
posted by janrinok on Tuesday May 30, @06:53PM
from the fact-is-becoming-more-like-fiction dept.

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

Volt Typhoon is being hunted by the Five Eyes partnership after attacking critical infrastructure in Guam and other locations. NSA is leading U.S. and Five Eyes partner agencies in publicly releasing the "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" Cybersecurity Advisory (CSA) today. The partner agencies include:

• U.S. Cybersecurity and Infrastructure Security Agency (CISA)
• U.S. Federal Bureau of Investigation (FBI)
• Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• United Kingdom National Cyber Security Centre (NCSC-UK)

"For years, China has conducted operations worldwide to steal intellectual property and sensitive data from critical infrastructure organizations around the globe," said Jen Easterly, CISA Director.

[...] One of the actor's primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor's commands along with detection signatures to aid network defenders in hunting for this activity.
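Living off the land works because each of the tools named above is also used by legitimate administrators, so alerting on any single invocation is noisy. The following is an added example (not code from the advisory and not its detection signatures): it parses constructed, simplified 4688-style process-creation records and flags a host only when several distinct built-in tools from the advisory's list are launched within a short window, a pattern that ordinary administration rarely produces. Hostnames, users and the record layout are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows binaries named in the advisory summary, as image basenames.
LOTL_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Constructed sample records (hostnames and users are made up) in a simplified
# Event ID 4688-style layout: timestamp | host | subject user | new process name
SAMPLE_LOG = """\
2023-05-24T10:01:05 | WS01 | CORP\\alice      | C:\\Windows\\System32\\cmd.exe
2023-05-24T10:02:11 | DC01 | CORP\\svc_backup | C:\\Windows\\System32\\ntdsutil.exe
2023-05-24T10:02:40 | DC01 | CORP\\svc_backup | C:\\Windows\\System32\\wmic.exe
2023-05-24T10:03:02 | DC01 | CORP\\svc_backup | C:\\Windows\\System32\\netsh.exe
2023-05-24T14:30:00 | WS02 | CORP\\bob        | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""

LINE_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\S+)$")


def parse(log_text):
    """Yield (timestamp, host, user, image basename) for each well-formed record."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the hunt
        ts, host, user, image = m.groups()
        yield datetime.fromisoformat(ts), host, user, image.rsplit("\\", 1)[-1].lower()


def score_hosts(log_text, window=timedelta(minutes=10), min_tools=2):
    """Return {host: sorted tool names} for hosts on which at least `min_tools`
    distinct LOTL binaries were launched inside one sliding window of `window`.

    One tool alone is routine admin noise; several in quick succession on the
    same host is the pattern worth a closer look (user, parent, command line).
    """
    per_host = defaultdict(list)
    for ts, host, _user, image in parse(log_text):
        if image in LOTL_TOOLS:
            per_host[host].append((ts, image))
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            tools = {img for t, img in events[i:] if t - t0 <= window}
            if len(tools) >= min_tools:
                flagged[host] = sorted(tools)
                break
    return flagged
```

On the sample above only DC01 is flagged: three different tools inside a minute under one service account, while the lone PowerShell launch on WS02 stays below the threshold.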


  • (Score: 3, Interesting) by RamiK (1813) on Tuesday May 30, @07:14PM (#1308932)

    Hang 'em!

    Really now, that PDF is basically describing a script kiddie copy-pasting off a how-to manual they got at some (Chinese?) after-school "cyber" course... Like, I've seen this sort of scripting in vendor software for Rockchip SoCs and the like... I mean, I won't be surprised if all of this traces back to some $20 kit floating around in whatever passes for Tor in China.

    --
    compiling...