from the fact-is-becoming-more-like-fiction dept.
https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
Volt Typhoon is being hunted by the Five Eyes partnership after attacking critical infrastructure in Guam and other locations. NSA is leading U.S. and Five Eyes partner agencies in publicly releasing the "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" Cybersecurity Advisory (CSA) today. The partner agencies include:
• U.S. Cybersecurity and Infrastructure Security Agency (CISA)
• U.S. Federal Bureau of Investigation (FBI)
• Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• United Kingdom National Cyber Security Centre (NCSC-UK)"For years, China has conducted operations worldwide to steal intellectual property and sensitive data from critical infrastructure organizations around the globe," said Jen Easterly, CISA Director.
[...] One of the actor's primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor's commands along with detection signatures to aid network defenders in hunting for this activity.
(Score: 3, Interesting) by RamiK on Tuesday May 30 2023, @07:14PM
Hang 'em!
Really now, that pdf is basically describing a script kiddie copy-pasting off a how-to-manual they got at some (Chinese?) after-school "cyber" course... Like, I've seen this sort of scripting in vendor software for rockchip SoCs and the likes... I mean, I won't be surprised if all of this traces back to some $20 kit floating around in whatever passes for TOR in China.
compiling...
(Score: 1) by namefags_are_jerks on Tuesday May 30 2023, @07:52PM
Again I'm getting the warm fuzzies from someone bringing the Old mid-1980s Cracker Ways into the current age... In essence, "LOTL" is exactly what Marcus Hess got up too.
(Score: 2) by looorg on Tuesday May 30 2023, @09:36PM (2 children)
Volt Typhoon, that is a cartoon villains name if I ever heard one before. He controls the weather with electricity?
(Score: 2) by NateMich on Tuesday May 30 2023, @09:49PM (1 child)
He's either a jet fighter, or an X-Men character.
(Score: 3, Funny) by Opportunist on Wednesday May 31 2023, @09:21AM
Cold also be a breakfast cereal.
(Score: 1) by Runaway1956 on Tuesday May 30 2023, @11:04PM (6 children)
Doesn't seem to mean what it used to mean. When you're fighting off wild dogs, coyotes, badgers, skunks and such to eat the food they wanted, THEN you are 'living off the land'.
(Score: 3, Interesting) by Mykl on Wednesday May 31 2023, @12:27AM (2 children)
The mental image that came to mind when I read the headline was the Unabomber.
I have never heard the term "Living off the Land" used in an IT context before. Sounds like a bunch of crap - all hackers use internal tools on a compromised system to an extent.
(Score: 2, Disagree) by zocalo on Wednesday May 31 2023, @07:14AM
"Living of the Land" was a new one in this context to me as well. Apparently, it's a file-less attack-vector, that is to say you only use the resources and tools available to you on the target system, without downloading any additional malware or other tools to disk (into system memory is OK), and ideally not generating any unusual system logs as everything initially looks like legit OS behaviour. Basically, relying on a lot of obscure/low-level system management tools and command shells, which sounds like the cracking equivalent of playing an FPS on the extremely hard setting; not necessarily required, but impressive as fsck if you are good at it.
UNIX? They're not even circumcised! Savages!
(Score: 2, Informative) by lars_stefan_axelsson on Wednesday June 07 2023, @01:58PM
No, the term has been in use for quite some time now. Here's e.g. a whitepaper from Symantec from 2019: https://docs.broadcom.com/doc/living-off-the-land-turning-your-infrastructure-against-you-en [broadcom.com]
Stefan Axelsson
(Score: 2) by coolgopher on Wednesday May 31 2023, @01:38AM (1 child)
A good farmer keeps the ferals away without a fight. I hear fences are new cool invention :D
(Score: 4, Funny) by Opportunist on Wednesday May 31 2023, @09:25AM
Oh you kids with your newfangled intrusion prevention systems.
(Score: 2) by Opportunist on Wednesday May 31 2023, @09:23AM
Considering he's fighting off the Five Eyes over their surveillance network... yeah, I guess the comparison is apt.