Volt Typhoon
Description
Volt Typhoon, also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus, is a People's Republic of China-based threat actor. Volt Typhoon shows a keen interest in critical infrastructure and other sectors in the United States, Australia, India and the United Kingdom, with information theft and espionage as its ultimate aim.
Aliases
- Voltzite
- Vanguard Panda
- BRONZE SILHOUETTE
- Dev-0391
- UNC3236
- Insidious Taurus
Targeted Industries
- Critical Infrastructure
- Defense
- Energy
- Information Technology Services
- Manufacturing
- Telecommunications
- Transportation and Logistics
- Utilities
Objectives
Data Theft and Corporate Espionage
Known Tools Used
- certutil
- cmd
- Coathanger
- dnscmd
- EarthWorm
- Fast Reverse Proxy (FRP)
- KV Botnet
- Ldifde
- LSASS process memory dumps (credential access)
- Magnet RAM Capture (MRC)
- Makecab
- Mimikatz
- net user/group/use
- netsh
- netstat
- nltest
- ntdsutil
- ping
- PowerShell
- PsExec
- PuTTY
- quser
- reg query/reg save
- Remote Desktop Protocol (RDP)
- SMB
- SockDetour
- systeminfo
- tasklist
- Ultimate Packer for Executables (UPX)
- VersaMem
- wevtutil
- whoami
- WMIC
- xcopy
- Z Shell (zsh)
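Most of the entries above are native Windows binaries, so the detection question is not "is this tool present" but "is this combination of commands normal on this host". The script below is an added example, not part of the original profile and not a vendor ruleset. It assumes process-creation telemetry exported as one JSON object per line with host, user and cmd fields (Sysmon Event ID 1 or Security 4688 shaped data); the sample records are constructed to resemble the ntdsutil, reg save, wevtutil and netsh portproxy usage reported in the CISA advisory referenced below, and the regular expressions are assumed heuristics keyed on the tool names in this list. A single hit is routine administration, so a host is rated high only when hits from two or more distinct rules co-occur.

```python
"""Flag living-off-the-land command lines from a JSON-lines process log.

Added example (not from the original page). Rules are heuristics keyed on the
tool list above and must be tuned per environment; the log is constructed.
"""
import json
import re
from collections import defaultdict

# Assumed detection heuristics, one compiled regex per behaviour.
RULES = {
    # NTDS.dit export through the Install-From-Media path of ntdsutil
    "ntds_export_ntdsutil": re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I),
    # Offline hive copies that pair with NTDS.dit for credential extraction
    "registry_hive_save": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I),
    # Anti-forensics: clearing event logs
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    # Built-in port forwarding used to pivot through a compromised host
    "portproxy_pivot": re.compile(r"\bnetsh(\.exe)?\s+interface\s+portproxy\s+add\b", re.I),
    # Remote process creation over WMI
    "remote_wmic_exec": re.compile(r"\bwmic(\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b", re.I),
    # certutil abused as a downloader or base64 decoder
    "certutil_download_or_decode": re.compile(r"\bcertutil(\.exe)?\s+.*-(urlcache|decode)\b", re.I),
    # Staging credential material into a CAB archive before exfiltration
    "credential_archive_makecab": re.compile(r"\bmakecab(\.exe)?\b.*\b(ntds\.dit|sam|system)\b", re.I),
    # Mimikatz LSASS module invoked on the command line
    "mimikatz_sekurlsa": re.compile(r"\bsekurlsa::", re.I),
}

# Constructed sample telemetry (not real logs). Backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"host": "DC01", "user": "CORP\\svc_backup", "cmd": "cmd.exe /c ntdsutil \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\pro\" q q"}
{"host": "DC01", "user": "CORP\\svc_backup", "cmd": "reg save hklm\\sam C:\\Windows\\Temp\\sam.hiv"}
{"host": "DC01", "user": "CORP\\svc_backup", "cmd": "wevtutil cl security"}
{"host": "WS17", "user": "CORP\\jdoe", "cmd": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=22 connectaddress=10.0.0.5"}
{"host": "WS22", "user": "CORP\\helpdesk", "cmd": "reg save hklm\\system C:\\temp\\sys.bak"}
{"host": "WS22", "user": "CORP\\helpdesk", "cmd": "ping -n 1 fileserver"}
"""


def match_rules(command_line):
    """Return the names of every rule the command line triggers, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def scan(log_lines):
    """Parse JSON-lines process records; yield one finding per (record, rule) pair."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        for rule in match_rules(rec.get("cmd", "")):
            findings.append({"rule": rule, "host": rec["host"],
                             "user": rec["user"], "cmd": rec["cmd"]})
    return findings


def score_hosts(findings):
    """Rate each host: 'high' when >= 2 distinct rules fired on it, else 'low'.

    One LOLBin hit is admin noise; a chain such as NTDS export + hive save +
    log clearing on the same host is the pattern worth paging on.
    """
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return {host: ("high" if len(rules) >= 2 else "low")
            for host, rules in per_host.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['host']:<6} {h['rule']:<28} {h['user']:<18} {h['cmd']}")
    print(score_hosts(hits))
```

Run against the constructed sample, DC01 (NTDS export, SAM hive save, Security log cleared) is rated high while WS17 and WS22 each produce a single hit and stay low; feeding real 4688 or Sysmon exports through `scan()` only requires mapping the CommandLine, Computer and SubjectUserName fields onto cmd, host and user.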
Known Infection Vectors
- CVE-2019-1652 (Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability)
- CVE-2019-1653 (Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability)
- CVE-2020-5902 (F5 Traffic Management User Interface Remote Code Execution Vulnerability)
- CVE-2021-22005 (VMware vCenter Server Arbitrary File Upload Vulnerability)
- CVE-2021-26084 (Confluence Server Webwork OGNL Injection Vulnerability)
- CVE-2021-26857 (Microsoft Exchange Server Remote Code Execution Vulnerability)
- CVE-2021-26858 (Microsoft Exchange Server Remote Code Execution Vulnerability)
- CVE-2021-27065 (Microsoft Exchange Server Remote Code Execution Vulnerability)
- CVE-2021-27860 (Fatpipe Web Management Interface File Upload Vulnerability)
- CVE-2021-36260 (Hikvision IP Cameras Command Injection Vulnerability)
- CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability)
- CVE-2021-42237 (Sitecore XP Insecure Deserialization Remote Code Execution Vulnerability)
- CVE-2022-1388 (F5 BIG-IP Remote Command Execution Vulnerability)
- CVE-2022-42475 (FortiOS Heap-based Buffer Overflow in sslvpnd)
- CVE-2023-27350 (PaperCut NG and MF Remote Code Execution Vulnerability)
- CVE-2023-36553 (FortiSIEM OS command injection in Report Server)
- CVE-2023-46805 (Ivanti Connect Secure Authentication Bypass Vulnerability)
- CVE-2023-4966 (Citrix NetScaler ADC and NetScaler Gateway Sensitive Information Disclosure Vulnerability, aka Citrix Bleed)
- CVE-2023-6548 (Citrix NetScaler ADC and NetScaler Gateway Authenticated Remote Code Execution Vulnerability in the management interface)
- CVE-2023-6549 (Citrix NetScaler ADC and NetScaler Gateway Denial of Service Vulnerability)
- CVE-2024-20272 (Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability)
- CVE-2024-21762 (Out-of-bound Write in sslvpnd in FortiOS and FortiProxy)
- CVE-2024-21887 (Ivanti Connect Secure Command Injection Vulnerability)
- CVE-2024-39717 (Versa Director Dangerous File Type Upload Vulnerability)
References
Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign (Fortinet)
https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (CISA)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
CISA and Partners Release Joint Fact Sheet for Leaders on PRC-sponsored Volt Typhoon Cyber Activity (CISA)
https://www.cisa.gov/news-events/alerts/2024/03/19/cisa-and-partners-release-joint-fact-sheet-leaders-prc-sponsored-volt-typhoon-cyber-activity
Volt Typhoon (MITRE)
https://attack.mitre.org/groups/G1017/
Strengthening America’s Resilience Against the PRC Cyber Threats (CISA)
https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats