On 24 May 2023, the United States and international cybersecurity authorities issued a joint Cybersecurity Advisory on a large-scale campaign by a state-sponsored cyber actor known as Volt Typhoon.
Stormshield has deployed protections against this activity.
Stormshield Network Security (SNS) protections:
| ID | Name |
|----|------|
| http:79 | Directory self reference |
| http:client:header:useragent.110 | Threat actor recon activity |
Stormshield Endpoint Security (SES) protections:
The following rulesets of the default policy, in version 2304a or 2211b, already block most of the process executions used by the malicious actor during the attack:
- Stormshield – Protection baseline
- Stormshield – Data leak prevention
- Stormshield – Protection against malicious usage of LOLBIN
- Stormshield – Block-list of known dangerous applications
- Stormshield – Advanced protections
Confirm that these rulesets are enabled, and at their most recent version, in the policies applied to the endpoint agents.
Stormshield Endpoint Security (SES) compromise detection:
A YARA analysis unit “APT – Volt Typhoon” (for SES Evolution v2.3.x and v2.4.x) and an IoC analysis unit “APT – Volt Typhoon – IoC” (for SES Evolution v2.4.x only) have been released today on our distribution server. These analysis units target artifacts that can reveal traces of this malicious activity.