[CDP-development] U.S. and International Partners Release Advisory on PRC State-Sponsored Malicious Cyber Activity

Masse, Theresa theresa.masse at cisa.dhs.gov
Wed May 24 13:43:45 PDT 2023


FYSA



Today, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) published a joint Cybersecurity Advisory<https://cisa.gov/news-events/cybersecurity-advisories/aa23-144a> (CSA), “People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection,” to highlight a People’s Republic of China (PRC) state-sponsored actor, also known as Volt Typhoon<https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/>, that is working to compromise networks and conduct malicious activity.



This report provides the cybersecurity community and critical infrastructure organizations with new insights into the specific tactics, techniques, and procedures used by PRC cyber actors to gain and maintain persistent access to critical infrastructure networks. It highlights how PRC cyber actors use techniques called living off the land, which enable these actors to avoid detection by using legitimate network administration tools already present on the host. This tactic enables the actor to blend in with normal system and network activity, avoid identification by many endpoint detection and response (EDR) products, and limit the amount of activity that is captured in common logging configurations. Tools the advisory associates with this activity include PowerShell, Windows Management Instrumentation (WMI), and Mimikatz.



The CSA provides technical information that network defenders can use to hunt for this activity on their networks, including a summary of relevant indicators of compromise (IOCs) for quick reference. Recommended mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) and can help organizations prioritize their investments to most effectively mitigate this activity, such as:

     *   Baseline protections include hardening domain controllers, monitoring event logs, limiting port proxy usage within environments, and investigating unusual internet protocol (IP) addresses and ports.
     *   Logging recommendations include setting audit policy, hunting for Windows Management Instrumentation (WMI) and PowerShell activity, and enabling logging on edge devices.
     *   Prioritize mitigation of known exploited vulnerabilities (KEV), including those listed in the joint advisory and in CISA's KEV catalog<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>.
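The following PowerShell is an added example, not code from the advisory or from CISA: it turns the port-proxy, WMI and logging recommendations above into concrete checks a defender can run on a Windows host. The registry paths, event IDs and `auditpol`/`wevtutil` switches are documented Windows settings; the function names and the choice of what to surface are this example's own, and the 4688 property index used in the last function is an assumption about the event's field order that should be confirmed against a sample event before relying on it.

```powershell
# Added example (not part of the advisory). Run from an elevated PowerShell 5.1+ session.
# Function names and output shapes are this example's own choices.

function Get-PortProxyEntry {
    # netsh "interface portproxy" rules are persisted in the registry, so they can be
    # reviewed even where netsh.exe itself is blocked. Legitimate use is rare on
    # workstations and servers that are not intended to forward traffic.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base -Recurse | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Kind   = $key.PSPath -replace '.*PortProxy\\', ''   # e.g. v4tov4\tcp
                Listen = $name                                      # listenaddress/listenport
                Target = $key.GetValue($name)                       # connectaddress/connectport
            }
        }
    }
}

function Get-WmiSubscription {
    # Permanent WMI event subscriptions (filter + consumer + binding) are a
    # fileless persistence mechanism; list every instance for analyst review.
    $ns = 'root/subscription'
    foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Class'; e = { $class } }, Name, Query,
                          CommandLineTemplate, ScriptText, Filter, Consumer
    }
}

function Enable-LotlLogging {
    # Turns on the logging the CSA asks for: PowerShell script block and module
    # logging (events 4104/4103), command lines in process-creation audits (4688),
    # and the WMI-Activity operational log (5857-5861). Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $settings = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
           Name = 'EnableScriptBlockLogging'; Value = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
           Name = 'EnableModuleLogging'; Value = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
           Name = '*'; Value = '*' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
           Name = 'ProcessCreationIncludeCmdLine_Enabled'; Value = 1 }
    )
    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set to $($s.Value)")) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess('Audit policy', 'enable process creation auditing and WMI-Activity log')) {
        auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
        wevtutil.exe sl Microsoft-Windows-WMI-Activity/Operational /e:true
    }
}

function Find-PortProxyCommandLine {
    # Once command-line auditing is on, "netsh interface portproxy add" shows up in
    # Security 4688 events. Assumption: the command line is property index 8 of 4688.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties.Count -gt 8 -and $_.Properties[8].Value -match 'netsh.*portproxy' } |
        Select-Object TimeCreated, @{ n = 'CommandLine'; e = { $_.Properties[8].Value } }
}

# Usage (elevated):
Get-PortProxyEntry        | Format-Table -AutoSize
Get-WmiSubscription       | Format-List
Enable-LotlLogging -WhatIf           # preview the changes; drop -WhatIf to apply them
Find-PortProxyCommandLine | Format-Table -AutoSize
```

On a fleet these checks belong in the EDR or configuration-management tool rather than in an ad hoc script, but the registry keys and log channels they touch are the same ones the advisory's logging guidance points at, and the output of the two `Get-` functions is a reasonable starting point for the "investigate unusual IP addresses and ports" item above.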



CISA and our partners will continue to provide targeted guidance and capabilities to help organizations address the risk of persistent access by adversaries using living off the land techniques, including through our Remote Monitoring and Management planning effort currently being undertaken by the Joint Cyber Defense Collaborative (JCDC).



All organizations are strongly urged to review this advisory and take necessary actions to detect if this activity is on their network, apply mitigations to improve cybersecurity posture, and strengthen resilience to reduce impact of adversarial activity. With our partners, we will continue to help organizations address the risk of persistent access by adversaries using living off the land techniques.



Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov



