Palo Alto Reveals How To Beat Volt Typhoon Attacks Targeting Asian Vital Infrastructure

JAKARTA - Last week, Microsoft disclosed its discovery of malicious activity targeting vital infrastructure by Volt Typhoon, a Chinese state-sponsored threat actor.

In its disclosure, Microsoft reported that the group, which has been active since 2021, uses Living-off-the-Land (LotL) cyberattacks. In this technique, attackers use tools already present on the compromised systems to carry out their attacks.

These tools include PowerShell, WMI, the command-line interface, and batch files. Volt Typhoon is known to be developing capabilities that could disrupt critical communication infrastructure between the United States (US) and the Asian region.

LotL attacks usually consist of three phases. First, in the reconnaissance stage, attackers gather information about the compromised system, including its architecture, software versions, network configuration, and user privileges.

"This can help identify the most likely exploits, weaknesses and routes," said Sean Duca, Vice President and Regional Chief Security Officer for Asia Pacific & Japan at Palo Alto Networks, in a statement received by VOI on Tuesday, May 30.

Second, Duca explained, in the initial access phase, breaches occur through vulnerabilities in network devices or unsafe user activity, such as visiting malicious websites, opening phishing emails, or using infected USB drives. All of these can be used to deliver fileless malicious scripts.

Third, in the execution phase, the malicious activity involves privilege escalation, data exfiltration, and modification of the system configuration. This phase focuses on staying under the radar of the security scanners so that the attacker's goal can be achieved.

"Companies, governments, and core infrastructure providers all need to revise their cybersecurity strategy to address increasingly sophisticated threats by integrating host-based and network-based defense," Duca said. Network-based defense, on the other hand, can inspect unexpected traffic and communication patterns.

"So, the most effective strategy is to use endpoint-based and network-based defense simultaneously, using the insights of one system to improve the other and working together to better protect organizations," Duca explained.

At the end-user level, implementing application whitelisting ensures that only approved and trusted applications can run on the network. This proactive measure limits the execution of unauthorized programs or scripts, reducing the risk of LotL attacks.

LotL attackers also exploit vulnerabilities found in older versions of software to gain authenticated access.

"Therefore, automatic scanning and system updates across the network are very important to minimize risks," said Duca.

"In addition, by using advanced AI-capable access management solutions, cybersecurity experts can focus more on intelligence and automation while allowing these solutions to manage information and events, thus enabling very fast, near real-time detection and response times," he added.