The cybersecurity firm CrowdStrike has recently uncovered the activities of a newly identified Chinese nation-state actor known as Volt Typhoon. This group, also referred to as Bronze Silhouette, has been conducting cyber espionage operations targeting various critical infrastructure organizations, including the U.S. government and defense sectors.
CrowdStrike’s analysis reveals that Volt Typhoon relies on distinctive tactics, such as exploitation of ManageEngine ADSelfService Plus and living-off-the-land techniques, to maintain persistent access to its targets.
Advanced Tradecraft and Operational Security
Volt Typhoon demonstrates a high level of operational security and employs a range of open-source tools selectively against a limited number of victims. By doing so, they ensure long-term access to their targets while minimizing the risk of detection. The group extensively relies on web shells for persistence and utilizes living-off-the-land binaries to achieve their objectives efficiently.
Targeting ManageEngine ADSelfService Plus
In one incident, Volt Typhoon targeted an undisclosed customer by exploiting the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server. The intrusion involved executing suspicious commands for process enumeration and network connectivity checks. The group’s familiarity with the target environment was evident from the rapid succession of commands and their use of specific internal hostnames, IP addresses, and plaintext credentials.
Covert Web Shells and Reconnaissance
An investigation into the group’s activities uncovered HTTP POST requests to a web shell disguised as part of the legitimate identity security product, specifically the /html/promotion/selfsdp.jspx page. This web shell had been deployed approximately six months before the attack, indicating extensive reconnaissance by Volt Typhoon. The discovery of additional web shells and backdoors revealed the group’s attempts to obscure its actions by deleting artifacts and tampering with access logs.
Exploitation of CVE-2021-40539
While the exact method used to breach the ManageEngine environment remains unclear, indications point towards the exploitation of CVE-2021-40539. This critical authentication bypass flaw allowed for remote code execution, providing Volt Typhoon with the means to compromise the system. However, their attempt to cover their tracks by deleting logs overlooked the presence of Java source and compiled class files, which ultimately led to the discovery of more web shells and backdoors.
Backdoored Apache Tomcat Library
CrowdStrike’s investigation revealed a previously undisclosed persistence technique employed by Volt Typhoon. The group utilized a trojanized version of the tomcat-websocket.jar file, injecting three new Java classes (A, B, and C). Class A acted as an additional web shell capable of executing encrypted commands. This backdoored Apache Tomcat library enabled persistent access to high-value targets, indicating the group’s advanced understanding of their victims’ environments.
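One defensive check that follows from this finding is to compare the class entries inside a deployed Tomcat library JAR against a known-good baseline, so that classes added to the archive stand out. The script below is an added example, not CrowdStrike’s or the article’s code; the baseline class list and the in-memory sample JAR are constructed for illustration, and a real baseline would be generated from a pristine copy of the same Tomcat release.

```python
"""Baseline check for injected classes in a Tomcat library JAR (added example)."""
import io
import zipfile

# Constructed baseline: class entries expected in a clean tomcat-websocket.jar.
# Not a real Tomcat manifest; build the real list from a pristine copy.
BASELINE = {
    "org/apache/tomcat/websocket/WsSession.class",
    "org/apache/tomcat/websocket/WsFrameClient.class",
    "org/apache/tomcat/websocket/server/WsFilter.class",
}
EXPECTED_PACKAGE = "org/apache/tomcat/websocket/"


def class_entries(jar_bytes: bytes) -> set:
    """Return the set of .class entry names in a JAR supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {n for n in jar.namelist() if n.endswith(".class")}


def find_injected(jar_bytes: bytes, baseline: set = BASELINE) -> dict:
    """Report classes absent from the baseline, baseline classes that vanished,
    and classes living outside the library's own package (a baseline-free heuristic)."""
    present = class_entries(jar_bytes)
    return {
        "unexpected": sorted(present - baseline),
        "missing": sorted(baseline - present),
        "outside_package": sorted(n for n in present if not n.startswith(EXPECTED_PACKAGE)),
    }


def build_sample_jar(extra: tuple = ()) -> bytes:
    """Construct an in-memory JAR holding the baseline classes plus optional extras.
    Class bodies are placeholder bytes; only entry names matter for this check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in sorted(BASELINE) + list(extra):
            jar.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed: three short-named classes at the archive root, mirroring the
    # A, B and C classes described for the backdoored library.
    print(find_injected(build_sample_jar()))
    print(find_injected(build_sample_jar(("A.class", "B.class", "C.class"))))
```

Run against a JAR read from disk, the same check also catches baseline classes that were replaced under a different path, since those appear in both the unexpected and missing lists.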
Conclusion
Volt Typhoon, also known as Bronze Silhouette, represents a sophisticated Chinese cyber espionage group that targets critical infrastructure organizations, including the U.S. government and defense sectors. Its use of ManageEngine ADSelfService Plus exploits, covert web shells, and living-off-the-land techniques demonstrates a deep understanding of cybersecurity tradecraft. CrowdStrike’s discovery of the backdoored Apache Tomcat library highlights the group’s persistence and the need for advanced security measures to counter its activities. Organizations must remain vigilant and employ robust cybersecurity solutions to defend against the evolving threat landscape presented by state-sponsored actors like Volt Typhoon.
As the cybersecurity landscape continues to evolve, it is essential to stay informed about emerging threats and developments. I highly suggest you visit our CyberSecurity section to enhance your defenses and stay ahead of evolving cyber threats.