | SOCRadar | 2023-06-13 |
80d52999032325876d68cda01eb634db | SOCRadar | 2023-06-13 |
94dd39bc894ee60fc3c7ae21f53da2e29ed2d7b60515fd17b49ff57b0679a591 | SOCRadar | 2023-06-13 |
c25c4e6178f9434f6ee74790b31a7c09bd812271 | SOCRadar | 2023-06-13 |
6c8cdc2376288948ac008c0dfc6b159015583ec8a5847cd68b3806c734f5ceb8 | SOCRadar | 2023-06-13 |
21e13f2cb269defeae5e1d09887d47bb | SOCRadar | 2023-06-13 |
d35cb972271a75cdc3a9900ed7f40a37 | SOCRadar | 2023-06-13 |
6acaa1ef5398c6a3d9bfaccd89865115eb47e60c | SOCRadar | 2023-06-13 |
43e7d073944d5bec270d78c838e4390f38d129ec | SOCRadar | 2023-06-13 |
2de7ec0ff76943687875882d9add53a12bee17a0 | SOCRadar | 2023-06-13 |
7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2 | SOCRadar | 2023-06-13 |
e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6 | SOCRadar | 2023-06-13 |
a780dc37f6a517aa3f0f2d7cdd41b3acfe765d70 | SOCRadar | 2023-06-13 |
c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d | SOCRadar | 2023-06-13 |
f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd | SOCRadar | 2023-06-13 |
ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484 | SOCRadar | 2023-06-13 |
23873bf2670cf64c2440058130548d4e4da412dd | SOCRadar | 2023-06-13 |
989c12b22ae56d5bc6249047119a9ed1 | SOCRadar | 2023-06-13 |
e6456b4c14be0921616b28c219386e1a | SOCRadar | 2023-06-13 |
66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7 | SOCRadar | 2023-06-13 |
c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b | SOCRadar | 2023-06-13 |
3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc | SOCRadar | 2023-06-13 |
33c02d70abb2f1f12a79cfd780d875a94e7fe877 | SOCRadar | 2023-06-13 |
17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4 | SOCRadar | 2023-06-13 |
34a7a500bd62b21d98e81b19aeef2ca456a78253 | SOCRadar | 2023-06-13 |
1e2a99ae43d6365148d412b5dfee0e1c | SOCRadar | 2023-06-13 |
2b6989231cdae585e66994268b15d609 | SOCRadar | 2023-06-13 |
d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af | SOCRadar | 2023-06-13 |
d76e1525c8998795867a17ed33573552 | SOCRadar | 2023-06-13 |
c6d185d2c1dbfcb3a5073e0dcbc580e8 | SOCRadar | 2023-06-13 |
0c8c005fa2f542269074d1afad3f1fff3767936188fe5ce87a33d091ea044d8d | SOCRadar | 2023-06-13 |
9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a | SOCRadar | 2023-06-13 |
cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984 | SOCRadar | 2023-06-13 |
16d7ecf09fc98798a6170e4cef2745e0bee3f5c7 | SOCRadar | 2023-06-13 |
543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91 | SOCRadar | 2023-06-13 |
0195a022d023e2a82882e74bb7e48d418538ca9b | SOCRadar | 2023-06-13 |
a0254a824d9adcd2f173923acfe4da7f | SOCRadar | 2023-06-13 |
60c003206dcadb048b15b2b21d8a1348f58bc38e737c2805dfd017f9fea7f672 | SOCRadar | 2023-06-13 |
c1ad2b87815643497994206d05c8137accbab4c97773591afc8676cf5740379d | SOCRadar | 2023-06-13 |
640527a052a0fa57c58dd1a4a4628ec2 | SOCRadar | 2023-06-13 |
234d24856c162ef75a67902d623bd6bd89338e64 | SOCRadar | 2023-06-13 |
389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61 | SOCRadar | 2023-06-13 |
6983f7001de10f4d19fc2d794c3eb534 | SOCRadar | 2023-06-13 |
ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31 | SOCRadar | 2023-06-13 |
c7641aba03a32099c9eaf0c104f19c32a5408ae4 | SOCRadar | 2023-06-13 |
fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15 | SOCRadar | 2023-06-13 |
b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74 | SOCRadar | 2023-06-13 |
88211a9b3880def192f768bf7ee28e6a880d0837 | SOCRadar | 2023-06-13 |
c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99 | SOCRadar | 2023-06-13 |
IPv4s | Source | Last Update |
---|---|---|
Cves | Source | Last Update |
---|---|---|
CVE-2021-40539 | SOCRadar | 2023-06-13 |
CVE-2021-27860 | SOCRadar | 2023-06-13 |
CVE-2023-27350 | SOCRadar | 2023-06-13 |
Emails | Source | Last Update |
---|---|---|
[email protected] | SOCRadar | 2023-06-13 |
[email protected] | SOCRadar | 2023-06-13 |
Mitigations
The authoring agencies recommend that organizations implement the mitigations below to improve their cybersecurity posture on the basis of this threat actor's activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs.
Administrators should limit port proxy usage (on Windows, netsh interface portproxy) within their environments and enable it only for the period in which it is required; the actor uses such proxies to route traffic through compromised hosts.
Defenders should investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that may be involved in actor activity. In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
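One way to operationalize these three checks, as an added example that is not part of the advisory or of SOCRadar's tooling: a PowerShell script that reads the registry key where netsh persists port-proxy rules, parses Event ID 4688 command lines for port-proxy creation and extracts the endpoints to pivot on, and flags off-hours and impossible-travel logons. The registry path is Windows' own; the sample command lines and logon records are constructed for the demo, and the City field (assumed to come from a GeoIP enrichment of the source IP), the 07:00-19:00 working window and the 60-minute travel window are assumptions.

```powershell
# Added example, not from the advisory or any vendor tooling. Assumes Windows PowerShell 5.1+
# for the live registry check; the log records below are CONSTRUCTED sample data.

# 1. Live check: netsh "interface portproxy add v4tov4" stores its rules here, so they survive
#    reboots. A host with no forwarding role should have no values under this key.
function Get-PortProxyRule {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        # Value name is listenaddress/listenport, data is connectaddress/connectport.
        [pscustomobject]@{ Listen = $name; Connect = $item.GetValue($name) }
    }
}

# 2. Hunt 4688 command lines for port-proxy creation and pull out the IPs/ports to pivot on.
function Get-NetshArg([string]$Line, [string]$Name) {
    if ($Line -match "(?i)\b$Name=(\S+)") { return $Matches[1] }
    return $null
}
function Find-PortProxyPivot {
    param([string[]]$CommandLine)
    foreach ($cl in $CommandLine) {
        if ($cl -notmatch '(?i)netsh(\.exe)?\s+interface\s+portproxy\s+add') { continue }
        [pscustomobject]@{
            ListenAddress  = Get-NetshArg $cl 'listenaddress'
            ListenPort     = Get-NetshArg $cl 'listenport'
            ConnectAddress = Get-NetshArg $cl 'connectaddress'
            ConnectPort    = Get-NetshArg $cl 'connectport'
            CommandLine    = $cl
        }
    }
}
# Constructed values of the "Process Command Line" field of Event ID 4688.
$sampleCommandLines = @(
    'netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=192.0.2.10 connectport=8443',
    'C:\Windows\System32\svchost.exe -k netsvcs -p',
    'cmd.exe /c "netsh interface portproxy show all"'
)

# 3. Account anomalies. Constructed logon records; in practice these come from 4624 events
#    or VPN logs, with City supplied by a GeoIP lookup (assumed here).
$sampleLogons = @(
    [pscustomobject]@{ User='jdoe';   Time=[datetime]'2023-06-01T02:15:00'; SourceIp='198.51.100.7'; City='Dallas' },
    [pscustomobject]@{ User='jdoe';   Time=[datetime]'2023-06-01T02:40:00'; SourceIp='203.0.113.9';  City='Singapore' },
    [pscustomobject]@{ User='asmith'; Time=[datetime]'2023-06-01T10:05:00'; SourceIp='10.0.0.5';     City='Dallas' }
)
function Find-AnomalousLogon {
    param([object[]]$Logon, [int]$WorkStart = 7, [int]$WorkEnd = 19, [int]$TravelWindowMinutes = 60)
    # Off-hours: any logon outside the assumed working window.
    foreach ($l in $Logon) {
        if ($l.Time.Hour -lt $WorkStart -or $l.Time.Hour -ge $WorkEnd) {
            [pscustomobject]@{ User = $l.User; Reason = 'off-hours logon'; Detail = "$($l.Time) from $($l.SourceIp)" }
        }
    }
    # Impossible travel: same user, different city, consecutive logons within the window.
    foreach ($g in ($Logon | Group-Object User)) {
        $sorted = @($g.Group | Sort-Object Time)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $prev = $sorted[$i - 1]; $cur = $sorted[$i]
            $gap = ($cur.Time - $prev.Time).TotalMinutes
            if ($prev.City -ne $cur.City -and $gap -le $TravelWindowMinutes) {
                [pscustomobject]@{ User = $g.Name; Reason = 'impossible travel'; Detail = "$($prev.City) -> $($cur.City) in $gap min" }
            }
        }
    }
}

Get-PortProxyRule                       | Format-Table -AutoSize
Find-PortProxyPivot $sampleCommandLines | Format-Table -AutoSize
Find-AnomalousLogon $sampleLogons       | Format-Table -AutoSize
```

On the constructed data the pivot hunt returns the single add command with 0.0.0.0:9999 forwarding to 192.0.2.10:8443, and the logon check flags both jdoe logons as off-hours plus one Dallas to Singapore jump in 25 minutes. The connect address and port are the values to search for next in firewall logs and in other hosts' 4688 and registry data.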
Remediations
Defenders should set the audit policy for Windows Security logs to include “audit process creation” and “include command line in process creation events”, in addition to collecting the logs.
Otherwise, the default logging configuration may not contain the necessary information. Enabling these options writes Event ID 4688 entries to the Windows Security log, which show the command line of each new process. Given the cost and difficulty of logging and analyzing this kind of activity, if an organization must limit the scope, it should focus on enabling this kind of logging on systems that are externally facing or that perform authentication or authorization, especially domain controllers.
To hunt for malicious WMI and PowerShell activity, defenders should also log WMI and PowerShell events. By default, WMI tracing and deep PowerShell logging are not enabled.
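An added example (not the advisory's own text) of applying these remediations on a single host with PowerShell from an elevated prompt. The auditpol subcategory, registry paths and event log name are Windows' own; the selection of settings, the self-test at the end and the marker string are this example's. On domain-joined hosts make the same changes through Group Policy, otherwise a policy refresh can silently undo the local values.

```powershell
# Added example, not from the advisory. Run elevated on the host being instrumented.

# 1. Audit process creation, so the Security log receives Event ID 4688 for each new process.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. Include the full command line in 4688. This is off by default, which is why the
#    default configuration does not contain the information needed to spot LOLBin abuse.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
New-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -PropertyType DWord -Force | Out-Null

# 3. PowerShell script block logging (Event ID 4104) and module logging (Event ID 4103),
#    both written to Microsoft-Windows-PowerShell/Operational and both off by default.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 4. WMI activity: provider loads, queries and event subscriptions (Event IDs 5857-5861),
#    including the permanent subscriptions used for WMI persistence.
wevtutil set-log Microsoft-Windows-WMI-Activity/Operational /enabled:true

# 5. Verify the policy, then prove it end to end: spawn a process with a recognizable
#    command line and confirm the newest 4688 entries carry it.
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled
$marker = "cmdline-audit-check-$PID"   # assumed marker string for the self-test
Start-Process -FilePath cmd.exe -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait
$hit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 50 |
       Where-Object { $_.Message -like "*$marker*" }
if ($hit) { 'OK: 4688 includes the command line' }
else      { Write-Warning '4688 found without the command line, or the event is not written yet' }
```

Command-line auditing adds volume, so where the advisory's cost caveat applies, scope steps 1 and 2 to internet-facing hosts, authentication servers and domain controllers first, and forward the Security and PowerShell/WMI operational logs off-host so an actor with local admin cannot clear them unnoticed.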
Conclusion:
Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The activity is attributed to Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering.
Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.
It is particularly difficult to reduce the risk from adversaries like Volt Typhoon, which rely on valid accounts and living-off-the-land binaries (LOLBins). Detecting activity that uses normal logon channels and system binaries requires behavioral monitoring. Remediation requires closing, or changing the credentials of, compromised accounts; accounts suspected of being compromised, and the systems they touched, should be investigated.
File Name | Description | Actions |
---|---|---|
CSA_PRC_.pdf | BRONZE SILHOUETTE has been active since at least 2021 and primarily targets U.S. government and defense organizations for intelligence-gathering purposes | |
APT Name | Aliases | Target Countries | Source Countries | Total IOCs |
---|---|---|---|---|
Volt Typhoon | BRONZE SILHOUETTE | | None | 203 |