Dave Bittner
You're listening to the CyberWire network powered by N2K. And now a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24/7, 365 with BlackCloak. Learn more at blackcloak.io. Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Silas Cutler
And as we kind of evaluated it more and more, it started to become clear that it looks like the activity that is the KV-botnet side likely may be a different actor or an actor working in direct support of Volt Typhoon, but it's a different set, likely a different set of hands-on-keyboard operators than those who are actually living off the land against high-value targets.
Dave Bittner
That's Silas Cutler, principal security researcher at Censys. The research we're discussing today is titled Will the Real Volt Typhoon Please Stand Up? Well, let's back up just a little bit. And for folks who aren't following it too closely, how do you describe Volt Typhoon themselves?
Silas Cutler
Yeah, so Volt Typhoon is generally believed to be a threat actor that operates from the People's Republic of China. They have incredibly interesting tradecraft they've gone after. And there was a report that came out a while ago from Microsoft, I believe, about Volt Typhoon conducting an intrusion into an organization in Guam. Unlike a lot of threat actors who rely on pieces of malware to maintain persistent access to a target, this group operates almost entirely manually, living off the land and using natively available tools in order to accomplish their objectives and dig deep into these networks.
Dave Bittner
Well, speaking of deep dives, I mean, you all took a deep dive into their recent activity. What was the first indication to you all that something had changed, that something new was happening?
Silas Cutler
The thing that we've kind of tracked pretty closely as part of this group is with their first-stage malware tooling, the side that is part of that non-attribution layer that they use before going after a target. The KV malware itself, the first-stage server that it communicates to, has a distinct SSL certificate. So that ensures that the client and server are able to talk through encrypted communication. Following the FBI disruption last year, usually that's a good time for an actor to change up their tooling, regenerate certificates and try and throw researchers off their tail. But with this group it seemed that they didn't. The certificate that they used had been consistent since pre-FBI disruption and has been the way that we've been able to follow a lot of their servers since they were first exposed.
Dave Bittner
Well, what do you make of that? That there weren't those changes that folks in your position kind of come to expect?
Silas Cutler
Yeah, and I mean it's the type of thing that we expect also for actors who are reading the same, reading our blogs when we post them, or reading blogs and Twitter posts from other folks in the security space. It's the type of thing that folks see and know that people are tracking on it. And in order to maintain their own security and prevent disruption or network blocking and things like that, they'll make these changes in order to try and evade the existing detection rules that are out there. Typically this type of thing, it's a fascinating spot, because you'll find actors who may not make a change for several weeks in order to make it appear that they didn't notice or to try and have that plausible deniability of "oh no, that was never my control server." But then you'll get the actors, and sometimes on the lower-skill side, where they'll almost immediately react and tear everything down, which is a good sign that you landed on something important of theirs. But with this group it seems very odd, because they have the techniques and they are at a skill level where they can respond well. So the working theory that a couple of us have been talking about has been that potentially this is a contract-type entity where they're maintaining and building the non-attribution side with the KV Botnet separate from the operators who are actually conducting the hands-on-keyboard activity. And as a result, when you have a contract it may specify something like, yeah, you won't make any distinctive changes for a year and a half or whatever the duration of the contract is. So it's possible that these changes haven't been made because they are a government contractor somewhere in China and it is not within the scope of their contract to make the changes.
Dave Bittner
That's really interesting. I mean, so it could be a practical thing rather than, say, swagger.
Silas Cutler
Oh absolutely. And of course this is just a theory and there's a lot more we'll need to fully confirm it and to dig forward. But I'm hopeful that we'll see some more things in the future because this is a group that likely isn't going away anytime soon.
Dave Bittner
Well, part of your investigation was identifying the servers that were connected to Volt Typhoon. Can you walk us through that process of how you and your team were able to narrow those down?
Silas Cutler
So at Censys we do continuous scanning of the Internet, looking for things like the SSL certificates that websites are using. Those are really important key indicators and things that we look for in terms of being able to track and identify related sets of infrastructure. And when we started looking back at some of the servers from 2023, we noticed that they almost exist in pairs. So there was a set of servers under the Choopa ASN; we saw in December those servers were shut down and it looks like they migrated over to DigitalOcean and then finally in December hopping once again back to Choopa. So a lot of the way we've been watching it is through essentially the outer hallmarks of what their control servers look like and what services they expose. And sort of, you can think of it almost like their external-facing fingerprint on the Internet.
