Security Alert: What to Know About Threat Actor Volt Typhoon
On May 24, 2023, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) warned in a coordinated effort that the Chinese state-sponsored advanced persistent threat (APT) known as Volt Typhoon was targeting United States critical infrastructure.
CISA issued a joint Cybersecurity Advisory (CSA) with U.S., Canadian, United Kingdom, Australian, and New Zealand agencies, which identified living off the land (LOTL) as one of Volt Typhoon's primary tactics, techniques, and procedures (TTPs) and noted that it hinders detection. In a separate post, Microsoft announced it had uncovered "malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the U.S." carried out by Volt Typhoon. Microsoft noted that Volt Typhoon has been active since 2021, primarily targeting critical infrastructure in the U.S. and Guam.
Once Volt Typhoon gains access to a network, the threat actor uses LOTL techniques to harvest credentials and maintain persistent access. Because the threat actor installs no malicious software or code and instead maintains access with legitimate tools that ship with Microsoft Windows, endpoint detection and response (EDR) tools that key on malicious binaries are less effective at mitigating this attack; the activity has to be found by scrutinizing how ordinary administrative tools are used, by whom, and when.
What Coalition policyholders need to know
While all organizations may use technologies that leave them vulnerable to attacks using LOTL, the most significant initial ingress risk for Coalition policyholders is internet-exposed admin panels. Admin panels provide access to an application or service and allow IT or system administrators to manage its configuration. Given the power and functionality of admin panels, they should never be exposed to the public internet. Unfortunately, vendor default settings may leave admin panels open, or IT and security teams may overlook checking for them, which opens organizations up to risk. In the last 30 days, Coalition has sent 3,286 alerts to policyholders with exposed admin panels, and it remains one of our top security findings.
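The check described above, written out as an added example (this is not Coalition's scanner or any code from the post): given an inventory of listening web services, flag the ones that look like admin panels and are reachable from outside the organization's internal address space. The inventory records are constructed, and the admin-panel path and title hints and the list of internal networks are assumptions to adjust to your own environment. The wildcard-bind case (0.0.0.0 or ::) is handled explicitly, because that is the vendor default that most often leaves a panel open on a dual-homed host.

```python
"""Flag administrative interfaces reachable from the public internet.

Added example for this post, not Coalition's scanner. The inventory records
below are constructed; the path/title hints and internal address ranges are
assumptions drawn from common vendor and RFC 1918 defaults.
"""
import ipaddress
from dataclasses import dataclass, field

# Address space treated as internal. Anything else is assumed to be routable
# from the internet (adjust to your own allocations).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Hints that a URL is an admin panel (assumed, illustrative list).
ADMIN_PATH_HINTS = ("/admin", "/wp-admin", "/manager/html", "/phpmyadmin", "/console")
ADMIN_TITLE_HINTS = ("admin", "management console", "administration")


@dataclass
class Listener:
    host: str                  # inventory name
    bind_addr: str             # address the service listens on
    port: int
    path: str                  # URL path observed by the scanner
    title: str                 # HTML <title> observed by the scanner
    interfaces: tuple = field(default_factory=tuple)  # all addresses on the host


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def looks_like_admin_panel(l: Listener) -> bool:
    path, title = l.path.lower(), l.title.lower()
    return path.startswith(ADMIN_PATH_HINTS) or any(h in title for h in ADMIN_TITLE_HINTS)


def reachable_from_internet(l: Listener) -> bool:
    """A wildcard bind (0.0.0.0 or ::) listens on every interface, so it is
    exposed if any interface on the host carries a non-internal address."""
    if ipaddress.ip_address(l.bind_addr).is_unspecified:
        return any(not is_internal(a) for a in l.interfaces)
    return not is_internal(l.bind_addr)


def find_exposed_admin_panels(listeners):
    """Return (host, port, path) for every admin panel reachable from the internet."""
    return [(l.host, l.port, l.path) for l in listeners
            if looks_like_admin_panel(l) and reachable_from_internet(l)]


# Constructed inventory: four listeners, two of which are exposed.
SAMPLE_LISTENERS = [
    # Vendor default: firewall GUI bound to all interfaces on a dual-homed host.
    Listener("fw-edge-01", "0.0.0.0", 443, "/admin", "Firewall Management Console",
             interfaces=("203.0.113.10", "10.0.0.1")),
    # WordPress admin on the public web server.
    Listener("www-01", "203.0.113.20", 443, "/wp-admin/", "Log In - Corp Site",
             interfaces=("203.0.113.20",)),
    # Same kind of panel correctly bound to the management VLAN only.
    Listener("nas-01", "10.10.5.4", 5000, "/admin", "Storage Administration",
             interfaces=("10.10.5.4",)),
    # Public marketing site: not an admin panel.
    Listener("www-01", "203.0.113.20", 443, "/", "Corp Site",
             interfaces=("203.0.113.20",)),
]

if __name__ == "__main__":
    for host, port, path in find_exposed_admin_panels(SAMPLE_LISTENERS):
        print(f"EXPOSED admin panel: {host}:{port}{path}")
```

On the constructed inventory this reports the firewall GUI and the WordPress login, and stays quiet about the NAS panel that is bound only to a 10.x management address. The remediation in each exposed case is the same one the post recommends: bind the panel to an internal interface or VPN, or block it at the perimeter, rather than relying on the login page itself.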
Per Microsoft and CISA reporting, once a threat actor has gained access to a network and switches to LOTL TTPs, it becomes challenging to detect and evict. While Volt Typhoon is currently targeting critical infrastructure organizations, its ability to compromise networks will likely serve as proof to other threat actors that LOTL is a successful strategy. Coalition Incident Response (CIR), Coalition's incident response affiliate, has already reported an uptick in cases attributed to LOTL in the last several months, and we expect this number to increase.
How to mitigate living off the land
Based on the above analysis, we assess that one effective mitigation for small and medium-sized businesses (SMBs) is to ensure that no admin panels are exposed to the public internet where they could provide initial ingress. Additional best practices include inventorying every tool and service in your organization that is exposed to the internet and, where possible, removing internet access to those tools and services. While SMBs may lack the resources to review logs rigorously, enabling logging is always worthwhile: if an organization experiences an adverse cyber incident, logs can greatly assist forensic efforts.
Larger organizations typically can employ a high degree of automation to respond to these threats. A mature logging and monitoring program should let IT and security teams establish when users are expected to interact with particular systems and tools, and then look for anomalies against that baseline. IT and security teams will also need to know the timing of maintenance windows and automated tasks, so that legitimate administrative activity can be told apart from an intruder's use of the same built-in tools.
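The anomaly check described in the two paragraphs above, as an added example (it is not Coalition's or CIR's detection content, and the post lists no specific tools): process-creation events are matched against command-line patterns for built-in Windows tools that are routinely used in LOTL activity, and a match is suppressed only when an approved automation account ran it inside the known maintenance window. The event lines are constructed in the shape of Windows Security event 4688 exported as JSON (field names simplified), and the rule patterns, the service-account allowlist and the Saturday 02:00-04:00 window are all assumptions for illustration.

```python
"""Flag suspicious use of built-in Windows tools outside approved activity.

Added example, not Coalition's or CIR's detection content. The event lines
are constructed in the shape of Windows Security event 4688 (process creation)
exported as JSON; the command-line patterns, the service-account allowlist and
the maintenance window are assumptions for illustration.
"""
import json
import re
from datetime import datetime

# Command-line patterns for built-in tools commonly seen in LOTL activity
# (assumed, illustrative list). Each maps to a short rule name.
LOTL_RULES = {
    "ntds.dit export via ntdsutil IFM":
        re.compile(r"ntdsutil.*\bifm\b"),
    "registry hive save (SAM/SECURITY/SYSTEM)":
        re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b"),
    "port proxy added with netsh":
        re.compile(r"\bnetsh(?:\.exe)?\b.*\bportproxy\b.*\badd\b"),
    "volume shadow copy via vssadmin":
        re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow"),
    "remote process creation via wmic":
        re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b"),
}

# Accounts expected to run these tools as part of scheduled jobs (assumed).
APPROVED_AUTOMATION = {"CORP\\svc-backup"}


def in_maintenance_window(ts: datetime) -> bool:
    """Assumed weekly window: Saturday 02:00-04:00 local time."""
    return ts.weekday() == 5 and 2 <= ts.hour < 4


def match_rule(command_line: str):
    """Return the name of the first LOTL rule the command line matches, else None."""
    cl = command_line.lower()
    for name, pattern in LOTL_RULES.items():
        if pattern.search(cl):
            return name
    return None


def evaluate(events):
    """Return one alert per event that matches a LOTL rule and was not run by
    an approved automation account inside the maintenance window."""
    alerts = []
    for e in events:
        rule = match_rule(e["CommandLine"])
        if rule is None:
            continue
        ts = datetime.fromisoformat(e["TimeCreated"])
        expected = e["SubjectUserName"] in APPROVED_AUTOMATION and in_maintenance_window(ts)
        if not expected:
            alerts.append({"time": e["TimeCreated"], "host": e["Computer"],
                           "account": e["SubjectUserName"], "rule": rule})
    return alerts


# Constructed events. 2023-05-20 is a Saturday (inside the assumed window);
# 2023-05-23 is a Tuesday afternoon.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"TimeCreated":"2023-05-20T02:15:00","Computer":"DC01","SubjectUserName":"CORP\\svc-backup","CommandLine":"ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\backup\\ifm\" q q"}
{"TimeCreated":"2023-05-20T03:05:00","Computer":"DC01","SubjectUserName":"CORP\\jsmith","CommandLine":"reg save hklm\\sam C:\\Windows\\Temp\\s.hiv"}
{"TimeCreated":"2023-05-23T14:07:00","Computer":"DC01","SubjectUserName":"CORP\\jsmith","CommandLine":"ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\Windows\\Temp\\ifm\" q q"}
{"TimeCreated":"2023-05-23T14:09:00","Computer":"FS01","SubjectUserName":"CORP\\jsmith","CommandLine":"netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=443 connectaddress=10.0.0.5"}
{"TimeCreated":"2023-05-23T09:00:00","Computer":"WS07","SubjectUserName":"CORP\\jsmith","CommandLine":"\"C:\\Windows\\System32\\notepad.exe\" C:\\Users\\jsmith\\notes.txt"}
{"TimeCreated":"2023-05-20T02:20:00","Computer":"DC01","SubjectUserName":"CORP\\svc-backup","CommandLine":"vssadmin create shadow /for=C:"}
'''.strip().splitlines()]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['time']} {a['host']} {a['account']}: {a['rule']}")
```

On the constructed events the backup account's Saturday-night ntdsutil and vssadmin runs are suppressed as expected activity, while the same ntdsutil command from a user account on a Tuesday afternoon, a SAM hive export inside the window but by an unapproved account, and a netsh port proxy all produce alerts. None of these processes is malware, which is the point of the post: the signal is in who ran an ordinary tool and when, so the allowlist and the window have to be maintained as carefully as the rules.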
The CISA advisory also contains a robust list of additional mitigations and indicators of compromise (IOCs).
Stay in Control
Coalition actively monitors for cyber risk to empower our policyholders with alerts through Coalition Control, our cyber risk management platform. Exposed admin panels remain one of our most common alerts, and we will continue to scan for this risk and alert our policyholders to it. Control is also available to organizations looking to actively monitor their attack surface and help mitigate their cyber risks.
Control presents each security finding together with its supporting evidence, age, resolution type, and impacted assets. Users can invite their IT team to Control to support prompt alert review and response, helping their businesses stay ahead of threat actors.