Security researchers at Microsoft have spotted a China-based threat actor engaging in espionage operations against organisations in Taiwan.
The group, dubbed Flax Typhoon by Microsoft, has been operating since at least 2021, and has previously been seen to go after critical infrastructure, government agencies, and IT groups in the country.
In its latest campaign, Flax Typhoon has gained initial access by exploiting known vulnerabilities in public-facing networks and deploying the China Chopper web shell, then used a range of techniques to escalate its privileges in the compromised environment. For this, the group uses malware such as BadPotato and Juicy Potato.
Nation-state hacking may be very serious business but we can all have some fun with our naming protocols, right?
Once inside a network, the group establishes persistent access by disabling network-level authentication (NLA) for the system’s remote desktop protocol. With NLA off, an RDP connection reaches the Windows sign-in screen without authenticating first. Finally, Flax Typhoon takes advantage of Windows’ Sticky Keys feature, tweaking the registry so that launching Sticky Keys from that sign-in screen actually opens Task Manager, complete with local system privileges.
“From there”, Microsoft said in a blog post, “the actor can launch the Terminal, create memory dumps, and take nearly any other action on the compromised system. The only issue the actor faces with this persistence method is that RDP is most likely running on an internal-facing network interface.”
Flax Typhoon gets around this by installing a VPN bridge that connects back to its own command-and-control infrastructure. The trick here is that the connection looks legitimate, as it uses a VPN client commonly found in enterprise environments, allowing it to run unnoticed.
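The two persistence settings described above can be audited on a Windows host. The following script is an added example, not code from the article or from Microsoft; it assumes the NLA state is the UserAuthentication value under the RDP-Tcp WinStation key (0 means NLA disabled) and that the Sticky Keys tweak is the well-known Image File Execution Options "Debugger" value for sethc.exe. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article): report the RDP/NLA state and any
# debugger hijack of sethc.exe (Sticky Keys). Assumes the registry locations
# named below, which are the standard Windows ones.

function Get-RdpNlaState {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
    # fDenyTSConnections = 0 means Remote Desktop is enabled.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($nla -eq 1)
    }
}

function Get-StickyKeysDebugger {
    # A Debugger value here makes Windows launch the named program instead of
    # sethc.exe when Sticky Keys is triggered, e.g. from the sign-in screen.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
    if (Test-Path $ifeo) {
        (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    }
}

function Invoke-RdpPersistenceAudit {
    $findings = @()
    $rdp = Get-RdpNlaState
    if ($rdp.RdpEnabled -and -not $rdp.NlaRequired) {
        $findings += 'RDP is enabled with Network Level Authentication disabled'
    }
    $dbg = Get-StickyKeysDebugger
    if ($dbg) {
        $findings += "Image File Execution Options Debugger set for sethc.exe: $dbg"
    }
    if ($findings.Count -eq 0) { 'No matching persistence settings found' } else { $findings }
}

Invoke-RdpPersistenceAudit
```

Either finding on its own is worth a closer look; both together on the same host match the pattern Microsoft describes and should be treated as a likely compromise rather than a misconfiguration.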
The threat actor then deploys living-off-the-land binaries to move laterally in the environment.
At this point, Flax Typhoon has only been observed studying its environment: gathering passwords and taking advantage of Windows Restore Points to further observe system behaviour and operation.
“This pattern of activity is unusual in that minimal activity occurs after the actor establishes persistence,” Microsoft said. “Flax Typhoon’s discovery and credential access activities do not appear to enable further data collection and exfiltration objectives.
“While the actor’s observed behaviour suggests Flax Typhoon intends to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.”
Microsoft has been in touch with the owners of the targeted networks.