Dave Bittner
Yeah, I mean, for folks who are interested in this kind of research, can you give us some insights as to, like, what are the things that you can glean from these sorts of observations, and on the other hand, what stays opaque to you?
Silas Cutler
Oh, so there's a lot of things that are really cool in the space and some of these things are what got me really interested in scanning initially. So not necessarily in the case of Volt Typhoon here, but when we start looking at the external fingerprints of what attackers' infrastructure looks like on the Internet, there's things that we can normally find fairly easily, things like Cobalt Strike, a lot of the open source control server frameworks like Sliver. And infrastructure is expensive, so actors run multiple services. Sometimes we'll see Cobalt Strike and Metasploit running on the same server. And then there's cases where actors make mistakes like everyone else and they leave a web directory exposed containing tools that they were intending only to be downloaded by infected systems as part of an automated process. And so from our visibility, we're able to see a lot of these really cool structures of how attackers set up their infrastructure and at times where they start to make mistakes, which give us incredible visibility into how some of those things are structured. The challenge, of course, is there's much that we can't see. So things are behind firewalls within internal networks. So the actual who's connecting to attack control servers, that's often something that we don't necessarily see from our visibility, but we can at least help to find where to go looking for organizations that are looking to protect against this.
Dave Bittner
Yeah. While you all were in the depths of this research, was there anything that popped up that was unexpected or surprising? Anything that really stood out to you?
Silas Cutler
So one of the things that I noted pretty early on was it looks like for a lot of the KV first-stage control servers, they were hosting these primarily within the U.S., so they were relying on U.S. providers, which I can understand, and I can theorize on some reasons why they might do that from, say, an operational security perspective, potentially worrying that if they place their servers in a foreign country, that all of this traffic may end up as a signal that something suspicious is going on, potentially enabling a government, like the US government, to use national security controls against it. So it was interesting to see at least that level of potential forethought into where they're placing their control servers. But it was surprising that even after law enforcement was able to conduct an operation to disrupt some of these servers, that they still continued to maintain these servers within the US instead of moving to, say, somewhere like the UK or another friendly country.
Dave Bittner
We'll be right back. Cyber threats are evolving every second. And staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default-deny approach can keep your company safe and compliant. Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door, the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today. You know, when we're talking about attribution, attribution can be notoriously difficult. What's your level of confidence that these activities are indeed Volt Typhoon?
Silas Cutler
Yeah, that's a great question. So I like to say that all threat intelligence is iterative. So inherently the findings that we have are built on the findings of others. A lot of the information that we have about Volt Typhoon, and I can't say enough good things about the research team at Lumen, they've done incredible work on detailing a number of different campaigns from the KV botnet and looking at a number of the sort of different sub-botnets within it and how those operate. So a lot of our analysis is building upon things from Lumen and then before that things from Microsoft. So as we've all continued to look at these things, there's been distinctive overlaps in terms of tradecraft that we're seeing from other groups, groups like Flax Typhoon and Salt Typhoon, where they're using similar sets of sort of like operational design: using these non-attribution networks built on exploitation of vulnerable SOHO devices, vulnerable VPN devices, to use as hop points in order to move against their actual targets. And while that's not necessarily exclusive to China, the theme is one that has been really, really interesting to watch develop as part of their offensive ecosystem over the past year. I was incredibly impressed with something that I saw a couple days ago in some of the reporting on Flax Typhoon, where the FBI had found a patent in the Chinese patent database for Flax Typhoon, which became one of those evidence pieces they used to link finally to the Integrity Tech group, which I believe is the name for Flax Typhoon.
Dave Bittner
Wow, that's interesting. I don't know that a patent database was a place I would have thought about searching around for. Isn't that fascinating?
Silas Cutler
It was not on my bingo card, and I have spent hours now looking at similar patents and trying to learn how to properly read patents.
