China Unleashes Flax Typhoon APT to Live Off the Land, Microsoft Warns

The cyber-espionage group has created a stealthy, hard-to-mitigate network of persistent access across a range of organizations, but the endgame is unclear.


This article was originally published on Dark Reading.

A China-backed advanced persistent threat (APT) group dubbed Flax Typhoon has installed a web of persistent, long-term infections inside dozens of Taiwanese organizations, likely to carry out an extensive cyber espionage campaign — and it did it using only minimal amounts of malware.

According to Microsoft, the state-sponsored cyberattack group is living off the land for the most part, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent operation.

For now, most of the victims of Flax Typhoon are clustered in Taiwan, according to a warning on Flax Typhoon from Microsoft this week. The computing giant isn't divulging the scope of the attacks, but noted that enterprises beyond Taiwan should be on notice.

The campaign is "using techniques that could be easily reused in other operations outside the region," it warned. And indeed, in the past, the nation-state threat has targeted a broad range of industries (including government agencies and education, critical manufacturing, and information technology) throughout Southeast Asia, as well as in North America and Africa.

The full scope of the infections' damage will be difficult to assess, given that "detecting and mitigating this attack could be challenging," Microsoft warned. "Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated."


Living Off the Land & Commodity Malware

In contrast to many other APTs that excel at building and evolving custom cyberattack arsenals, Flax Typhoon takes a less identifiable route: off-the-shelf malware and native Windows utilities (living-off-the-land binaries, or LOLBins) that are harder to use for attribution.

Its infection routine in the latest spate of attacks observed by Microsoft is as follows:

  • Initial access: This is done by exploiting known vulnerabilities in public-facing VPN, Web, Java, and SQL applications to deploy the commodity China Chopper webshell, which allows for remote code execution on the compromised server.

  • Privilege escalation: If necessary, Flax Typhoon uses Juicy Potato, BadPotato, and other open source tools to exploit local privilege escalation vulnerabilities.

  • Establishing remote access: Flax Typhoon uses the Windows Management Instrumentation command-line (WMIC), PowerShell, or the Windows Terminal with local administrator privileges to disable network-level authentication (NLA) for Remote Desktop Protocol (RDP). With NLA off, the Windows sign-in screen is reachable over RDP without authenticating. From there the group abuses the Sticky Keys accessibility feature: the Image File Execution Options registry entry for the Sticky Keys binary is pointed at Task Manager, so triggering Sticky Keys at the sign-in screen opens Task Manager running with local system privileges. The attackers then install a legitimate VPN bridge that automatically connects to actor-controlled network infrastructure.

  • Persistence: Flax Typhoon uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts, allowing the actor to monitor the availability of the compromised system and establish an RDP connection.

  • Lateral movement: To access other systems on the compromised network, the actor uses other LOLBins, including Windows Remote Management (WinRM) and WMIC, to perform network and vulnerability scanning.

  • Credential access: Flax Typhoon frequently deploys Mimikatz to automatically dump hashed passwords for users signed into the local system. The resulting password hashes can be cracked offline or used in pass-the-hash (PtH) attacks to access other resources on the compromised network.


Interestingly, the APT appears to be biding its time when it comes to executing an endgame, though data exfiltration is the likely goal (rather than the potential kinetic outcomes Microsoft recently flagged for China-sponsored Volt Typhoon activity). 

"This pattern of activity is unusual in that minimal activity occurs after the actor establishes persistence," according to Microsoft's analysis. "Flax Typhoon's discovery and credential-access activities do not appear to enable further data-collection and exfiltration objectives. While the actor's observed behavior suggests Flax Typhoon intends to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign."

Protecting Against Compromise

In its post, Microsoft offered a series of steps to take if organizations are compromised and need to assess the scale of Flax Typhoon activity within their networks and remediate an infection. To avoid the situation entirely, organizations should make sure that all public-facing servers are patched and up-to-date, and have additional monitoring and security such as user input validation, file integrity monitoring, behavioral monitoring, and Web application firewalls.

Admins can also monitor the Windows registry for unauthorized changes; watch for RDP sessions that should not be there; and harden account security with multifactor authentication and other precautions.
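The infection chain above and the monitoring advice here point at the same handful of host artifacts, so the following read-only PowerShell hunt, written for this article rather than taken from Microsoft's post or any Flax Typhoon tooling, checks a Windows host for them: NLA disabled on the RDP-Tcp listener, an Image File Execution Options "Debugger" hijack on the Sticky Keys binary sethc.exe (and, going beyond the article, the other accessibility helpers launched from the sign-in screen, which the same hijack works against), and auto-start services or recent service-install events whose executable lives outside the Windows directory, which is where a VPN bridge registered for persistence would show up. The registry paths, WMI class and the property layout of System event 7045 are standard Windows; the list of accessibility binaries and the 30-day look-back are the author's choices.

```powershell
<#
  Added example, not Microsoft's or Dark Reading's code.
  Run in an elevated PowerShell session on the host being checked.
  Everything here only reads; each hit is a lead to investigate, not a verdict.
#>

$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. Network Level Authentication on the RDP-Tcp listener -------------------
# Flax Typhoon turns NLA off so the sign-in screen is reachable without credentials.
# Both the WMI view and the registry value behind it are checked; an attacker who
# edits one directly can leave the other stale until the next reboot.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
if ($ts -and $ts.UserAuthenticationRequired -eq 0) {
    $findings.Add('RDP-Tcp: NLA disabled (Win32_TSGeneralSetting.UserAuthenticationRequired = 0)')
}
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($null -ne $nla -and $nla -eq 0) {
    $findings.Add("RDP-Tcp: NLA disabled in registry ($rdpKey\UserAuthentication = 0)")
}

# --- 2. Image File Execution Options "Debugger" hijack --------------------------
# The Sticky Keys trick works because an IFEO 'Debugger' value makes Windows run any
# other program (Task Manager, in this campaign) in place of sethc.exe, and sethc.exe
# is launched as LocalSystem from the sign-in screen. The other accessibility helpers
# launched from that screen are checked too (author's generalization; the article
# names only Sticky Keys).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$accessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                         'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
foreach ($exe in $accessibilityBinaries) {
    $debugger = (Get-ItemProperty -Path (Join-Path $ifeo $exe) -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $findings.Add("IFEO hijack: $exe is redirected to '$debugger'")
    }
}

# --- 3. Services used for persistence -------------------------------------------
# The VPN bridge is kept alive as an auto-start service. Two views are taken: the
# live service table, and the System log's 7045 'service installed' events, which
# survive even if the service is later renamed or deleted.
$systemRoot = $env:SystemRoot.TrimEnd('\').ToLowerInvariant() + '\'

function Get-ServiceExecutable([string]$PathName) {
    # Reduce an ImagePath to its executable: expand %SystemRoot%-style variables,
    # strip quoting and arguments, and resolve the relative forms drivers use.
    if (-not $PathName) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    $exe = if ($p.StartsWith('"')) { $p.Split('"')[1] } else { $p.Split(' ')[0] }
    if ($exe -match '^\\SystemRoot\\')      { $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($exe -match '^\\\?\?\\')        { $exe = $exe -replace '^\\\?\?\\', '' }
    elseif ($exe -notmatch '^[A-Za-z]:\\')  { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
    $exe = Get-ServiceExecutable $_.PathName
    if ($exe -and -not $exe.ToLowerInvariant().StartsWith($systemRoot)) {
        $findings.Add("Auto-start service '$($_.Name)' runs from outside %SystemRoot%: $exe (account: $($_.StartName))")
    }
}

$lookback = (Get-Date).AddDays(-30)   # author's choice; widen it for a long-dwell actor
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $lookback } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 7045 properties: 0 = service name, 1 = image path, 2 = type, 3 = start type, 4 = account
        $name = $_.Properties[0].Value
        $exe  = Get-ServiceExecutable ([string]$_.Properties[1].Value)
        if ($exe -and -not $exe.ToLowerInvariant().StartsWith($systemRoot)) {
            $findings.Add("Service '$name' installed $($_.TimeCreated) from outside %SystemRoot%: $exe")
        }
    }

# --- Report ---------------------------------------------------------------------
if ($findings.Count -eq 0) {
    'No Flax Typhoon-style host artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Expect noise from the service checks on a real host: legitimate security agents and vendor tools also install auto-start services under Program Files, so the output is a triage list to compare against a known-good baseline, not an alert on its own. The NLA and IFEO checks, by contrast, have no benign reason to fire on a server, and a hit on either should be treated as a compromised host to isolate and investigate, as Microsoft's guidance above says.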


About the Author(s)

Tara Seals

Managing Editor, News, Dark Reading

