Threat hunters at Microsoft have caught a Chinese government-backed APT actor hacking into organizations in Taiwan with minimal use of malware and maintaining stealthy persistence by abusing legitimate software tools.
The cyberespionage operation, tagged with the moniker Flax Typhoon, hacks into organizations by exploiting known vulnerabilities in public-facing servers and then using legitimate tools built into the Windows operating system and otherwise benign software to quietly remain in these networks.
“Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated,” Microsoft warned in a research note documenting the Flax Typhoon activities.
The Redmond, Wash. software giant said the hacking techniques could easily be reused in targeted attacks and urged defenders to hunt for signs of compromise and thoroughly remove malicious tools and C2 infrastructure. In addition, businesses in the crosshairs of APT actors should check logs for signs of compromised accounts that may have been used for malicious purposes.
“[The] observed behavior suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible,” Microsoft warned, noting that the hacking group has been active since at least mid-2021 and has targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan.
The company said it saw victims elsewhere in Southeast Asia, as well as in North America and Africa.
Microsoft’s threat intelligence team published details on Flax Typhoon’s use of command-line tools to first establish persistent access over the remote desktop protocol, deployment of a VPN connection to actor-controlled network infrastructure, and siphoning of credentials from compromised systems.
In cases where Flax Typhoon needs to move laterally to access other systems on the compromised network, Microsoft said it caught the APT group using LOLBins, including Windows Remote Management (WinRM) and WMIC.
Once persistence is established, Microsoft said the hackers start harvesting credentials using common tools and techniques, including the targeting of the Local Security Authority Subsystem Service (LSASS) process memory and Security Account Manager (SAM) registry hive.