Dave Bittner
You're listening to the Cyberwire Network, powered by N2K.
Dave Bittner
Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows, and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance. Visit hyperproof.io to see how leading teams are transforming their GRC programs.
Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Silas Cutler
And as we evaluated it more and more, it started to become clear that the activity that is the KV-botnet side likely may be a different actor, or an actor working in direct support of Volt Typhoon. But it's likely a different set of hands-on-keyboard operators than those who are actually living off the land against high-value targets.
Dave Bittner
That's Silas Cutler, principal security researcher at Censys. The research we're discussing today is titled "Will the Real Volt Typhoon Please Stand Up?" Well, let's back up just a little bit. For folks who aren't following it too closely, how do you describe Volt Typhoon themselves?
Silas Cutler
Yeah, so Volt Typhoon is generally believed to be a threat actor that operates from the People's Republic of China. They have incredibly interesting tradecraft, and there was a report that came out a while ago from Microsoft, I believe, about Volt Typhoon conducting an intrusion into an organization in Guam. Unlike a lot of threat actors who rely on pieces of malware to maintain persistent access to a target, this group operates almost entirely manually, living off the land and using natively available tools in order to accomplish their objectives and dig deep into these networks.
Dave Bittner
Well, speaking of deep dives, you all took a deep dive into their recent activity. What was the first indication to you all that something had changed, that something new was happening?
Silas Cutler
The thing that we've tracked pretty closely as part of this group is their first-stage malware tooling, the side that is part of that non-attribution layer that they use before going after a target. The KV malware itself, the first-stage server that it communicates to, has a distinct SSL certificate, which ensures that the client and server are able to talk through encrypted communication. Following the FBI disruption last year, usually that's a good time for an actor to change up their tooling, regenerate certificates, and try to throw researchers off their tail. But with this group it seemed that they didn't. The certificate that they used had been consistent since pre-FBI disruption and has been the way that we've been able to follow a lot of their servers since they were first exposed.
Dave Bittner
Well, what do you make of that? That there weren't those changes that folks in your position have come to expect?
Silas Cutler
Yeah, and I mean, it's the type of thing that we expect also for actors who are reading our blogs when we post them, or reading blogs and Twitter posts from other folks in the security space. It's the type of thing that folks see, and they know that people are tracking on it, and in order to maintain their own security and prevent disruption or network blocking and things like that, they'll make these changes in order to try and evade the existing detection rules that are out there. It's a fascinating spot, because you'll find actors who may not make a change for several weeks in order to make it appear that they didn't notice, or to try and have that plausible deniability of "oh no, that was never my control server." But then you'll get the actors, sometimes on the lower-skill side, who will almost immediately react and tear everything down, which is a good sign that you landed on something important of theirs. But with this group it's very odd, because they have the techniques and they are at a skill level where they can respond well. So the working theory that a couple of us have been talking about has been that potentially this is a contract-type entity, where they're maintaining and building the non-attribution side with KV-botnet separate from the operators who are actually conducting the hands-on-keyboard activity. And as a result, when you have a contract, it may specify something like, yeah, you won't make any distinctive changes for a year and a half, or whatever the duration of the contract is. So it's possible that these changes haven't been made because they are a government contractor somewhere in China and it is not within the scope of their contract to make the changes.
Dave Bittner
That's really interesting. So it could be a practical thing rather than, say, swagger.
Silas Cutler
Oh, absolutely. And of course, this is just a theory. There's a lot more we'll need to fully confirm it and to dig forward, but I'm hopeful that we'll see some more things in the future, because this is a group that likely isn't going away anytime soon.
Dave Bittner
Well, part of your investigation was identifying the servers that were connected to Volt Typhoon. Can you walk us through the process of how you and your team were able to narrow those down?
Silas Cutler
So at Censys we do continuous scanning of the Internet, looking for things like the SSL certificates that websites are using. Those are really important key indicators and things that we look for in terms of being able to track and identify related sets of infrastructure. And when we started looking back at some of the servers from 2023, we noticed that they almost exist in pairs. So there was a set of servers under the Choopa ASN. We saw in December those servers were shut down, and it looks like they migrated over to DigitalOcean and then finally in December hopped once again back to Choopa. So a lot of the way we've been watching it is through essentially the outer hallmarks of what their control servers look like and what services they expose. You can think of it almost like their external-facing fingerprint on the Internet.
Dave Bittner
Yeah. For folks who are interested in this kind of research, can you give us some insights as to what are the things that you can glean from these sorts of observations, and on the other hand, what stays opaque to you?
Silas Cutler
Oh, so there's a lot of things that are really cool in the space, and some of these things are what got me really interested in scanning initially. So not necessarily in the case of Volt Typhoon here, but when we start looking at the external fingerprints of what attackers' infrastructure looks like on the Internet, there are things that we can normally find fairly easily, things like Cobalt Strike, a lot of the open source control server frameworks like Sliver. And infrastructure is expensive, so actors run multiple services. Sometimes we'll see Cobalt Strike and Metasploit running on the same server. And then there are cases where actors make mistakes like everyone else and they leave a web directory exposed containing tools that they were intending only to be downloaded by infected systems as part of an automated process. And so from our visibility we're able to see a lot of these really cool structures of how attackers set up their infrastructure, and at times where they start to make mistakes, which gives us incredible visibility into how some of those things are structured. The challenge, of course, is there's much that we can't see: things behind firewalls within internal networks. So the actual who's connecting to attacker control servers, that's often something that we don't necessarily see from our visibility, but we can at least help to find where to go looking for organizations that are looking to protect against this.
Dave Bittner
Yeah. While you all were in the depths of this research, was there anything that popped up that was unexpected or surprising? Anything that really stood out to you?
Silas Cutler
So one of the things that I noted pretty early on was that it looks like, for a lot of the KV first-stage control servers, they were hosting these primarily within the U.S. So they were relying on U.S. providers, which I can understand, and I can theorize on some reasons why they might do that from, say, an operational security perspective: potentially worrying that if they place their servers in a foreign country, all of this traffic may end up as a signal that something suspicious is going on, potentially enabling a government, like the US government, to use national security controls against it. So it was interesting to see at least that level of potential forethought into where they're placing their control servers. But it was surprising that even after law enforcement was able to conduct an operation to disrupt some of these servers, they still continued to maintain these servers within the US instead of moving to, say, somewhere like the UK or another friendly country.
Dave Bittner
We'll be right back.
Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Knight to stay ahead of threats. Download it now at semperis.com/purple-knight. That's semperis.com/purple-knight.
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
You know, when we're talking about attribution, attribution can be notoriously difficult. What's your level of confidence that these activities are indeed Volt Typhoon?
Silas Cutler
Yeah, that's a great question. I like to say that all threat intelligence is iterative, so inherently the findings that we have are built on the findings of others. A lot of the information that we have about Volt Typhoon, and I can't say enough good things about the research team at Lumen, they've done incredible work on detailing a number of different campaigns from the KV-botnet and looking at a number of the different sub-botnets within it and how those operate. So a lot of our analysis builds upon things from Lumen, and before that, things from Microsoft. As we've all continued to look at these things, there have been distinctive overlaps in terms of tradecraft that we're seeing from other groups, groups like Flax Typhoon and Salt Typhoon, where they're using similar sets of operational design: using these non-attribution networks built on exploitation of vulnerable SOHO devices and vulnerable VPN devices as hop points in order to move against their actual targets. And while that's not necessarily a theme exclusive to China, it is one that has been really, really interesting to watch develop as part of their offensive ecosystem over the past year. I was incredibly impressed with something that I saw a couple of days ago in some of the reporting on Flax Typhoon, where the FBI had found a patent in the Chinese patent database for Flax Typhoon, which became one of those evidence pieces they used to finally link to the Integrity Tech group, which I believe is the name for Flax Typhoon.
Dave Bittner
Wow, that's interesting. I don't know that a patent database was a place I would have thought about searching around. Isn't that fascinating?
Silas Cutler
It was not on my bingo card, and I have spent hours, hours now, looking at similar patents and trying to learn how to properly read patents.
Dave Bittner
Yeah, that's really interesting. Do groups like this, looking at Volt Typhoon specifically but also in general, to what degree are they trying to cover their tracks?
Silas Cutler
It seems like a lot of it is trying to cover their tracks. So especially with using these non-attribution networks, it is a really key way for them to avoid some of the more historic operational security mistakes that have been made. When I first started doing threat intelligence research, I worked with a gentleman named Joe Stewart from SecureWorks, and he had just put out a blog post on something called HTran, which was a proxy tool that had an unfortunate vulnerability in it, for lack of a better description. It was a similar type of setup, where an attacker would be able to set up HTran on, potentially, a US server, route infected systems to call back to that US server, and then it would redirect the traffic behind the scenes to wherever they were in China. But unfortunately, if they shut down their home computer or turned off wherever their system was in China, or wherever they were working, it would send an error message back to the infected system saying, hey, the IP address you're trying to connect to is not available, and it would be the attacker's true IP address.
Dave Bittner
Oh my.
Silas Cutler
So it was a horrible, horrible operational security leak for them for a while, and I built a number of systems just to keep hunting for those really cool tidbits. But using something like this, where they're moving to breaching VPN appliances and SOHO routers as a means of building out these networks, shows a lot more operational maturity. It's a time-tested practice and something that is a little bit more resilient to a lot of the mistakes of the past. It still carries risk, because they're using a common tool, this being KV-botnet, across these devices. So there is the linkage of being able to say it's likely a common party using all these things, but it still avoids some of the traditional pitfalls.
Dave Bittner
To what degree do you think folks, and I'm thinking of business leaders here, should be concerned about Volt Typhoon? Is this a nation-state espionage concern, or to what degree does it trickle down to the day-to-day thoughts of someone who's running an organization?
Silas Cutler
Yeah, so guidance from folks like CISA and the National Security Agency here in the US has talked about this being distinctly espionage-related and having national security level concerns, which for business leaders may not be something they feel is directly within their scope to manage. But there are two interesting folds to this. If you're a critical infrastructure provider, or working in water treatment or any critical sector, there is a possibility that you may be targeted for the more espionage-related purposes. But even for organizations that just have a presence on the Internet and are using SOHO routers, VPN appliances, and most standard technology, it's important to make sure that those devices are being kept up to date with patches and best security practices. Because inherently it's possible that they may be leveraged unwillingly to support Volt Typhoon, or another Typhoon, as part of one of their attacks, which can be a massive headache for an organization to deal with, because they'd be in the position of both having to do forensics to identify what happened as well as trying to assist with another significant incident going on.
Dave Bittner
What are the key takeaways you want folks to get from this particular research?
Silas Cutler
Yeah. So especially for the research community, there's a lot that I think we need to look at in terms of trying to better divide out these sets and lay out our attribution in a more clear, concise way across the industry. Volt Typhoon is one of those actors that's incredibly difficult to really pin down, because in the activity that we see against their core targets, the critical infrastructure, they use very few tools that are uniquely attributable to them. And so they are a difficult actor to pin down, but it's one that has real national security consequences and that we need to be on the forefront of tracking incredibly closely. And that's going to require a lot of information sharing and folks being willing to talk about their assessments, right or wrong, and work on them together.
Dave Bittner
Our thanks to Silas Cutler from Censys for joining us. The research is titled "Will the Real Volt Typhoon Please Stand Up?" We'll have a link in the show notes. That's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's that set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to joindeleteme.com/n2k and use promo code N2K at checkout. That's joindeleteme.com/n2k, code N2K.
Release Date: July 5, 2025
Host: Dave Bittner
Guest: Silas Cutler, Principal Security Researcher at Censys
Topic: Analysis of the resurgence and activities of Volt Typhoon and the KV-botnet infrastructure that supports it
In this episode of N2K CyberWire's "Research Saturday," host Dave Bittner talks with Silas Cutler of Censys about the latest developments surrounding Volt Typhoon and the KV-botnet. The conversation covers the actor's operational tactics, recent infrastructure activity, and the broader implications for defenders.
Silas Cutler describes Volt Typhoon as a sophisticated threat actor believed to operate from the People's Republic of China. Unlike many groups that rely heavily on custom malware for persistence, Volt Typhoon employs a "living off the land" approach, using native tools to infiltrate and maintain access within target networks.
Silas Cutler [02:08]: "...this group operates almost entirely manually, living off the land and using natively available tools in order to accomplish their objectives and dig deep into these networks."
This methodology makes Volt Typhoon's hands-on activity difficult to distinguish from legitimate administration, and leaves few tool-based indicators for traditional detection.
Bittner asks what first signalled a change in Volt Typhoon's activity, prompting a detailed explanation from Cutler.
Cutler explains that, despite the FBI disruption operation the previous year, the SSL certificate used by the first-stage KV-botnet command-and-control servers has stayed the same, which is what let Censys keep following the infrastructure.
Silas Cutler [02:44]: "The certificate that they used had been consistent since pre-FBI disruption and has been the way that we've been able to follow a lot of their servers since they were first exposed."
This lack of change is atypical: threat actors who know they are being tracked usually rotate tooling and regenerate certificates after a disruption to evade existing detection rules. Cutler's working theory is a contract-based model, in which a separate entity builds and maintains the non-attribution KV-botnet layer under terms that do not call for such changes, while different operators conduct the hands-on-keyboard intrusions.
Silas Cutler [04:05]: "The working theory that a couple of us have been talking about has been that potentially this is a contract-type entity where they're maintaining and building the non-attribution side with KV-botnet separate from the operators who are actually conducting the hands-on-keyboard activity."
Bittner asks how the team identified and tracked the servers linked to Volt Typhoon. Cutler describes Censys's continuous internet scanning, which pivots on SSL certificate fingerprints and other externally visible service characteristics to find and monitor related infrastructure. The servers tended to appear in pairs, and the team watched them move from the Choopa ASN to DigitalOcean and back again.
Silas Cutler [06:11]: "We noticed that they almost exist in pairs... you can think of it almost like their external-facing fingerprint on the Internet."
This technique allows the identification of server migrations and infrastructure patterns from the outside, even though what happens inside a victim network, and who connects to the control servers, stays invisible to a scanner.
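The certificate-fingerprint pivot described above, as an added worked example (this is not Censys code, and the scan records, IP addresses and fingerprints below are constructed placeholders, not indicators from the research). Given a set of scan snapshots, it clusters hosts by the SHA-256 fingerprint of the leaf certificate, lists co-hosted "pairs" seen together in one snapshot, reconstructs the ASN hop timeline for a cluster, and reports which fingerprints survived across a cutoff date such as a takedown. The ASNs 20473 (Choopa, now Vultr) and 14061 (DigitalOcean) are the providers named in the interview; the `fingerprint_from_pem` helper is the usual way to derive the pivot value from a certificate you already hold.

```python
"""Tracking C2 infrastructure across scan snapshots by TLS certificate fingerprint.

Added example, not Censys tooling. Input records are constructed for the demo.
Each record: ip, seen (ISO date string), asn, fp (SHA-256 hex of the DER cert).
"""
import base64
import hashlib
from collections import defaultdict

# Placeholder fingerprints (not real IOCs). "LONG_LIVED" plays the role of the
# certificate that never rotated; "OTHER" is unrelated infrastructure.
LONG_LIVED_FP = "a1" * 32
OTHER_FP = "b2" * 32

# Constructed sample snapshots: paired hosts on Choopa (AS20473), a move to
# DigitalOcean (AS14061), then a hop back to Choopa, plus one unrelated host.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "seen": "2023-09-01", "asn": 20473, "fp": LONG_LIVED_FP},
    {"ip": "203.0.113.11", "seen": "2023-09-01", "asn": 20473, "fp": LONG_LIVED_FP},
    {"ip": "198.51.100.20", "seen": "2024-02-15", "asn": 14061, "fp": LONG_LIVED_FP},
    {"ip": "198.51.100.21", "seen": "2024-02-15", "asn": 14061, "fp": LONG_LIVED_FP},
    {"ip": "203.0.113.30", "seen": "2024-12-10", "asn": 20473, "fp": LONG_LIVED_FP},
    {"ip": "192.0.2.5", "seen": "2024-05-01", "asn": 64500, "fp": OTHER_FP},
]


def fingerprint_der(der: bytes) -> str:
    """SHA-256 over the raw DER encoding, the value scan data and browsers show."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_from_pem(pem: str) -> str:
    """Strip PEM armour, base64-decode to DER, and fingerprint the result."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return fingerprint_der(base64.b64decode(body))


def cluster_by_fingerprint(records):
    """Group scan records by certificate fingerprint: one cluster per cert."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r["fp"]].append(r)
    return dict(clusters)


def paired_hosts(records):
    """Hosts that presented the same certificate in the same snapshot.

    Returns {(seen, fp): [ip, ...]} for groups of two or more hosts."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["seen"], r["fp"])].append(r["ip"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= 2}


def asn_timeline(records):
    """Ordered (first_seen, asn) hops for a cluster, collapsing repeats."""
    hops = []
    for r in sorted(records, key=lambda r: r["seen"]):
        if not hops or hops[-1][1] != r["asn"]:
            hops.append((r["seen"], r["asn"]))
    return hops


def certs_surviving(records, cutoff: str):
    """Fingerprints observed both before and on/after `cutoff` (ISO date).

    A certificate that spans a public disruption is the 'no rotation' signal
    the interview describes."""
    out = []
    for fp, rs in cluster_by_fingerprint(records).items():
        before = any(r["seen"] < cutoff for r in rs)
        after = any(r["seen"] >= cutoff for r in rs)
        if before and after:
            out.append(fp)
    return sorted(out)


if __name__ == "__main__":
    clusters = cluster_by_fingerprint(SCAN_RECORDS)
    for fp, rs in clusters.items():
        print(fp[:16], "hops:", asn_timeline(rs))
    print("pairs:", paired_hosts(SCAN_RECORDS))
    print("survived 2024-01-31:", certs_surviving(SCAN_RECORDS, "2024-01-31"))
```

In practice the records come from a scan-data export and the cutoff is the date of whatever event should have forced a rotation; a fingerprint that still appears afterwards is worth a second look, and the pairing and hop views help separate one operator's relocation from coincidental certificate reuse.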
The conversation shifts to the difficulty of attributing activity to specific actors. Cutler emphasizes the iterative nature of threat intelligence, building on prior work from Lumen and Microsoft, and notes tradecraft overlaps with Flax Typhoon and Salt Typhoon, which also build non-attribution networks from compromised SOHO and VPN devices.
Silas Cutler [11:51]: "I was incredibly impressed with something that I saw a couple of days ago in some of the reporting on Flax Typhoon where the FBI had found a patent in the Chinese patent database... to finally link to the Integrity Tech group."
This highlights the multifaceted approach required for attribution, including unconventional sources such as patent database research.
Cutler reflects on the operational maturity of these non-attribution networks, contrasting them with past operational security lapses such as the HTran proxy tool, which could leak an operator's true IP address in an error message when the upstream host went offline.
Silas Cutler [15:40]: "Using something like this, where they're moving to breaching VPN appliances and SOHO routers as a means of building out these networks, shows a lot more operational maturity..."
The approach is more resilient than older relay setups, though using a common tool, the KV-botnet, across devices still lets researchers link the infrastructure to a common party.
Addressing the broader impact, Cutler describes the dual nature of the threat. While CISA and the NSA categorize Volt Typhoon as an espionage-related, national security concern, the ramifications extend to everyday organizations whose edge devices can be co-opted into the botnet.
Silas Cutler [15:58]: "If you're a critical infrastructure provider... it's important to make sure that those devices are being kept up to date with patches and best security practices."
This duality underscores the importance of patching SOHO routers and VPN appliances, not only to protect an organization's own assets but also to keep its infrastructure from being used as a hop point in someone else's intrusion, which would saddle it with forensics for an incident it did not cause.
Silas Cutler [17:18]: "It's one of those actors that's incredibly difficult to really pin down because in the activity that we see against their core targets... they use very few tools that are uniquely attributable to them... it's one that has real national security consequences and that we need to be on the forefront of tracking incredibly closely."
The episode presents Volt Typhoon as a sophisticated, state-backed threat actor with significant implications for both national security and everyday organizations, and stresses the need for continuous monitoring, shared threat intelligence, and basic device hygiene to limit the actor's reach.
For more detailed insights, refer to the full transcript and additional resources linked in the show notes.