{"id":92087,"date":"2023-05-26T06:51:53","date_gmt":"2023-05-26T06:51:53","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4099892"},"modified":"2023-05-26T06:51:53","modified_gmt":"2023-05-26T06:51:53","slug":"microsoft-warns-of-volt-typhoon-latest-salvo-in-global-cyberwar","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=92087","title":{"rendered":"Microsoft warns of Volt Typhoon, latest salvo in global cyberwar"},"content":{"rendered":"<figure id=\"attachment_4099895\" aria-describedby=\"caption-attachment-4099895\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-4099895\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/05\/microsoft-warns-of-volt-typhoon-latest-salvo-in-global-cyberwar.jpg\" alt=\"A cyber attack visualization.\" width=\"770\" height=\"433\"><figcaption id=\"caption-attachment-4099895\" class=\"wp-caption-text\">Image: pinkeyes\/Adobe Stock<\/figcaption><\/figure>\n<p>Microsoft\u2019s warning on Wednesday that the China-sponsored actor <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/05\/24\/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques\/\" target=\"_blank\" rel=\"noopener noreferrer\">Volt Typhoon attacked U.S. infrastructure<\/a> lent hard emphasis to presentations by cybersecurity and international affairs experts arguing that a global war in cyberspace is pitting authoritarian regimes against democracies.<\/p>\n<h2 id=\"china\">China\u2019s commitment to cyberwarfare<\/h2>\n<p>Microsoft\u2019s notification pointed out that Volt Typhoon \u2014 which hit organizations in sectors spanning IT, communications, manufacturing, utility, transportation, construction, maritime, government and education \u2014 has been pursuing a \u201cliving off the land\u201d strategy focused on data exfiltration since 2021. 
The tactic typically relies on social engineering, such as phishing, to get into a network and then stays hidden by riding on legitimate software already present on it. In this campaign, the actor uses a Fortinet exploit to gain access and valid accounts to persist (<strong>Figure A<\/strong>).<\/p>\n<p><strong>Figure A<\/strong><\/p>\n<figure id=\"attachment_4099893\" aria-describedby=\"caption-attachment_4099893\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-4099893\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/05\/microsoft-warns-of-volt-typhoon-latest-salvo-in-global-cyberwar.png\" alt=\"Volt Typhoon attack diagram.\" width=\"770\" height=\"282\"><figcaption id=\"caption-attachment-4099893\" class=\"wp-caption-text\">Volt Typhoon attack diagram. Image: Microsoft<\/figcaption><\/figure>\n<p>Nadir Izrael, the chief technology officer and co-founder of the Armis security firm, pointed out that China\u2019s defense budget has been increasing over the years, reaching an estimated <a href=\"https:\/\/www.defensenews.com\/global\/asia-pacific\/2020\/05\/22\/china-announces-1782-billion-military-budget\/\" target=\"_blank\" rel=\"noopener noreferrer\">$178 billion in 2020<\/a>. \u201cThis growing investment has enabled China to build up its cyber capabilities, with more than 50,000 cyber soldiers and an advanced cyberwarfare unit,\u201d he said.<\/p>\n<p>He added that China\u2019s investment in offensive cyber capabilities has created \u201ca global weapon in its arsenal to rattle critical infrastructure across nearly every sector \u2014 from communications to maritime \u2014 and interrupt U.S. 
citizens\u2019 lives.\u201d He said, \u201cCyberwarfare is an incredibly impactful, cost-effective tool for China to disrupt world order.\u201d<\/p>\n<p>According to Armis, he has been predicting these threats since January after finding that <a href=\"https:\/\/www.armis.com\/cyberwarfare\/\" target=\"_blank\" rel=\"noopener noreferrer\">33% of global organizations are not taking the threat of cyberwarfare seriously<\/a>. He has been urging governments and businesses across sectors to start putting in place procedures to counteract these threats.<\/p>\n<p>\u201cAs the world becomes increasingly digitized, cyberwarfare is modern warfare,\u201d Armis said. \u201cThis has to be a wake-up call for the U.S. and western nations.\u201d<\/p>\n<p>At the WithSecure Sphere23 conference in Helsinki, Finland, before this security news had crossed the wires, Jessica Berlin, a Germany-based foreign policy analyst and founder of the consultancy CoStruct, said the U.S., the European Union and other democracies have not awakened to the implications of cyberwarfare by Russia, China and North Korea. She said these countries are engaged in a cybernetic world war \u2014 one in which autocracies have the upper hand because they have fully acknowledged and embraced it and have committed to waging it as such.<\/p>\n<p>She told TechRepublic that tech and security companies could play a key role in awakening citizens and governments to this fact by being more transparent about attacks. 
