Ramping up the Cyber Offensive: China’s Flax Typhoon APT Takes Advantage of Local Resources

China-Backed APT Group Flax Typhoon Conducting Stealthy Cyber Espionage Campaign

The Threat

A China-backed advanced persistent threat (APT) group known as Flax Typhoon has been identified by Microsoft as carrying out a sophisticated cyber espionage campaign. The group has managed to infect numerous organizations in Taiwan using minimal amounts of malware and relying on legitimate tools and utilities built into the Windows operating system. Microsoft warns that Flax Typhoon has the capability to expand its operations beyond Taiwan, as it has done in the past, targeting various industries across Southeast Asia, North America, and Africa.

Modus Operandi

Flax Typhoon stands out from other APT groups by relying on off-the-shelf malware and native Windows utilities, the latter known as living-off-the-land binaries (LOLBins), which makes its actions difficult to trace and attribute. Microsoft describes the infection routine it observed in the recent attacks, covering the stages of initial access, privilege escalation, establishing remote access, persistence, lateral movement, and credential access.

During the initial access phase, Flax Typhoon exploits known vulnerabilities in public-facing VPN, web, Java, and SQL applications to deploy the China Chopper webshell, enabling remote code execution on the compromised server. If necessary, the group uses tools like Juicy Potato and BadPotato to exploit privilege escalation vulnerabilities. To establish remote access, Flax Typhoon disables network-level authentication (NLA) for Remote Desktop Protocol (RDP) using the Windows Management Instrumentation command-line (WMIC), PowerShell, or Windows Terminal with local administrator privileges. This allows the group to access the Windows sign-in screen without authentication and leverage the Sticky Keys accessibility feature to launch Task Manager with local system privileges. They then install a legitimate VPN bridge to connect to their own network infrastructure.

To maintain persistence, Flax Typhoon creates a Windows service using the Service Control Manager (SCM) that automatically launches the VPN connection at system startup. This allows the threat actors to monitor the compromised system’s availability and establish an RDP connection. The group utilizes LOLBins such as Windows Remote Management (WinRM) and WMIC for lateral movement to access other systems on the compromised network. Credential access is achieved through the deployment of Mimikatz, which automatically dumps hashed passwords for users signed into the local system, enabling the cracking of password hashes offline or using pass-the-hash (PtH) attacks to access further resources on the network.

Potential Damage and Intentions

The true extent of the damage caused by Flax Typhoon’s infections is difficult to assess given the stealthy nature of their operation. Microsoft warns that detecting and mitigating this attack could be challenging, emphasizing the need to close or change compromised accounts and isolate and investigate compromised systems. Flax Typhoon’s ultimate objectives remain unclear, but data exfiltration for espionage purposes appears to be the likely goal.

Microsoft notes that Flax Typhoon appears patient about executing its final objectives: its activities after establishing persistence do not indicate immediate data collection and exfiltration. While the group intends to maintain network footholds and conduct espionage, Microsoft has not observed Flax Typhoon acting on final objectives in this particular campaign.

Protecting Against Flax Typhoon Compromise

Preventative Measures

To avoid falling victim to Flax Typhoon or similar cyber espionage campaigns, organizations should follow a set of preventative measures. It is crucial to ensure that all public-facing servers are patched and up-to-date. Organizations should also implement monitoring and security controls such as user input validation, file integrity monitoring, behavioral monitoring, and web application firewalls. Monitoring the Windows registry for unauthorized changes, detecting unauthorized RDP traffic, and implementing multifactor authentication and other account security measures can also significantly enhance the organization's cyber defenses.
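The registry and RDP checks this section calls for map directly onto the remote-access and persistence steps described above. The following host audit is an added example, not code from Microsoft's report or from this article; it assumes an elevated PowerShell session on the Windows host under review, and the function name and the list of accessibility binaries are its own choices.

```powershell
# Read-only audit for the RDP / Sticky Keys tampering described above.
# Assumes an elevated session on the host under review; the function name
# and the accessibility-binary list are this example's own choices.
function Test-RdpStickyKeysTampering {
    $findings = @()

    # 1. Network Level Authentication for RDP. UserAuthentication = 1 means a
    #    client must authenticate before reaching the sign-in screen; 0 (or a
    #    missing value) is the weakened state the technique relies on.
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -ne 1) {
        $findings += [pscustomobject]@{ Check = 'RDP NLA'; Detail = "UserAuthentication=$nla (expected 1)" }
    }

    # 2. Image File Execution Options "Debugger" entries on accessibility
    #    binaries. A Debugger on sethc.exe (Sticky Keys) makes the sign-in
    #    screen shortcut start another program as SYSTEM, which is how Task
    #    Manager gets launched in the campaign. None of these should be set.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($exe in 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe', 'atbroker.exe') {
        $dbg = (Get-ItemProperty -Path (Join-Path $ifeo $exe) -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{ Check = 'IFEO Debugger'; Detail = "$exe -> $dbg" }
        }
    }

    # 3. Auto-start services whose executable lives outside the Windows and
    #    Program Files trees. A VPN bridge registered with the Service Control
    #    Manager for persistence usually lands here; treat hits as leads to
    #    review, not as proof of compromise.
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName }) {
        # Executable path without surrounding quotes or arguments
        $path = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
        $known = $false
        foreach ($t in $trusted) { if ($path -like $t) { $known = $true } }
        if (-not $known) {
            $findings += [pscustomobject]@{ Check = 'Auto-start service'; Detail = "$($svc.Name): $path" }
        }
    }

    return $findings
}

# One row per finding; an empty table means all three checks passed.
Test-RdpStickyKeysTampering | Format-Table -AutoSize
```

Run it as a scheduled baseline and diff the output over time; a new row in any of the three checks is exactly the kind of unauthorized registry or service change the section above says to watch for.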

Assessing and Remedying Compromises

If an organization suspects that it has been compromised by Flax Typhoon, Microsoft provides a set of steps to assess the scale of the activity within their network and remediate the infection. This includes closing or changing compromised accounts, isolating and investigating compromised systems, and monitoring for any signs of unauthorized RDP traffic. Implementing comprehensive logging and monitoring capabilities is also crucial for gathering evidence and identifying indicators of compromise.

Editorial and Advice

The Flax Typhoon cyber espionage campaign orchestrated by a China-backed APT group highlights the persistent and evolving threat posed by nation-state actors. Their ability to fly under the radar by using minimal malware and leveraging legitimate tools and utilities within operating systems demonstrates the importance of a multi-layered defense strategy that goes beyond traditional perimeter-based security measures.

This incident also raises philosophical questions concerning the boundaries of cyber conflict in the realm of state-sponsored cyber espionage. As technology continues to advance, the distinction between peacetime and wartime actions in the cyber domain becomes increasingly blurred. International norms and agreements to regulate behavior in cyberspace are essential for maintaining transparency, trust, and stability in the global digital landscape.

Organizations and governments worldwide must prioritize cybersecurity investments to strengthen defenses against APT groups like Flax Typhoon. Robust patch management practices, proper user access controls, rigorous network monitoring, and regular security awareness training are essential components of a comprehensive cybersecurity strategy. Collaboration between governments, private sector entities, and international organizations is also crucial for sharing threat intelligence, coordinating responses, and holding threat actors accountable.

In conclusion, the Flax Typhoon APT group serves as a stark reminder of the constantly evolving cyber threat landscape and the urgent need for organizations and governments to remain vigilant, proactive, and prepared. Continuous investment in cybersecurity, combined with international cooperation, will be critical to effectively countering the persistent and sophisticated activities of state-sponsored threat actors.
