US Agencies Warn About Network Devices 'Frequently Exploited' By China-Linked Hacking Group

Volt Typhoon has been known to ‘commonly’ exploit vulnerabilities in network appliances from certain vendors, according to an advisory from CISA, the FBI and the NSA.

U.S. agencies warned Wednesday that China-linked threat group Volt Typhoon has been known to obtain initial access to targeted IT infrastructure by exploiting network appliances from vendors including Fortinet, Ivanti, Cisco, NetGear and Citrix.

The warning followed the FBI’s disclosure last week that a recent operation succeeded at disrupting the efforts of Volt Typhoon — which is backed by the Chinese government, according to the agency — to compromise U.S. critical infrastructure providers.

[Related: Why SMBs With Old Routers ‘Now Are A Target’ For Nation-State Hackers]

In the advisory Wednesday, signed by the FBI as well as the NSA and the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. agencies provided a number of new details on the observed activities of Volt Typhoon.

Notably, according to the agencies, Volt Typhoon has been known for “maintaining access and footholds within some victim IT environments for at least five years.”

The U.S. agencies also pinpointed network device vendors that have been frequently compromised by the threat actor for gaining access to targeted environments.

“To obtain initial access, Volt Typhoon actors commonly exploit vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco,” the agencies said in the advisory.

The attackers “often use publicly available exploit code for known vulnerabilities but are also adept at discovering and exploiting zero-day vulnerabilities,” the agencies said.

In one example of a “confirmed compromise” shared by the U.S. agencies, Volt Typhoon “likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched.”

Fortinet released a blog post to coincide with the U.S. agencies’ advisory Wednesday, which pointed to “the need for organizations to have a robust patch management program in place and to follow best practices to ensure a secure infrastructure.”

“We continue to urge customers to exercise timely patching practices and continued monitoring of their networks for unusual activity to help mitigate cyber risk,” Fortinet said in a statement provided to CRN Wednesday.

Cisco said in a statement that “out of date hardware and unpatched software pose real risk to customers.”

CRN has reached out to Ivanti, Citrix and NetGear for comment.

SMBs Impacted

Targets of Volt Typhoon have included providers of critical services including communications, energy, water/wastewater and transportation, the agencies said.

“Some victims are smaller organizations with limited cybersecurity capabilities that provide critical services to larger organizations or key geographic locations,” the U.S. agencies said in the advisory Wednesday.

The Volt Typhoon attacks underscore the fact that companies of any size that serve as suppliers to U.S. critical infrastructure providers are at risk, said Michael Welch, a former CISO within critical infrastructure sectors.

Such small businesses “may not think they're a target,” Welch, who is now a managing director at consultancy MorganFranklin Consulting, told CRN last week. “But because they are a supplier to a critical infrastructure, they now are a target.”

In the advisory Wednesday, U.S. agencies pointed to patch deployment for network appliances as an essential step for protecting against Volt Typhoon attacks.

“Prioritize patching critical assets, known exploited vulnerabilities, and vulnerabilities in appliances known to be frequently exploited by Volt Typhoon (e.g., Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices),” the agencies said.

In last week’s FBI disclosure, the agency said that Volt Typhoon was found to have hijacked “hundreds” of small business and home routers based in the U.S. for use as command-and-control infrastructure, according to the FBI. The routers together formed an assembly of malware-infected devices, known as a botnet, which the threat group could use for launching an attack against U.S. critical infrastructure, the FBI said.

The “vast majority” of routers in the Volt Typhoon botnet were end-of-life routers from Cisco and NetGear, which are no longer supported with security updates, the FBI said.