Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Chinese-Backed APT ‘Flax Typhoon’ Hacks Taiwan With Minimal Malware Footprint

Microsoft warns that Chinese spies are hacking into Taiwanese organizations with minimal use of malware and by abusing legitimate software.

China Hackers

Threat hunters at Microsoft have caught a Chinese government-backed APT actor hacking into organizations in Taiwan with minimal use of malware and maintaining stealthy persistence by abusing legitimate software tools.

The cyberespionage operation, tagged with the moniker Flax Typhoon, hacks into organizations by exploiting known vulnerabilities in public-facing servers and then using legitimate tools built into the Windows operating system and otherwise benign software to quietly remain in these networks. 

“Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated,” Microsoft warned in a research note documenting the Flax Typhoon activities.

The Redmond, Wash. software giant said the hacking techniques could easily be reused in targeted attacks and urged defenders to hunt for signs of compromise and thoroughly remove malicious tools and C2 infrastructure.  In addition, businesses in the crosshairs of APT actors should check logs for signs of compromised accounts that may have been used for malicious purposes.

“[The] observed behavior suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible,” Microsoft warned,  noting that the hacking group has been active since at least mid-2021 and has targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan. 

The company said it saw victims elsewhere in Southeast Asia, as well as in North America and Africa. 

Microsoft’s threat intelligence team published details on Flax Typhoon’s use of command-line tools to first establish persistent access over the remote desktop protocol, deployment of a VPN connection to actor-controlled network infrastructure, and siphoning of credentials from compromised systems.  

In cases where Flax Typhoon needs to move laterally to access other systems on the compromised network, Microsoft said it caught the APT group using LOLBins, including Windows Remote Management (WinRM) and WMIC.

Advertisement. Scroll to continue reading.

Once persistence is established, Microsoft said the hackers start harvesting credentials using common tools and techniques, including the targeting of the Local Security Authority Subsystem Service (LSASS) process memory and Security Account Manager (SAM) registry hive.

Related: Iranian APTs Caught Exploiting PaperCut Vulnerability

Related: Microsoft Hack Exposed More Than Exchange, Outlook Emails

Related: Microsoft Bows to Pressure to Free Up Security Logs

Related: Microsoft Naming Threat Actors After Weather Events

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.