A China-backed advanced persistent threat (APT) group dubbed Flax Typhoon has installed a web of persistent, long-term infections inside dozens of Taiwanese organizations, likely to carry out an extensive cyber espionage campaign — and it did it using only minimal amounts of malware.
According to Microsoft, the state-sponsored cyberattack group is living off the land for the most part, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent operation.
For now, most of the victims of Flax Typhoon are clustered in Taiwan, according to a warning on Flax Typhoon from Microsoft this week. The computing giant isn't divulging the scope of the attacks, but noted that enterprises beyond Taiwan should be on notice.
The campaign is "using techniques that could be easily reused in other operations outside the region," it warned. And indeed, in the past, the nation-state threat has targeted a broad range of industries (including government agencies and education, critical manufacturing, and information technology) throughout Southeast Asia, as well as in North America and Africa.
The full scope of the infections' damage will be difficult to assess, given that "detecting and mitigating this attack could be challenging," Microsoft warned. "Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated."
Living Off the Land & Commodity Malware
In contrast to many other APTs that excel at creating and evolving specific arsenals of custom cyberattack tools, Flax Typhoon prefers to take a less identifying route by using off-the-shelf malware and native Windows utilities (aka living-off-the-land binaries, or LOLBins) that are harder to use for attribution.
Its infection routine in the latest spate of attacks observed by Microsoft is as follows:
- Initial access: This is done by exploiting known vulnerabilities in public-facing VPN, Web, Java, and SQL applications to deploy the commodity China Chopper webshell, which allows for remote code execution on the compromised server.
- Privilege escalation: If necessary, Flax Typhoon uses Juicy Potato, BadPotato, and other open source tools to exploit local privilege escalation vulnerabilities.
- Establishing remote access: Flax Typhoon uses the Windows Management Instrumentation command-line (WMIC) (or PowerShell, or the Windows Terminal with local administrator privileges) to disable network-level authentication (NLA) for Remote Desktop Protocol (RDP). This allows Flax Typhoon to access the Windows sign-in screen without authenticating and, from there, use the Sticky Keys accessibility feature in Windows to launch Task Manager with local system privileges. The attackers then install a legitimate VPN bridge to automatically connect to actor-controlled network infrastructure.
- Persistence: Flax Typhoon uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts, allowing the actor to monitor the availability of the compromised system and establish an RDP connection.
- Lateral movement: To access other systems on the compromised network, the actor uses other LOLBins, including Windows Remote Management (WinRM) and WMIC, to perform network and vulnerability scanning.
- Credential access: Flax Typhoon frequently deploys Mimikatz to automatically dump hashed passwords for users signed into the local system. The resulting password hashes can be cracked offline or used in pass-the-hash (PtH) attacks to access other resources on the compromised network.
Interestingly, the APT appears to be biding its time when it comes to executing an endgame, though data exfiltration is the likely goal (rather than the potential kinetic outcomes Microsoft recently flagged for China-sponsored Volt Typhoon activity).
"This pattern of activity is unusual in that minimal activity occurs after the actor establishes persistence," according to Microsoft's analysis. "Flax Typhoon's discovery and credential-access activities do not appear to enable further data-collection and exfiltration objectives. While the actor's observed behavior suggests Flax Typhoon intends to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign."
Protecting Against Compromise
In its post, Microsoft offered a series of steps to take if organizations are compromised and need to assess the scale of Flax Typhoon activity within their networks and remediate an infection. To avoid the situation entirely, organizations should make sure that all public-facing servers are patched and up-to-date, and have additional monitoring and security such as user input validation, file integrity monitoring, behavioral monitoring, and Web application firewalls.
Admins can also monitor the Windows registry for unauthorized changes; monitor for any RDP traffic that could be considered unauthorized; and harden account security with multifactor authentication and other precautions.
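The following host audit is an added example written for this article; it is not code from Microsoft's advisory or from any tool the article names. It turns the "remote access" and "persistence" steps described above, and the registry and RDP monitoring advice in this section, into read-only checks an admin can run in an elevated PowerShell session. The registry locations are standard Windows settings (the `UserAuthentication` value that controls NLA for RDP, and the Image File Execution Options tree), not values taken from the article; the assumption that the Sticky Keys abuse takes the form of an IFEO `Debugger` entry on an accessibility binary is the author's, as is the heuristic that a VPN bridge registered as an auto-start service will usually live outside the Windows and Program Files trees. The function and variable names are invented for this example.

```powershell
# Added audit script (not Microsoft's code): read-only checks for the RDP, Sticky Keys and
# auto-start service changes described above. Nothing is modified unless Restore-RdpNla is
# called explicitly.

$ErrorActionPreference = 'Stop'

# Standard Windows registry locations (assumed documented paths, not values from the article).
$RdpTcpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TermSrvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$IfeoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Accessibility binaries reachable from the sign-in screen; sethc.exe is Sticky Keys.
$AccessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

function Test-RdpNlaDisabled {
    # UserAuthentication = 1 means NLA is required before the sign-in screen is shown;
    # 0 or a missing value means the screen is reachable without authenticating.
    $props = Get-ItemProperty -Path $RdpTcpKey -ErrorAction SilentlyContinue
    $nla   = if ($null -ne $props) { $props.UserAuthentication } else { $null }
    $deny  = (Get-ItemProperty -Path $TermSrvKey -ErrorAction SilentlyContinue).fDenyTSConnections
    $finding = if ($nla -ne 1) { 'NLA disabled or unset' } else { 'OK' }
    [pscustomobject]@{
        Check      = 'RDP NLA'
        Finding    = $finding
        RdpEnabled = ($deny -eq 0)
        Suspicious = ($nla -ne 1)
    }
}

function Get-AccessibilityDebuggerHijack {
    # Assumption: the Sticky Keys abuse is an IFEO "Debugger" entry that makes Windows launch
    # another program (e.g. Task Manager) in place of an accessibility binary.
    foreach ($bin in $AccessibilityBinaries) {
        $key = Join-Path $IfeoKey $bin
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Check = 'IFEO debugger'; Binary = $bin; Debugger = $dbg; Suspicious = $true }
        }
    }
}

function Get-SuspiciousAutoStartService {
    # Auto-start services whose executable is outside the Windows and Program Files trees.
    # Assumption (heuristic): a VPN bridge installed as a boot-time service to call home
    # would usually show up here for review. Expect some benign hits; triage, don't delete.
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") | Where-Object { $_ -ne '\' }
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        ForEach-Object {
            # Recover the bare executable path from a quoted or unquoted command line.
            $p = $_.PathName.Trim()
            if ($p.StartsWith('"')) { $exe = $p.Substring(1, $p.IndexOf('"', 1) - 1) }
            else { $exe = ($p -split '\s+')[0] }
            $inTrusted = $false
            foreach ($t in $trusted) {
                if ($exe.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            if (-not $inTrusted) {
                [pscustomobject]@{ Check = 'Auto-start service'; Name = $_.Name; Path = $exe; Account = $_.StartName; Suspicious = $true }
            }
        }
}

function Invoke-FlaxTyphoonHostAudit {
    # Collect all findings into one list so they can be piped to Format-Table or Export-Csv.
    @(Test-RdpNlaDisabled) + @(Get-AccessibilityDebuggerHijack) + @(Get-SuspiciousAutoStartService)
}

function Restore-RdpNla {
    # Remediation: require NLA for RDP again. Only meaningful once the host has been
    # isolated and investigated, since other persistence may remain.
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord
}

Invoke-FlaxTyphoonHostAudit | Format-Table -AutoSize
```

Run the script as-is to get a findings table; any row with `Suspicious = True` is a lead to investigate, not a verdict. An IFEO debugger on an accessibility binary and NLA turned off together on an internet-facing RDP host match the access path described in the article closely enough to warrant isolating the machine before calling `Restore-RdpNla`. For fleet-wide coverage, feed the same checks into scheduled collection (for example via `Export-Csv` to a central share) so that a change to `UserAuthentication` or a new auto-start service outside the trusted trees is seen soon after it happens, which is the registry and RDP monitoring the advisory recommends.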