[Tech-l] FW: AMBER - Cybersecurity Advisory - Chinese APT Activity Summary
Thor Sage
sage at mveca.org
Fri Sep 29 13:50:48 EDT 2023
Sharing below and attached advisory.
Thor Sage
Executive Director
Miami Valley Educational Computer Association
937-767-1468 x3101
<http://www.mveca.org/> <https://www.linkedin.com/company/mveca/>
Not-for-profit Technology Services for Education and Local Governments
From: Burner, Jillian <jburner at OhioSOS.Gov>
Sent: Friday, September 29, 2023 12:03 PM
Subject: TLP: AMBER - Cybersecurity Advisory - Chinese APT Activity Summary
Cybersecurity Advisory - September 29, 2023
NOTICE: TLP:AMBER UNCLASSIFIED//FOR OFFICIAL USE ONLY
An international joint advisory was recently published (attached) that highlights activity associated with a People's Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon. This activity uses "living off the land" techniques (a cyberattack where the attacker uses native, legitimate tools in the victim's system to sustain and advance an attack) that evade detection by utilizing tools and software that are built into Windows.
To detect the activity described in the attached advisory, the audit policy for Windows security logs must include "audit process creation" and "include command line in process creation events." Otherwise, default logging configurations may not provide the necessary information to identify malicious activity.
A robust logging framework greatly impedes a threat actor's ability to cover their tracks. To ensure log integrity and availability, log files should be forwarded to a hardened centralized logging server, preferably on a segmented network.
CISA recommends that agencies prioritize logging for high value asset (HVA) systems, high impact systems, and the enterprise IT network (specifically identity providers like Azure Active Directory or Active Directory). Additionally, agencies should prioritize internet-accessible systems (e.g., web applications) and systems that interact with the internet regularly (e.g., devices from which users access email or browse the internet and DMZ network).
Action Steps:
· Read the attached advisory
· Validate logging is enabled based on "Logging Recommendations" in attached advisory
· Forward log files to a hardened, centralized logging server, preferably on a segmented network
· Enforce the principle of least privilege
· Turn on MFA
References:
· https://www.cisa.gov/sites/default/files/2023-02/TLP%20CLEAR%20-%20Guidance%20for%20Implementing%20M-21-31_Improving%20the%20Federal%20Governments%20Investigative%20and%20Remediation%20Capabilities_.pdf
· https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/
Questions? Please contact your Cyber Liaison or CDT at cyberdefenseteam at OhioSOS.Gov.
Thank you.
TLP:AMBER
UNCLASSIFIED//FOR OFFICIAL USE ONLY
NOTICE: The following document is not subject to disclosure as a public record pursuant to R.C. §149.433. DO NOT DISCLOSE
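The advisory above says detection of this activity depends on two Windows audit settings being in place: "Audit Process Creation" (event ID 4688) and "Include command line in process creation events". The script below is an added example, not part of the advisory or of this mailing-list post, that checks both settings on a single host and can enable them locally. It assumes auditpol.exe is available (it ships with every supported Windows version) and that the registry value ProcessCreationIncludeCmdLine_Enabled under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit is the one the Group Policy setting writes to, which it is. Run it in an elevated PowerShell session.

```powershell
# Added example: validate the two audit settings the advisory calls out.
# Not code from the advisory or the mailing list; assumptions noted inline.

# Registry location written by the Group Policy setting
# "Include command line in process creation events"
# (Computer Configuration > Administrative Templates > System > Audit Process Creation).
$cmdLineKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLineName = 'ProcessCreationIncludeCmdLine_Enabled'

function Test-ProcessCreationAudit {
    # auditpol reports the effective policy. /r emits CSV with the columns
    # Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting (column names are localized on
    # non-English Windows; adjust 'Inclusion Setting' if needed).
    $row     = auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    [pscustomobject]@{
        Check   = 'Audit Process Creation (event 4688)'
        Value   = $setting
        Enabled = ($setting -match 'Success')
    }
}

function Test-CommandLineLogging {
    $value = (Get-ItemProperty -Path $cmdLineKey -Name $cmdLineName -ErrorAction SilentlyContinue).$cmdLineName
    $shown = if ($null -eq $value) { 'not set' } else { $value }
    [pscustomobject]@{
        Check   = 'Include command line in process creation events'
        Value   = $shown
        Enabled = ($value -eq 1)
    }
}

function Enable-ProcessCreationLogging {
    # Local remediation only. In a domain, set the same two items through
    # Group Policy so the next policy refresh does not undo them.
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    New-Item -Path $cmdLineKey -Force | Out-Null
    Set-ItemProperty -Path $cmdLineKey -Name $cmdLineName -Value 1 -Type DWord
}

function Get-LatestProcessCommandLine {
    # Sanity check after enabling: the newest 4688 event should carry a
    # CommandLine field. Parsing the event XML avoids relying on property order.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) { return $null }
    $data = ([xml]$evt.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
}

$results = @(Test-ProcessCreationAudit; Test-CommandLineLogging)
$results | Format-Table -AutoSize

if ($results.Enabled -contains $false) {
    Write-Warning 'At least one setting is off: 4688 events will be missing or will not include command lines.'
    # Uncomment to remediate on this host:
    # Enable-ProcessCreationLogging
}
else {
    $cmd = Get-LatestProcessCommandLine
    if ($cmd) { "Most recent 4688 command line: $cmd" }
    else      { 'Settings are on, but no 4688 event with a command line has been written yet.' }
}
```

The check is read-only by default; the remediation function is there so the same script can be reused once the result has been reviewed. On domain-joined hosts, treat the local values as a snapshot of effective policy and fix the setting at the GPO level, since a local change is overwritten at the next policy refresh. Once 4688 events carry command lines, forward the Security log to the centralized, segmented collector the advisory recommends so the events survive an attempt to clear local logs.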
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CSA_PRC_State_Sponsored_Cyber_Living_off_the_Land_v1.1.PDF
Type: application/pdf
Size: 740764 bytes
Desc: CSA_PRC_State_Sponsored_Cyber_Living_off_the_Land_v1.1.PDF
URL: <http://listserv.mveca.org/pipermail/tech-l/attachments/20230929/9d8c3d2a/attachment-0001.pdf>