CrowdStrike has now also written up Volt Typhoon, the threat actor Microsoft reported on recently (CrowdStrike tracks it as VANGUARD PANDA). In the cases CrowdStrike has observed since mid-2020, the actor exploited CVE-2021-40539 in the ManageEngine IT management software (ADSelfService Plus) to gain initial access, then deployed web shells to keep persistent access, and used living-off-the-land (LOTL) techniques for lateral movement.

Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft

June 22, 2023
VANGUARD PANDA Background
On May 24, 2023, industry and government sources detailed China-nexus activity in which the threat actor dubbed Volt Typhoon targeted U.S.-based critical infrastructure entities. CrowdStrike Intelligence tracks this actor as VANGUARD PANDA.

Since at least mid-2020, the CrowdStrike Falcon® Complete managed detection and response (MDR) team and the CrowdStrike® Falcon OverWatch™ threat hunting team have observed related historical activity in multiple sectors. The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom webshells for persistent access, and living-off-the-land (LOTL) techniques for lateral movement.

Collaboration between Falcon Complete, Falcon OverWatch and the CrowdStrike Intelligence team is a force multiplier protecting customers from the latest threats to ultimately stop breaches.

Incident Case Study
One specific VANGUARD PANDA incident stands out to review in detail. Falcon Complete responded to a detection that was triggered by suspicious reconnaissance commands executed under an Apache Tomcat web server running ManageEngine ADSelfService Plus.

The malicious activity detailed in the detection included listing processes, network connectivity testing, gathering user and group information, mounting shares, enumeration of domain trust over WMI, and listing DNS zones over WMI. VANGUARD PANDA’s actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI.
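The chain the case study describes (a web shell under Tomcat/ADSelfService Plus driving native recon tooling in quick succession, including WMI with plaintext credentials) is a good fit for a process-lineage detection. The block below is an added example written for this page, not CrowdStrike's or Falcon's detection logic. It assumes Sysmon-style process-creation records with a parent image path, checks only the direct parent (a production rule would walk the full ancestor chain, since `wmic.exe` is usually spawned via `cmd.exe`), and uses constructed command lines and hostnames that merely illustrate the recon categories named above; the path `C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe` and the substring tables are assumptions, not observed indicators.

```python
"""Added example (not CrowdStrike code): flag recon bursts spawned by a web server.

Records are constructed, Sysmon-Event-ID-1-like process-creation events. A
child of a Tomcat/ADSelfService Plus process that runs several distinct recon
categories within a short window, or passes a plaintext password to wmic, is
reported as one alert per host.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: web-server images that should never spawn recon tooling.
WEB_SERVER_IMAGES = ("java.exe", "tomcat9.exe", "w3wp.exe", "httpd.exe")
# Assumption: path fragments tying the JVM to ManageEngine ADSelfService Plus.
APP_PATH_HINTS = ("adselfservice plus", "manageengine")

# Recon categories from the case study, keyed by command-line substrings
# (constructed; tune to your environment).
RECON_PATTERNS = {
    "list processes":         ("tasklist", "get-process", "wmic process"),
    "network connectivity":   ("ping ", "test-netconnection", "nslookup "),
    "user/group enumeration": ("net user", "net group", "net localgroup", "whoami"),
    "mount share":            ("net use ", "new-psdrive"),
    "domain trust via WMI":   ("microsoft_domaintruststatus", "win32_ntdomain"),
    "DNS zones via WMI":      ("microsoftdns_zone", r"root\microsoftdns"),
}


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent_image: str
    image: str
    cmdline: str


def is_web_server_child(ev: ProcEvent) -> bool:
    """True when the direct parent is a web-server binary living under the app path."""
    parent = ev.parent_image.lower()
    return parent.endswith(WEB_SERVER_IMAGES) and any(h in parent for h in APP_PATH_HINTS)


def classify(cmdline: str) -> set:
    """Return the set of recon categories a command line matches."""
    c = cmdline.lower()
    return {cat for cat, needles in RECON_PATTERNS.items() if any(n in c for n in needles)}


def uses_plaintext_wmi_creds(cmdline: str) -> bool:
    """wmic /node:... /user:... /password:... puts the password on the command line."""
    c = cmdline.lower()
    return "wmic" in c and "/password:" in c


def detect(events, window=timedelta(minutes=5), min_categories=3):
    """One alert per host where a web-server child ran >= min_categories distinct
    recon categories inside `window` (the 'rapid succession' signal)."""
    alerts = []
    hits_by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_web_server_child(ev):
            continue
        cats = classify(ev.cmdline)
        if cats or uses_plaintext_wmi_creds(ev.cmdline):
            hits_by_host.setdefault(ev.host, []).append((ev, cats))
    for host, hits in hits_by_host.items():
        for i, (first, _) in enumerate(hits):        # sliding window over hits
            seen, creds, cmds = set(), False, []
            for ev, cats in hits[i:]:
                if ev.ts - first.ts > window:
                    break
                seen |= cats
                creds = creds or uses_plaintext_wmi_creds(ev.cmdline)
                cmds.append(ev.cmdline)
            if len(seen) >= min_categories:
                alerts.append({"host": host, "start": first.ts, "categories": sorted(seen),
                               "plaintext_wmi_creds": creds, "commands": cmds})
                break
    return alerts


# Constructed sample telemetry: one burst on WEB01 plus benign admin noise on WKS07.
_T0 = datetime(2023, 6, 1, 9, 0, 0)
_TOMCAT = r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe"   # assumed path
_CMD, _WMIC = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_EVENTS = [
    ProcEvent(_T0, "WEB01", _TOMCAT, _CMD, "cmd.exe /c tasklist /v"),
    ProcEvent(_T0 + timedelta(seconds=12), "WEB01", _TOMCAT, _CMD, "cmd.exe /c ping -n 1 dc01.corp.example"),
    ProcEvent(_T0 + timedelta(seconds=30), "WEB01", _TOMCAT, _CMD, 'cmd.exe /c net group "Domain Admins" /domain'),
    ProcEvent(_T0 + timedelta(seconds=55), "WEB01", _TOMCAT, _CMD, r"cmd.exe /c net use \\fs01\it$ /user:corp\svc_backup Summer2023!"),
    ProcEvent(_T0 + timedelta(seconds=80), "WEB01", _TOMCAT, _WMIC,
              r"wmic /node:dc01 /user:corp\svc_backup /password:Summer2023! /namespace:\\root\MicrosoftActiveDirectory path Microsoft_DomainTrustStatus get TrustedDomain"),
    ProcEvent(_T0 + timedelta(seconds=95), "WEB01", _TOMCAT, _WMIC,
              r"wmic /node:dc01 /user:corp\svc_backup /password:Summer2023! /namespace:\\root\MicrosoftDNS path MicrosoftDNS_Zone get Name"),
    ProcEvent(_T0 + timedelta(minutes=1), "WKS07", r"C:\Windows\explorer.exe", _CMD, "cmd.exe /c tasklist"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["start"], alert["categories"], "creds:", alert["plaintext_wmi_creds"])
```

The burst threshold is what separates this from a noisy "java spawned cmd" rule: a single `tasklist` from an admin shell on WKS07 is ignored, while six recon categories in 95 seconds under the ADSelfService Plus JVM fire once. The `/password:` check is worth keeping as its own alert even below the burst threshold, since it surfaces the plaintext credentials the case study mentions and tells you which account to rotate.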
