A new joint advisory from United States and international cybersecurity authorities describes a state-sponsored hacking group out of China using an attack method called living off the land (LOTL). LOTL activity is closely related to what is often called fileless malware: rather than dropping custom scripts or executables on the victim's machine, the attacker drives the intrusion with tools that are already present and trusted on the system. PowerShell, Windows Management Instrumentation (WMI), and PsExec are legitimate administration tools that are commonly abused in this way to run commands remotely, move data, and manipulate network connections, which is exactly why their use blends in with normal administrator activity.
The CISA advisory highlights built-in Windows command-line tools being used by a group known as Volt Typhoon, which is assessed to be developing the capability to disrupt communications between the US and Asia during a future crisis. The group adds an intermediate hop by routing its traffic through compromised small office and home office (SOHO) network devices (routers, firewalls, and VPN appliances) before reaching larger targets. This hides the true origin of the traffic and makes it appear to come from an ordinary residential or small-business IP address in the target's region rather than from overseas. Currently, the activity looks like pre-positioning: the attackers are collecting, archiving, and maintaining compromised credentials from US critical infrastructure organizations for later use. They also use administrative tools to create new user accounts on compromised systems, which gives them a way back in even if the stolen credentials are reset. The activity is viewed as part of a larger geopolitical strategy by China amid continued tension over Taiwan.
The advisory published by CISA serves two purposes. It warns small and medium-sized businesses to maintain a baseline level of cybersecurity so that their networks and internet-facing devices cannot easily be used as proxies for attacks on critical infrastructure. It also lists specific indicators and mitigations that large organizations and critical infrastructure operators can act on, including hardening and monitoring Windows event logs, checking for netsh port proxy configuration, and watching for connections from unusual IP addresses, including residential SOHO ranges. Refer to CISA alert AA23-144a for more information.
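Because LOTL activity leaves no malware to scan for, hunting comes down to checking configuration and logs for the administrative tools being used in unusual ways. The PowerShell script below is an added example written for this post; it is not code from the CISA advisory or from Quanexus. It checks two of the artifact classes the advisory calls out: netsh port proxy rules (which persist in the registry under the PortProxy service key) and Security event 4688 process-creation records whose command lines match the tool usage described above. The indicator regexes, the seven-day window, and the sample command lines at the end are this example's own constructions. It assumes an elevated PowerShell 5.1 or later session on Windows, and that process-creation auditing with command-line logging is enabled; without that audit policy the CommandLine field in event 4688 is empty and the log hunt returns nothing.

```powershell
# Added example: hunt for living-off-the-land artifacts of the kind AA23-144a
# describes. Assumes an elevated session and that "Audit Process Creation" plus
# "Include command line in process creation events" are enabled.

# netsh portproxy rules are stored here; each value is named "listenaddr/listenport"
# and holds "connectaddr/connectport". Any entry on a host that has no business
# forwarding ports deserves a look.
$PortProxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'

function Get-PortProxyRules {
    if (-not (Test-Path $PortProxyKey)) { return @() }
    $item = Get-ItemProperty -Path $PortProxyKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^[\d\.\*]+/\d+$' } |
        ForEach-Object {
            [pscustomobject]@{ Listen = $_.Name; Connect = $_.Value }
        }
}

# Constructed indicator patterns (this example's own, not CISA's list) for the
# built-in tools the advisory describes being abused.
$Indicators = @(
    @{ Name = 'netsh portproxy';   Pattern = 'netsh(\.exe)?\s+interface\s+portproxy\s+add' },
    @{ Name = 'ntdsutil IFM dump'; Pattern = 'ntdsutil(\.exe)?.*\bifm\b' },
    @{ Name = 'wmic remote exec';  Pattern = 'wmic(\.exe)?.*process\s+call\s+create' },
    @{ Name = 'lsass access';      Pattern = '(?i)lsass' }
)

function Test-SuspiciousCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($i in $Indicators) {
        if ($CommandLine -match $i.Pattern) { return $i.Name }
    }
    return $null
}

function Get-SuspiciousProcessCreations {
    param([int]$Days = 7)
    # Event 4688 = a new process has been created. The command line lives in
    # EventData, so parse the XML rather than relying on the formatted message.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        if ($cmd) {
            $hit = Test-SuspiciousCommandLine -CommandLine $cmd
            if ($hit) {
                [pscustomobject]@{ Time = $_.TimeCreated; Indicator = $hit; CommandLine = $cmd }
            }
        }
    }
}

function Get-RecentAccountCreations {
    param([int]$Days = 7)
    # Event 4720 = a user account was created. Compare against change tickets.
    $filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        [pscustomobject]@{
            Time       = $_.TimeCreated
            NewAccount = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            CreatedBy  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
        }
    }
}

# Constructed sample command lines so the matcher can be exercised without a
# populated Security log. Only the last one should come back without a hit.
$Samples = @(
    'netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443',
    'cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q',
    'wmic process call create "cmd.exe /c whoami"',
    'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt'
)
$Samples | ForEach-Object {
    '{0,-18} {1}' -f ((Test-SuspiciousCommandLine -CommandLine $_), $_)
}

# Live checks against this host (require an elevated session):
Get-PortProxyRules | Format-Table -AutoSize
Get-SuspiciousProcessCreations | Format-Table -AutoSize
Get-RecentAccountCreations | Format-Table -AutoSize
```

A portproxy rule is not malicious by itself, and neither is ntdsutil on a domain controller during a planned backup; the value of the output is in comparing it against what the administrators actually did. Run the same checks across a fleet and any host that returns a port proxy rule nobody can explain, or an IFM dump outside a change window, is where an investigation should start.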
Quanexus IT Support Services for Dayton and Cincinnati