In the increasingly complex world of cybersecurity, Rupert Marais stands out as a leading figure in the field of endpoint and device security, cybersecurity strategies, and network management. With a career dedicated to understanding and mitigating cyber threats, Rupert has been at the forefront of tackling sophisticated cyber campaign tactics like the recently discovered Typhoon-like operation. This interview presents Rupert’s insights into the nature of the operation and offers expert perspectives drawn from his extensive experience.
Can you explain the purpose of the Typhoon-like campaign as discovered by SecurityScorecard?
The Typhoon-like campaign is primarily focused on gaining prolonged access to networks. It’s very much in line with the tactics seen from China’s ‘Typhoon’ crews. The attackers are using compromised devices to create an Operational Relay Box network, allowing traffic to move covertly and making it difficult for victims to detect the infiltration in real time.
Who are the primary targets of the cyberattacks tied to this campaign?
The campaign mainly targets end-of-life routers, IoT devices, internet-connected security cameras, virtual servers, and other small office/home office devices. These are crucial components for building their ORB network. Victims also include internet service providers, hardware vendors, and sectors like IT, real estate, and media. This diverse range indicates a meticulous strategy to exploit vulnerabilities across various industries.
How does employing Operational Relay Boxes benefit the attackers?
Operational Relay Boxes are advantageous for attackers because they provide a means to route attack traffic through what appear to be local IP addresses. This local guise drastically reduces the chances of detection. This technique is especially prevalent among nation-state adversaries, helping them obfuscate their operations and appear as though the threat originates within the geographical proximity of their targets.
Which regions have been most affected by this campaign?
The campaign has compromised at least 1,000 devices, mostly located in the US and Southeast Asia. Notably, significant clusters of infected devices have been found in countries like Japan, South Korea, Taiwan, and Hong Kong, with these regions comprising about 90 percent of the ORB network.
Could you elaborate on the relationship between Volt Typhoon, Salt Typhoon, and this campaign?
The connection between Volt Typhoon and Salt Typhoon lies in the tactic similarity. Both groups are notorious for using ORBs as a covert transfer network. While SecurityScorecard hasn’t definitively attributed this campaign to a specific Chinese group, the techniques align with those seen in operations conducted by these Typhoon crews.
What does the fraudulent TLS certificate, allegedly signed by the LAPD, signify in terms of attacker strategies?
Using a phony TLS certificate signed by the City of Los Angeles Police Department is a crafty way to introduce legitimacy to the malicious traffic. This tactic illustrates the attackers’ sophisticated approach to appearing credible while simultaneously attempting to fly under the radar of security measures that often rely on certificate validation.
Which vulnerabilities have been exploited in the LapDogs network, and how?
The attackers have targeted older and unpatched devices, with two specific vulnerabilities standing out: CVE-2015-1548 and CVE-2017-17663. These are found in older versions of ACME mini_httpd. CVE-2015-1548 allows remote attackers to snatch sensitive information from process memory, while CVE-2017-17663 is a buffer overflow vulnerability that can lead to remote code execution.
What function does the ShortLeash backdoor serve in retaining access?
ShortLeash is crucial because it facilitates long-term accessibility for attackers. Once deployed, ShortLeash offers a consistent entry point into the compromised devices, enabling the attackers to sustain their control and potentially expand their operations within the network.
How does ShortLeash achieve persistent access on infected machines?
ShortLeash persists by embedding itself deeply within the operating system. It utilizes a startup Bash script that operates with high-level privileges, making sure the backdoor reloads after every reboot and that the attackers maintain their grip on the infected machine.
Is there any insight into the potential use of encrypted malware in upcoming attacks?
While the exact purpose of this encrypted malware remains undisclosed, there’s a possibility that it might be used to disrupt or incapacitate critical infrastructure in future attacks. It bears resemblance to malware samples identified by Cisco Talos, suggesting a pattern consistent with past disruptive tactics.
How can network defenders recognize and guard against such threats?
Network defenders should focus on understanding the Tactics, Techniques, and Procedures (TTPs) employed by threat actors. They need to be vigilant about suspicious network activities such as unusual connections from residential IPs, traffic from unexpected high port numbers, and the presentation of fake TLS certificates.
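As an added example, not part of the interview and not code from SecurityScorecard or the interviewee, the following Python script shows one way a defender could turn the three indicators just named (residential source IPs, unexpected high ports, untrusted TLS issuers) into a triage check over log data. The residential prefix list, the expected-port policy, the trusted-issuer list, the key=value log format and the sample lines are all constructed assumptions for illustration; in practice the prefix list would come from an organization's own IP-enrichment feed.

```python
"""Triage of sample network log lines for the indicators named in the interview:
connections from residential IPs, traffic on unexpected high ports, and TLS
certificates from an issuer the environment does not trust.

This is an added example, not code from SecurityScorecard or the interviewee.
The residential prefixes, expected-port policy, trusted-issuer list and the
log format are all constructed assumptions for illustration."""
import ipaddress
import shlex
from typing import Dict, List, Tuple

# Constructed: prefixes an organization might label "residential" from its
# own IP-enrichment data (these are documentation ranges, not real ISP space).
RESIDENTIAL_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
# Constructed policy: the only ports this environment expects inbound traffic on.
EXPECTED_INBOUND_PORTS = {22, 443}
# Constructed policy: certificate issuers trusted for this environment's own services.
TRUSTED_ISSUERS = {"Example Internal CA"}

# Constructed sample log lines in a simple key=value format.
SAMPLE_LINES = [
    'ts=2025-06-20T10:00:00Z src=203.0.113.7 dport=443 proto=tls issuer="Example Internal CA"',
    'ts=2025-06-20T10:00:05Z src=192.0.2.10 dport=8443 proto=tls issuer="Constructed Bogus CA"',
    'ts=2025-06-20T10:00:09Z src=198.51.100.42 dport=49152 proto=tcp',
    'ts=2025-06-20T10:00:12Z src=192.0.2.20 dport=22 proto=tcp',
]


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def indicators(fields: Dict[str, str]) -> List[str]:
    """Return the names of every indicator a parsed log line matches."""
    hits: List[str] = []
    src = ipaddress.ip_address(fields["src"])
    if any(src in prefix for prefix in RESIDENTIAL_PREFIXES):
        hits.append("residential-source")
    dport = int(fields["dport"])
    # High ports that are not part of the expected inbound set.
    if dport >= 1024 and dport not in EXPECTED_INBOUND_PORTS:
        hits.append("unexpected-high-port")
    issuer = fields.get("issuer")
    if issuer is not None and issuer not in TRUSTED_ISSUERS:
        hits.append("untrusted-tls-issuer")
    return hits


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (source IP, indicators) for every line that matches at least one
    indicator, ordered so that lines matching several indicators come first:
    a single match is weak on its own, a combination is worth an analyst's time."""
    flagged: List[Tuple[str, List[str]]] = []
    for line in lines:
        fields = parse_line(line)
        hits = indicators(fields)
        if hits:
            flagged.append((fields["src"], hits))
    # Stable sort: ties keep their original log order.
    flagged.sort(key=lambda item: -len(item[1]))
    return flagged


if __name__ == "__main__":
    for src, hits in triage(SAMPLE_LINES):
        print(f"{src}: {', '.join(hits)}")
```

Each indicator on its own produces plenty of benign matches (a remote employee on a residential line, a legitimate service on a high port), which is why the triage step ranks lines by how many indicators coincide rather than alerting on any single one.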
What are the dangers of directing attack traffic through residential IP addresses?
Routing attack traffic through residential IPs poses significant risks as it makes malicious activity much harder to identify. Such traffic often seems commonplace and legitimate, thus bypassing traditional security alarms. This stealth increases the time frame attackers have to exploit vulnerabilities without being discovered.
How can organizations safeguard their networks from being exploited like this?
Organizations should adopt proactive security measures, including patching vulnerable devices, deploying rigorous monitoring systems, and conducting regular audits to ensure their networks aren’t being utilized for malicious purposes. Educating employees on recognizing phishing attempts and other intrusion tactics could also enhance security awareness.
Do particular sectors or organizations need to be more alert given the campaign’s aims?
Considering the targets, sectors like IT and media, along with internet service providers and hardware vendors, should heighten their vigilance. Given their strategic importance and the sensitivity of their data, these organizations might be at increased risk of such cyber campaigns.