Query Details

Infrastructure Vulnerability Exposure To Volt Typhoon

Query

// Infrastructure Vulnerability Exposure to Volt Typhoon

// Expert analysis from last year revealed that PRC APT groups, such as Volt Typhoon, frequently exploit known vulnerabilities in TP-Link routers during their malicious campaigns. These campaigns have included targeting government officials in European countries. In these attacks, modified firmware images have so far been found exclusively on TP-Link routers.
// Given the portability of user laptops, there is a risk that a laptop used for work might connect to a TP-Link wireless router at home, in a café, or at another mobile working location. This connection increases the security risk for both the endpoint and the TP-Link router, potentially making them vulnerable to exploitation.
// By leveraging Microsoft’s endpoint discovery capabilities, you can identify if any of your endpoints have connected to or detected a TP-Link router. Additionally, correlating the vulnerabilities present on these endpoints can help estimate the exposure risk to APT groups exploiting TP-Link routers.

// The KQL query below gives a summary of the vulnerability counts (High, Medium and Low) across all of your endpoints that have been exposed to a TP-Link router environment.

let DeviceExposedToTPLinkRouter =
DeviceInfo
// Keep only the most recent record for each device
| summarize arg_max(Timestamp, *) by DeviceId
// Drop records that have been merged into another device record
| where isempty(MergedToDeviceId)
// Keep network-discovered (non-onboarded) devices, i.e. the routers themselves
| where OnboardingStatus != "Onboarded"
| where Vendor contains "TP-LINK"
// SeenBy() adds a JSON array of the onboarded devices that observed this router
| invoke SeenBy()
// Expand the array so every observing endpoint is kept, not only the first entry
| mv-expand SeenByDevice = parse_json(SeenBy)
| extend SeenByDeviceID = tostring(SeenByDevice.DeviceId)
| distinct SeenByDeviceID;
DeviceTvmSoftwareVulnerabilities
| where DeviceId has_any(DeviceExposedToTPLinkRouter)
| summarize VulnerabilityCount=count() by VulnerabilitySeverityLevel

Explanation

This KQL query is designed to identify and summarize the vulnerabilities of endpoints that have connected to TP-Link routers, which are known to be exploited by certain advanced persistent threat (APT) groups like Volt Typhoon. Here's a simplified breakdown of what the query does:

  1. Identify Devices Exposed to TP-Link Routers:

    • The query first looks at device information to find devices that have connected to TP-Link routers.
    • It keeps only devices that are not onboarded (network-discovered devices such as routers) and discards records that have been merged into other device records.
    • It specifically looks for devices where the vendor information contains "TP-LINK".
    • It then uses the SeenBy function to obtain the device IDs of the onboarded endpoints that have seen these TP-Link routers.
  2. Summarize Vulnerabilities:

    • The query then checks the software vulnerabilities of the devices identified in the first step.
    • It counts the number of vulnerabilities and categorizes them by their severity levels (High, Medium, Low).

In summary, this query helps you understand the vulnerability exposure of your endpoints that have connected to TP-Link routers by providing a count of vulnerabilities categorized by their severity. This can help in assessing the risk posed by potential exploitation from APT groups like Volt Typhoon.
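The same exposure can be broken down per endpoint rather than as one total. The following query is an added example and is not part of the original query or its author's work; it assumes the standard Defender XDR schema for DeviceInfo and DeviceTvmSoftwareVulnerabilities (including the DeviceName and CveId columns and a "Critical" severity value), and the alias names are my own.

```kql
// Added example (not the original query): per-endpoint exposure breakdown.
// Assumes the Defender XDR schema for DeviceInfo and DeviceTvmSoftwareVulnerabilities.
let ExposedEndpoints =
    DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId
    | where isempty(MergedToDeviceId)
    | where OnboardingStatus != "Onboarded"          // network-discovered devices only
    | where Vendor contains "TP-LINK"
    | invoke SeenBy()                                // onboarded devices that saw the router
    | mv-expand SeenByDevice = parse_json(SeenBy)
    | extend EndpointId = tostring(SeenByDevice.DeviceId)
    // Collapse to one row per endpoint so the join below cannot duplicate vulnerability rows
    | summarize RoutersSeen = dcount(DeviceId),
                RouterNames = make_set(DeviceName, 5)
             by EndpointId;
DeviceTvmSoftwareVulnerabilities
| join kind=inner ExposedEndpoints on $left.DeviceId == $right.EndpointId
| summarize Critical = countif(VulnerabilitySeverityLevel == "Critical"),
            High     = countif(VulnerabilitySeverityLevel == "High"),
            Medium   = countif(VulnerabilitySeverityLevel == "Medium"),
            Low      = countif(VulnerabilitySeverityLevel == "Low"),
            DistinctCves = dcount(CveId),
            RoutersSeen  = take_any(RoutersSeen),
            RouterNames  = take_any(RouterNames)
         by DeviceId, DeviceName
| order by Critical desc, High desc, DistinctCves desc
```

The result lists each exposed endpoint with its vulnerability counts per severity, the number of distinct CVEs, and up to five names of the TP-Link routers it has seen, which is more actionable for prioritising patching than the single total.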

Details


Steven Lim

Released: August 22, 2024

Tables

DeviceInfo, DeviceTvmSoftwareVulnerabilities

Keywords

Devices, Vulnerabilities

Operators

let, summarize, arg_max, by, where, isempty, contains, invoke, SeenBy, extend, parse_json, tostring, project, has_any, count