She also noted the European Union\u2019s General Data Protection Regulation, which has been in effect for five years, has been a powerful tool for oversight of digital information, data provenance and misinformation on social platforms.<\/p>\n<h2 id=\"cybercrime\">Professionalization of cybercrime lowers bar to entry<\/h2>\n<p>Stephen Robinson, a senior threat intelligence analyst at WithSecure, said the cybercriminal ecosystem\u2019s mirroring of legitimate business has made it easier for state actors and less sophisticated groups to buy what they can\u2019t make. This <a href=\"https:\/\/www.withsecure.com\/content\/dam\/with-secure\/en\/resources\/WS_Professionalisation_of_CyberCrime_EN.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">professionalization of cybercrime<\/a> has created a formal service sector. \u201cThey are outsourcing functions, hiring freelancers, subcontracting; criminal service providers have sprung up, and their existence is industrializing exploitation,\u201d said Robinson.<\/p>\n<p>The success of the criminal as-a-service model is expedited by such frameworks as Tor anonymous data transfer and cryptocurrency, noted Robinson, who delineated some dark web service verticals.<\/p>\n<ul>\n<li><strong>Initial access brokers:<\/strong> These brokers are key because they thrive in the service-oriented model and are enablers. They use whatever method they can to gain access and then offer that access.<\/li>\n<li><strong>Crypter as a service:<\/strong> Crypter is a tool to hide a malware payload. And this, said Robinson, has led to an arms race between malware and antimalware.<\/li>\n<li><strong>Crypto jackers:<\/strong> These actors break into a network and drop software and are often one of the first actors to exploit a server vulnerability. 
They constitute a low threat yet are a very strong indicator that something has happened or will, according to Robinson.<\/li>\n<li><strong>Malware-as-a-service: <\/strong>Highly technical and with advanced services like support and contracts and access to premium products.<\/li>\n<li><strong>Nation state actors: <\/strong>Nation state actors use the above tools, which enable them to spin up campaigns and access new victims without being attributed.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.withsecure.com\/en\/expertise\/research-and-innovation\/research\/the-professionalization-of-cyber-crime\" target=\"_blank\" rel=\"noopener noreferrer\">WithSecure has a fresh report on multi-point extortion ransomware groups<\/a> that employ several extortion strategies, including encryption, to pressure victims for payments.<\/p>\n<p>The firm\u2019s analysis of more than 3,000 data leaks by these groups showed that organizations in the U.S. were the most targeted victims, followed by Canada, the U.K., Germany, France and Australia.<\/p>\n<p>In addition, the firm\u2019s research showed that the construction industry accounted for 19% of the data leaks; the automotive industry accounted for only 6% of attacks.<\/p>\n<p>\u201cIn pursuit of a bigger slice of the huge revenues of the ransomware industry, ransomware groups purchase capabilities from specialist e-crime suppliers in much the same way that legitimate businesses outsource functions to increase their profits,\u201d said Robinson. \u201cThis ready supply of capabilities and information is being taken advantage of by more and more cyberthreat actors, ranging from lone, low-skilled operators right up to nation state APTs. Ransomware didn\u2019t create the cybercrime industry, but it has really thrown fuel on the fire.\u201d<\/p>\n<p>The firm offered an example that resembled the mass looting of a department store after the door had been left ajar. 
