Not Simon 🐐

Country: People's Republic of China Organization: N/A Objective: Espionage (Page Last Updated: November 19, 2024)

Aliases:

• Volt Typhoon (Microsoft)
• Vanguard Panda (CrowdStrike)
• Bronze Silhouette (Secureworks)
• DEV-0391 (Microsoft)
• UNC3236 (Mandiant)
• UNC5291 (Note: moderate confidence by Mandiant)
• Voltzite (Dragos)
• Insidious Taurus (Unit 42)

Vulnerabilities Exploited

• CVE-2024-39717 (CVSSv3.1: 6.6 medium, in CISA's KEV Catalog) Versa Director Dangerous File Type Upload Vulnerability Source: Lumen
• CVE-2022-42475 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability Source: CISA
• Source: Versa Networks
  • CVE-2023-27997 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability
  • CVE-2024-21762 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS Out-of-Bound Write Vulnerability
  • CVE-2023-46805 (CVSSv3.1: 8.2 high, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
  • CVE-2024-21887 (CVSSv3.1: 9.1 critical, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Command Injection Vulnerability

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• November 19, 2024 – Tenable: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
• November 12, 2024 – Security Scorecard: The Botnet is Back: SSC STRIKE Team Uncovers a Renewed Cyber Threat
• November 05, 2024 – Bloomberg: Chinese Group Accused of Hacking Singtel in Telecom Attacks (news article, archive link)
• August 27, 2024 – Lumen: Taking the Crossroads: The Versa Director Zero-Day Exploitation
• June 12, 2024 – Natto Thoughts: Who is Volt Typhoon? A State-sponsored Actor? Or Dark Power?
• April 04, 2024 – Mandiant: Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
• March 20, 2024 – ASD ACSC: PRC State-Sponsored Cyber Activity
• February 14?, 2024 – Dragos: VOLTZITE Espionage Operations Targeting U.S. Critical Systems and (7 page PDF)
• February 14, 2024 – Unit 42: Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon)
• February 07, 2024 – Lumen: KV-Botnet: Don’t call it a Comeback
• February 07, 2024 – CISA:
  • PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
  • Joint Guidance: Identifying and Mitigating Living Off the Land Techiques (PDF)
  • MAR-10448362-1.v1 Volt Typhoon
• January 31, 2024 – U.S. Department of Justice: U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure
• January 31, 2024 – CISA: Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers and (2 page PDF)
• January 11, 2024 – Security Scorecard: Threat Intelligence Research: Volt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days

2023

• December 13, 2023 – Lumen: Routers Roasting on an Open Firewall: the KV-botnet Investigation
• June 23, 2023 – CrowdStrike: Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft
• May 24, 2023 – Microsoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
• May 24, 2023 – CISA: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
• May 24, 2023 – Secureworks: Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat