Victor Kuciel, Author at SecurIT360

A China-backed hacking group, tracked as Flax Typhoon, is targeting government agencies and education, critical manufacturing, and information technology organizations likely for espionage purposes. The nation-state actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible. However, final objectives in this campaign have not been observed. Currently, Taiwanese organizations are exclusively being affected, but the scope of attacks aren’t fully known. Microsoft states that the distinctive pattern of malicious activity could be easily reused in other operations outside the region and would benefit from broader industry visibility. Because of this, enterprises beyond Taiwan should be on alert.

Flax Typhoon has been active since mid-2021 and focuses on persistence, lateral movement, and credential access. The threat actors do not primarily rely on malware to gain and maintain access to the victim network, instead, they prefer using mostly components already available on the operating system, LOLBins, and legitimate software. In the campaign observed, Flax Typhoon gained initial access by exploiting known vulnerabilities in public-facing servers, including VPN, web, Java, and SQL applications. The threat actors dropped China Chopper, a powerful web shell that provides remote code execution capabilities. If necessary, the hackers elevate their privileges to administrator level using the publicly available ‘Juicy Potato’ and ‘BadPotato’ open-source tools that exploit known vulnerabilities to obtain higher permissions.

Flax Typhoon establishes persistence by turning off network-level authentication through registry modifications and exploiting the Windows Sticky Keys accessibility feature to set up an RDP connection. To avoid RDP connectivity restrictions of RDP to internal network, Flax Typhoon installs a legitimate VPN bridge to maintain the link between the compromised system and their external server. The attackers download the open-source SoftEther VPN client using LOLBins like PowerShell Invoke-WebRequest utility, certutil, or bitsadmin, and abuse various built-in Windows tools to set the VPN app to launch automatically on system startup. To avoid being detected, the hackers rename it to legitimate Windows components such as ‘conhost.exe’ or ‘dllhost.exe.’ Additionally, Flax Typhoon uses SoftEther’s VPN-over-HTTPS mode to conceal VPN traffic as standard HTTPS traffic.

Researchers have noted that Flax Typhoon frequently uses the Mimikatz tool to extract credentials from LSASS process memory and the SAM registry. The stolen credentials were not observed to extract additional data, making the adversary’s main objective currently unclear.

Flax Typhoon Attack Chain

SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:

MDR Services

We utilize several threat feeds that are updated frequently on a daily basis.
In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services

In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection.

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable.

Mitigation & Protection

Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet. The credential access techniques used can also be mitigated with proper system hardening.
Affected organizations need to assess the scale of Flax Typhoon activity in their network, remove malicious tools and C2 infrastructure, and check logs for signs of compromised accounts that may have been used for malicious purposes.

Recommendations

Microsoft recommends organizations to apply the latest security updates to internet-exposed endpoints and public-facing servers, and MFA should be enabled on all accounts.
Registry monitoring could help catch modification attempts and unauthorized changes like those performed by Flax Typhoon to disable NLA.

MITRE Summary

T1003 (OS Credential Dumping)
T1003.001 (LSASS Memory)
T1005 (Data from Local System)
T1018 (Remote System Discovery)
T1041 (Exfiltration Over C2 Channel)
T1068 (Exploitation for Privilege Escalation)
T1105 (Ingress Tool Transfer)

IOCS

Resources & Related Articles

Alert Code: AA23-144A

The NSA, CISA, FBI, ACSC, CCCS, NCSC-NZ, and NCSC-UK have released a joint cybersecurity advisory regarding a recently unveiled adversary activity of the China-linked nation-backed APT group tracked as Volt Typhoon. The state-sponsored group has been reported spying on a range of U.S. critical infrastructure organizations, from telecommunications to transportation hubs and is part of a U.S. disinformation campaign.

Although espionage seems to be the goal, Microsoft assesses with moderate confidence that this campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

The initial attack vector is the compromise of Internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability. A primary TTP used by the actor is living off the land which utilizes built-in network administration tools to perform their objectives. This allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Built-in tools that are used by the actor include wmic, ntdsutil, netsh, and PowerShell. However, threat actors were also seen using open-source tools such as Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework.

To blend in with legitimate network traffic and evade detection, Volt Typhoon employs compromised small office and home office (SOHO) network equipment from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel, such as routers, firewalls, and VPN appliances. If privileged access is obtained after compromising the Fortinet devices, the attackers can dump credentials through the LSASS. This allows them to deploy Awen-based web shells for data exfiltration and persistence on the hacked systems.

Persistent focus on critical infrastructure indicates preparation for disruptive or destructive cyber-attacks and hints at a collective effort to provide China with access in the event of a future conflict between the two countries. Microsoft proactively reached out to all customers that were either targeted or compromised in these attacks to provide them with the information required to secure their networks from future hacking attempts.

Volt Typhoon attack flow

SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:

MDR Services

We utilize several threat feeds that are updated frequently on a daily basis
In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services

Carbon Black and Defender for Endpoint have announced Volt Typhoon related detections
In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection.

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable.

Victimology

Targets and breached entities span a wide range of critical sectors including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

Recommended Mitigations

Harden domain controllers and monitor event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.
Investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
In addition to host-level changes, review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
Look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
Forward log files to a hardened centralized logging server, preferably on a segmented network.

MITRE Summary

Initial Access
Technique Title	ID	Use
Exploit Public-facing Application	T1190	Actor used public-facing applications to gain initial access to systems; in this case, Earthworm and PortProxy.
Execution
Windows Management Instrumentation	T1047	The actor executed WMIC commands to create a copy of the SYSTEM registry.
Command and Scripting Interpreter: PowerShell	T1059.001	The actor used a PowerShell command to identify successful logons to the host.
Command and Scripting Interpreter: Windows Command Shell	T1059.003	The actor used this primary command prompt to execute a query that collected information about the storage devices on the local host.
Persistence
Server Software Component: Web Shell	T1505.003	The actor used backdoor web servers with web shells to establish persistence to systems, including some of the webshells being derived from Awen webshell.
Defense Evasion
Hide Artifacts	T1546	The actor selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity.
Indicator Removal: Clear Windows Event Logs	T1070.001	The actor cleared system event logs to hide activity of an intrusion.
Credential Access
OS Credential Dumping: NTDS	T1003.003	The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking.
Brute Force	T1110	The actor attempted to gain access to accounts with multiple password attempts.
Brute Force: Password Spraying	T1110.003	The actor used commonly used passwords against accounts to attempt to acquire valid credentials.
OS Credential Dumping	T1003	The actor used additional commands to obtain credentials in the environment.
Credentials from Password Stores	T1555	The actors searched for common password storage locations.
Discovery
System Information Discovery	T1082	The actors executed commands to gather information about local drives.
System Owner/User Discovery	T1033	The actors gathered information about successful logons to the host using a PowerShell command.
Permission Groups Discovery: Local Groups	T1069.001	The actors attempt to find local system groups and permission settings.
Permission Groups Discovery: Doman Groups	T1069.002	The actors used commands to enumerate the active directory structure.
System Network Configuration Discovery	T1016	The actors used commands to enumerate the network topology.
Command and Control
Proxy	T1090	The actors used commands to enable port forwarding on the host.
Proxy: External Proxy	T1090.002	The actors used compromised SOHO devices (e.g. routers) to obfuscate the source of their activity.

IOCS

f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31

d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca

472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d

66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7

3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597

c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99

3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f

fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15

ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484

baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c

b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74

4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349

c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d

d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af

9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a

450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267

93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066

7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5

389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61

c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b

e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95

6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff

cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984

17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4

8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2

d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295

3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642

Resources & Related Articles