Dave Bittner
Yeah, that's really interesting. Do groups like this, I mean looking at Volt Typhoon specifically, but also in general, to what degree are they trying to cover their tracks?
Silas Cutler
It seems like a lot of it is trying to cover their tracks. So especially with using these non-attribution networks, it is a really key way for them to avoid some of what I see as some of the more historic operational security mistakes that have been made. When I first started doing threat intelligence research, I worked with a gentleman named Joe Stewart from SecureWorks, and he had just put out a blog post on something called HTran, which was a proxy tool that had an unfortunate vulnerability in it, for lack of a better description. Similar type of setup, where an attacker would be able to set up HTran on, potentially, a US server, route infected systems to call back to that US server, and then it would redirect the traffic behind the scenes to wherever they were in China. But unfortunately, if they shut down their home computer or turned off wherever their system was in China or wherever they were working, it would send an error message back to the infected system saying, hey, the IP address you're trying to connect to is not available, and it would be the attacker's true IP address.
Dave Bittner
Oh my.
Silas Cutler
So it was a horrible, horrible operational security leak for a while. And I built a number of systems just to keep hunting for those really cool tidbits. But using something like this, where they're moving to breaching VPN appliances and SOHO routers as a means of building out these networks, shows a lot more operational maturity, and something that is a time-tested practice and something that is a little bit more resilient to a lot of the mistakes of the past. It still carries risk because they're using sort of a common tool, this being KV Botnet, across these devices. So there is the linkage of being able to say it's likely a common party all using these things, but it still avoids some of the traditional pitfalls.
Dave Bittner
To what degree do you think folks, and I'm thinking of business leaders here, should be concerned about Volt Typhoon? Is this a nation-state espionage concern, or to what degree does it trickle down to the day-to-day thoughts of someone who's running an organization?
Silas Cutler
Yeah. So guidance from folks like CISA and the National Security Agency here in the US have talked about this being distinctly espionage related and having national security level concerns, which for business leaders may not be something they feel is directly within their scope to manage. But there's kind of two interesting folds to this. So if you're a critical infrastructure provider or working in water treatment or any critical sector, there is a possibility that they may be targeted for the more espionage-related purposes. But even for organizations that have a presence on the Internet or are using SOHO routers and VPN appliances and most standard technology, it's important to make sure that those devices are being kept up to date with patches and best security practices, because inherently it's possible that they may be used or leveraged unwillingly to support Volt Typhoon or another Typhoon as part of one of their attacks, which can be a massive headache for an organization to deal with, because they'd be in the position of both having to do forensics to identify what happened as well as trying to assist with another significant incident going on.
Dave Bittner
What are the key takeaways you want folks to get from this particular research?
Silas Cutler
Yeah, so especially for the research community, there's a lot that I think we need to look at in terms of trying to better divide out these sets and lay out our attribution in a more clear, concise way across the industry. So for Volt Typhoon, it's one of those actors that's incredibly difficult to really pin down, because in the activity that we see against their core targets, the critical infrastructure, they use very few tools that are uniquely attributable to them. And so they are a difficult actor to pin down, but it's one that has real national security consequences and that we need to be on the forefront of tracking incredibly closely. And that's going to require a lot of information sharing and folks being willing to talk about their assessments, right or wrong, and work on them together.
Dave Bittner
Our thanks to Silas Cutler from Censys for joining us. The research is titled Will the Real Volt Typhoon Please Stand Up? We'll have a link in the show notes. That's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. I'm Dave Bittner. Thanks for listening. We'll see you back here next.
Release Date: March 8, 2025
Host/Author: N2K Networks
Description: The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
In the March 8, 2025 episode of CyberWire Daily titled "Botnet's Back, Tell a Friend" under the Research Saturday series, host Dave Bittner engages in an in-depth conversation with Silas Cutler, Principal Security Researcher at Censys. The episode delves into the activities of the Volt Typhoon threat actor group, their methodologies, and the implications for cybersecurity professionals and business leaders.
Silas Cutler provides a comprehensive overview of Volt Typhoon, a sophisticated threat actor believed to operate from the People's Republic of China. Unlike many cybercriminal groups that depend heavily on malware for persistent access, Volt Typhoon distinguishes itself by operating manually, leveraging native tools to infiltrate and navigate target networks deeply.