One organization was victimized by five threat actors, each with different objectives and representing a different type of cybercrime service: the Monti ransomware group, Qakbot malware-as-a-service, the 8220 crypto-jacking gang, an unnamed initial access broker and a subset of Lazarus Group associated with North Korea.<\/p>\n<p>In these incidents, WithSecure threat intelligence reported encountering six distinct examples of the \u201cas a service\u201d model in use in the kill chains observed (<strong>Figure B<\/strong>).<\/p>\n<p><strong>Figure B<\/strong><\/p>\n<figure id=\"attachment_4099894\" aria-describedby=\"caption-attachment-4099894\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-4099894\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/05\/microsoft-warns-of-volt-typhoon-latest-salvo-in-global-cyberwar-1.png\" alt=\"Six &quot;as a service&quot; models.\" width=\"770\" height=\"768\"><figcaption id=\"caption-attachment-4099894\" class=\"wp-caption-text\">Six \u201cas a service\u201d models. Image: WithSecure<\/figcaption><\/figure>\n<p>According to the report, this professionalization trend makes the expertise and resources to attack organizations accessible to lesser-skilled or poorly resourced threat actors. The report predicts it is likely the number of attackers and the size of the cybercrime industry will grow in the coming years.<\/p>\n<h2 id=\"how\">How to mitigate Volt Typhoon<\/h2>\n<p>In Microsoft\u2019s report about Volt Typhoon, the company said that detecting activity which uses normal sign-in channels and system binaries requires behavioral monitoring, and that remediation requires closing or changing credentials for compromised accounts. 
In these cases, Microsoft suggests that security operations teams should examine the activity of compromised accounts for any malicious actions or exposed data.<\/p>\n<p>To prevent this type of attack, Microsoft suggested these tips:<\/p>\n<ul>\n<li>Enforce strong multifactor authentication policies by using hardware security keys or passwordless sign-in, apply password expiration rules and deactivate unused accounts.<\/li>\n<li>Turn on attack surface reduction rules to block or audit activities associated with this threat.<\/li>\n<li>Enable <a href=\"https:\/\/learn.microsoft.com\/windows-server\/security\/credentials-protection-and-management\/configuring-additional-lsa-protection#BKMK_HowToConfigure\" target=\"_blank\" rel=\"noopener noreferrer\">Protected Process Light for LSASS<\/a> on Windows 11 devices. New enterprise-joined Windows 11 (22H2 update) installs have this feature enabled by default, per the company.<\/li>\n<li>Enable <a href=\"https:\/\/learn.microsoft.com\/windows\/security\/identity-protection\/credential-guard\/credential-guard-manage#enable-windows-defender-credential-guard\" target=\"_blank\" rel=\"noopener noreferrer\">Windows Defender Credential Guard<\/a>, which is turned on by default for organizations using the Enterprise edition of Windows 11.<\/li>\n<li>Turn on <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc\" target=\"_blank\" rel=\"noopener noreferrer\">cloud-delivered protection<\/a> in Microsoft Defender Antivirus.<\/li>\n<li>Run <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/edr-in-block-mode?ocid=magicti_ta_learndoc\" target=\"_blank\" rel=\"noopener noreferrer\">endpoint detection and response in block mode<\/a> so Microsoft Defender for Endpoint can block malicious artifacts.<\/li>\n<\/ul>\n
","protected":false},"excerpt":{"rendered":"<p>Image: pinkeyes\/Adobe Stock Microsoft\u2019s warning on Wednesday that the China-sponsored actor Volt Typhoon attacked U.S. infrastructure put a hard emphasis on presentations by cybersecurity and international affairs experts that a global war in cyberspace is pitting authoritarian regimes against democracies. China\u2019s commitment to cyberwarfare Microsoft\u2019s notification pointed out that Volt Typhoon \u2014 which [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":92088,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[415,40,783,56,696,152,202,434,287],"tags":[],"class_list":["post-92087","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-china","category-cloud","category-cloudsync","category-cybersecurity","category-malware","category-microsoft","category-ransomware","category-russia","category-security"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92087","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92087"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92087\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/92088"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=92087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"htt
ps:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}