A China-backed hacking group, tracked as Flax Typhoon, is targeting government agencies and education, critical manufacturing, and information technology organizations, likely for espionage purposes. The nation-state actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible. However, final objectives in this campaign have not been observed. Currently, Taiwanese organizations are exclusively being affected, but the full scope of the attacks isn't known. Microsoft states that the distinctive pattern of malicious activity could be easily reused in other operations outside the region and would benefit from broader industry visibility. Because of this, enterprises beyond Taiwan should be on alert.
Flax Typhoon has been active since mid-2021 and focuses on persistence, lateral movement, and credential access. The threat actors do not primarily rely on malware to gain and maintain access to the victim network; instead, they prefer to use components already available on the operating system, LOLBins, and legitimate software. In the campaign observed, Flax Typhoon gained initial access by exploiting known vulnerabilities in public-facing servers, including VPN, web, Java, and SQL applications. The threat actors dropped China Chopper, a powerful web shell that provides remote code execution capabilities. If necessary, the hackers elevate their privileges to administrator level using the publicly available 'Juicy Potato' and 'BadPotato' open-source tools, which exploit known vulnerabilities to obtain higher permissions.
Flax Typhoon establishes persistence by turning off network-level authentication (NLA) through registry modifications and abusing the Windows Sticky Keys accessibility feature to set up an RDP connection. To get around restrictions on RDP connectivity into the internal network, Flax Typhoon installs a legitimate VPN bridge to maintain the link between the compromised system and their external server. The attackers download the open-source SoftEther VPN client using LOLBins such as the PowerShell Invoke-WebRequest utility, certutil, or bitsadmin, and abuse various built-in Windows tools to make the VPN app launch automatically at system startup. To avoid detection, the hackers rename the VPN binary after legitimate Windows components such as 'conhost.exe' or 'dllhost.exe'. Additionally, Flax Typhoon uses SoftEther's VPN-over-HTTPS mode to disguise VPN traffic as standard HTTPS traffic.
Researchers have noted that Flax Typhoon frequently uses the Mimikatz tool to extract credentials from LSASS process memory and the SAM registry hive. The stolen credentials were not observed being used to extract additional data, so the adversary's main objective is currently unclear.
Flax Typhoon Attack Chain
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:
- We utilize several threat feeds that are updated daily.
- In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.
- In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection.
Indicators are provided in the Indicators of Compromise section below for your reference.
As always, if we detect activity related to these exploits, we will alert you when applicable.
Mitigation & Protection
- Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet. The credential access techniques used can also be mitigated with proper system hardening.
- Affected organizations need to assess the scale of Flax Typhoon activity in their network, remove malicious tools and C2 infrastructure, and check logs for signs of compromised accounts that may have been used for malicious purposes.
- Microsoft recommends that organizations apply the latest security updates to internet-exposed endpoints and public-facing servers, and that MFA be enabled on all accounts.
- Registry monitoring could help catch modification attempts and unauthorized changes like those performed by Flax Typhoon to disable NLA.
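As an added illustration of the registry monitoring and masquerading checks described above (example code written for this post, not a SecurIT360 or Microsoft detection), the following runs simple detection logic over constructed Sysmon-style events: it flags the RDP-Tcp UserAuthentication value being set to 0 (NLA disabled), an Image File Execution Options "Debugger" value for sethc.exe (assumed here as the well-known Sticky Keys variant to watch for; the page names only the feature), and a conhost.exe or dllhost.exe launched from outside the Windows system directories. The event layout mirrors Sysmon Event ID 13 (registry value set) and Event ID 1 (process create); the sample events are constructed, not real telemetry.

```python
import re

# Sysmon Event ID 13 (value set): UserAuthentication=0 under RDP-Tcp turns off NLA for RDP.
NLA_VALUE = re.compile(r"\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication$", re.I)
# An IFEO "Debugger" value for sethc.exe is the classic Sticky Keys backdoor;
# assumed here as the variant to watch for, the page names only the feature.
STICKY_IFEO = re.compile(r"\\Image File Execution Options\\sethc\.exe\\Debugger$", re.I)
DWORD_ZERO = re.compile(r"DWORD \(0x0+\)", re.I)
# Names given to the renamed SoftEther client; genuine copies live only in these directories.
MASQ_NAMES = {"conhost.exe", "dllhost.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def check_event(evt):
    """Return a finding label for one Sysmon-style event dict, or None if benign."""
    eid = evt.get("EventID")
    if eid == 13:  # RegistryEvent (value set)
        target, details = evt.get("TargetObject", ""), str(evt.get("Details", ""))
        if NLA_VALUE.search(target) and DWORD_ZERO.search(details):
            return "nla_disabled"
        if STICKY_IFEO.search(target):
            return "stickykeys_ifeo_debugger"
    elif eid == 1:  # ProcessCreate
        image = evt.get("Image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if name in MASQ_NAMES and not image.lower().startswith(LEGIT_DIRS):
            return "masquerading_" + name
    return None

def scan(events):
    """Run check_event over a batch; returns [(event_index, finding), ...]."""
    return [(i, f) for i, e in enumerate(events) if (f := check_event(e))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "Details": "DWORD (0x00000000)", "Image": r"C:\Windows\System32\reg.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe"},   # genuine conhost, benign
    {"EventID": 1, "Image": r"C:\Users\Public\conhost.exe"},       # renamed VPN client
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "Details": "DWORD (0x00000001)"},                               # NLA re-enabled, benign
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

In a SIEM the same three conditions translate directly into correlation rules on the registry and process-creation event fields shown.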
MITRE ATT&CK Techniques
T1003 (OS Credential Dumping)
T1003.001 (LSASS Memory)
T1005 (Data from Local System)
T1018 (Remote System Discovery)
T1041 (Exfiltration Over C2 Channel)
T1068 (Exploitation for Privilege Escalation)
T1105 (Ingress Tool Transfer)
Resources & Related Articles
- Flax Typhoon using legitimate software to quietly access Taiwanese organizations
- Microsoft: Stealthy Flax Typhoon hackers use LOLBins to evade detection
- China Unleashes Flax Typhoon APT to Live Off the Land, Microsoft Warns
- Microsoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage
- Flax Typhoon targeting Taiwan, Ransomware Emphasizing Linux-Centric Payloads