Notable Quote:
“Volt Typhoon is generally believed to be a threat actor that operates from the People's Republic of China. They have incredibly interesting tradecraft they've gone after.”
— Silas Cutler [02:13]
The conversation highlights recent shifts in Volt Typhoon's activities, particularly focusing on the KV Botnet's server infrastructure. Despite expectations following an FBI disruption, Volt Typhoon has maintained consistent SSL certificates for their first-stage malware tooling, a deviation from typical behavior where threat actors often change signatures to evade detection.
Notable Quotes:
“The certificate that they used had been consistent since pre-FBI disruption and has been the way that we've been able to follow a lot of their servers since they were first exposed.”
— Silas Cutler [03:00]
“They have the techniques and they are at a skill level where they can respond well. So the working theory that a couple of us have been talking about has been that potentially this is a contract type entity...”
— Silas Cutler [05:45]
Silas outlines the methodology used by Censys to identify and track Volt Typhoon's control servers. Through continuous internet scanning and monitoring of SSL certificates, Censys identified patterns and migrations of Volt Typhoon's servers across different providers, including the Choopa ASN and DigitalOcean.
Notable Quote:
“At Censys we do continuous scanning of the Internet. So looking for things like the SSL certificates that websites are using, those are really important key indicators...”
— Silas Cutler [06:16]
Attribution remains a complex challenge. Silas emphasizes that while there's significant overlap in tradecraft between Volt Typhoon and other groups like Flax Typhoon and Salt Typhoon, definitive attribution requires iterative intelligence and collaboration across the cybersecurity community.
Notable Quotes:
“All threat intelligence is iterative. So inherently the findings that we have are built on the findings of others.”
— Silas Cutler [12:01]
“Using something like this where they're moving to breaching VPN appliances and SOHO routers as a means of building out these networks shows a lot more operational maturity...”
— Silas Cutler [15:08]
Silas discusses the advanced operational security (OpSec) measures employed by Volt Typhoon, particularly their use of non-attribution networks and strategic placement of control servers within the U.S. This approach minimizes detectable footprints and complicates efforts to disrupt their activities.
Notable Quote:
“It was surprising that even after law enforcement was able to conduct an operation to disrupt some of these servers, that they still continued to maintain these servers within the US instead of moving to, say, somewhere like the UK or another friendly country.”
— Silas Cutler [09:01]
The discussion extends to the potential risks posed by Volt Typhoon to various organizations. Silas advises that all businesses, especially those in critical infrastructure sectors, must ensure their devices and networks are up-to-date with the latest patches and security practices to mitigate the risk of being leveraged inadvertently by such botnets.
Notable Quote:
“If you're a critical infrastructure provider or working in water treatment or any critical sector, there is a possibility that they may be targeted for the more espionage related purposes.”
— Silas Cutler [16:08]
Silas emphasizes the necessity for enhanced information sharing and collaborative efforts within the cybersecurity community to effectively track and counteract sophisticated threat actors like Volt Typhoon. Additionally, he calls for clearer attribution practices to better understand and respond to evolving cyber threats.
Notable Quote:
“For Volt Typhoon, it's one of those actors that's incredibly difficult to really pin down... it is one that has real national security consequences and that we need to be on the forefront of tracking incredibly closely.”
— Silas Cutler [17:28]
The episode concludes with a call to action for the cybersecurity community to engage in continuous research and collaboration. Silas remains hopeful that ongoing efforts will uncover more about Volt Typhoon's operations, strengthening the collective defense against such elusive and sophisticated cyber threats.
Notable Quote:
“But with this group it seems it's very odd because they have the techniques and they are at a skill level where they can respond well... it's possible that these changes haven't been made because they are a government contractor somewhere in China and it is not within the scope of their contract to make the changes.”
— Silas Cutler [05:45]
Produced By: Liz Stokes
Mixing: Elliot Peltzman and Trey Hester
Executive Producer: Jennifer Eiben
Publisher: Peter Kilpe
For more detailed insights, listeners are encouraged to access the full transcript and research materials linked in the show notes.