A China-backed advanced persistent threat (APT) group known as Flax Typhoon has been found to have infiltrated numerous Taiwanese organizations in a sophisticated cyber espionage campaign. The group primarily relies on legitimate tools and utilities built into the Windows operating system to carry out their operations, making it difficult to detect their activities.
According to a recent warning from Microsoft, Flax Typhoon’s main targets are currently located in Taiwan, but the techniques it uses could easily be replicated in other regions. In the past, the group has targeted various industries across Southeast Asia, North America, and Africa, including government agencies, educational institutions, critical manufacturing, and IT companies.
The full extent of the damage caused by Flax Typhoon is challenging to determine as detecting and mitigating the attack is not easy. Microsoft advises organizations to close or change compromised accounts and isolate and investigate compromised systems.
What sets Flax Typhoon apart from other APT groups is their strategy of “living off the land” and the use of commodity malware. Instead of creating and evolving their own custom cyberattack tools, the group utilizes off-the-shelf malware and native Windows utilities, also known as “living off the land binaries” (LOLbins). This approach makes it harder to attribute the attacks to Flax Typhoon.
The group’s typical infection routine involves exploiting known vulnerabilities in public-facing VPN, web, Java, and SQL applications to deploy a webshell called China Chopper. This webshell allows for remote code execution on the compromised server. If necessary, Flax Typhoon also uses tools like Juicy Potato and BadPotato to exploit local privilege escalation vulnerabilities. They establish remote access using Windows Management Instrumentation command-line (WMIC) or PowerShell to disable network-level authentication (NLA) for Remote Desktop Protocol (RDP). This enables them to access the Windows sign-in screen without authentication and launch Task Manager with local system privileges. To gain persistence, the group creates a Windows service using the Service Control Manager (SCM) that automatically initiates a VPN connection when the system starts. Finally, they use other LOLbins like Windows Remote Management (WinRM) and WMIC for lateral movement within the compromised network.
Flax Typhoon frequently deploys a tool called Mimikatz to extract hashed passwords of users signed into the local system. These password hashes can then be cracked offline or used in pass-the-hash (PtH) attacks to gain access to other resources on the compromised network.
Interestingly, the group appears to be patient when it comes to executing its endgame, focusing on data exfiltration rather than kinetic outcomes. Microsoft’s analysis suggests that while Flax Typhoon is engaged in espionage and in maintaining network footholds, Microsoft has not observed the group acting on final objectives in the current campaign.
To protect against compromise by Flax Typhoon, Microsoft recommends that organizations keep their public-facing servers patched and up to date. Additional security measures such as user input validation, file integrity monitoring, behavioral monitoring, and web application firewalls are also recommended. Monitoring the Windows registry for unauthorized changes, monitoring for unauthorized RDP traffic, and implementing multifactor authentication can further enhance account security.
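As an added example (not code from Microsoft’s report or this article), the following Python script applies two of the host-level checks the technique and mitigation paragraphs above point at: RDP Network Level Authentication being switched off through the registry, and a new Windows service being registered. The registry path, the simplified event schema, and the sample log lines are assumptions constructed for the example.

```python
"""Triage constructed Windows event logs for two host changes described above:
RDP Network Level Authentication (NLA) being disabled via the registry, and a
new Windows service being registered through the Service Control Manager."""
import json
import re

# Registry value that controls RDP NLA: 1 = required, 0 = disabled (taken from
# the setting's documented location; the article itself names no path).
NLA_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication"

# Constructed sample events, one JSON object per line, in a simplified schema
# modelled on Sysmon event 13 (registry value set) and System event 7045
# (service installed). This is not real telemetry.
SAMPLE_LOG = r"""
{"channel": "Sysmon", "id": 13, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "target": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication", "details": "DWORD (0x00000000)"}
{"channel": "Sysmon", "id": 13, "image": "C:\\Windows\\explorer.exe", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "details": "DWORD (0x00000001)"}
{"channel": "System", "id": 7045, "service": "UpdaterSvc", "image_path": "C:\\ProgramData\\tunnel\\client.exe /autoconnect", "account": "LocalSystem"}
{"channel": "Security", "id": 4624, "account": "alice", "logon_type": 2}
"""

def parse_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def dword_value(details):
    """Turn Sysmon's 'DWORD (0x00000000)' rendering into an int, or None."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None

def detect(events):
    """Return one alert per suspicious event, preserving log order."""
    alerts = []
    for ev in events:
        if ev.get("channel") == "Sysmon" and ev.get("id") == 13:
            # Rule 1: NLA switched off. Compare case-insensitively because
            # Sysmon may render hive and key names with different casing.
            if ev.get("target", "").lower() == NLA_VALUE.lower() and dword_value(ev.get("details", "")) == 0:
                alerts.append({"rule": "rdp_nla_disabled", "severity": "high",
                               "process": ev.get("image"), "target": ev["target"]})
        elif ev.get("channel") == "System" and ev.get("id") == 7045:
            # Rule 2: every new service deserves review; an auto-starting
            # tunnel binary outside Program Files or System32 is the pattern.
            alerts.append({"rule": "new_service_installed", "severity": "medium",
                           "service": ev.get("service"), "image_path": ev.get("image_path"),
                           "account": ev.get("account")})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

In production the same two rules would run against a SIEM feed rather than an inline string; the NLA rule should also be correlated with the process that wrote the value, since the article notes WMIC and PowerShell as the group’s tools for that change.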
In conclusion, the Flax Typhoon APT group’s use of legitimate tools and minimal amounts of malware makes their cyber espionage campaign highly stealthy and persistent. Organizations, particularly in Taiwan but also globally, need to be vigilant and take necessary precautions to detect and mitigate any potential Flax Typhoon attacks.