Taiwan's government and various organizations have reportedly fallen victim to targeted cyberattacks orchestrated by a group of Chinese hackers identified as "Flax Typhoon," as disclosed by Microsoft. 

The tech giant alleged that this series of attacks bears the hallmark of a sophisticated nation-state actor originating from China. Microsoft's observations suggest that the group aims to conduct espionage activities and maintain prolonged unauthorized access to a broad spectrum of industries within Taiwan.

[Image: Hacker. Photo: Darwin Laganzon from Pixabay]

Microsoft Reveals Pattern of Malicious Behavior by China Hackers

The company's findings stem from a discernible pattern of malicious behavior that predominantly affects entities situated in Taiwan. The attack techniques employed by Flax Typhoon are adaptable and could conceivably be repurposed for operations beyond the region. 

The disclosure came via a Microsoft blog post, where the company expounds on Flax Typhoon's reported modus operandi, shedding light on the group's tactics for gaining and sustaining unauthorized access to targeted networks. 

Notably, the attackers rely on both valid user accounts and the strategic use of living-off-the-land binaries (LOLBins), making the detection and mitigation of their activities a formidable challenge.

The recommended remedial actions include closing or modifying compromised accounts and meticulously isolating and investigating compromised systems.

According to Microsoft, Flax Typhoon first surfaced around the middle of 2021 and has chiefly focused its operations on Taiwanese government agencies, educational institutions, critical manufacturing sectors, and information technology firms. 

However, traces of the group's activities have also been reported in other locales, such as Southeast Asia, North America, and Africa. The group was found to exhibit a specific interest in achieving persistence within compromised systems, moving laterally across networks, and harvesting credentials for unauthorized access.


Tools of Chinese Hackers Flax Typhoon

Flax Typhoon employs various tools to achieve its objectives, including the China Chopper web shell, Metasploit, the Juicy Potato privilege escalation tool, Mimikatz, and the SoftEther virtual private network (VPN) client. 

The group's strategies lean heavily on living-off-the-land techniques and direct, hands-on-keyboard activity, according to Microsoft's findings.

Microsoft said Flax Typhoon initiates its assault by exploiting known vulnerabilities in public-facing servers. These vulnerabilities are leveraged to gain initial access, with the attackers deploying web shells like China Chopper to enable remote code execution on compromised servers. 

In instances where the compromised processes lack administrator privileges, Microsoft claims that the group deploys malware, such as Juicy Potato, to exploit known vulnerabilities and secure local system privileges.

The attackers prioritize maintaining persistence within compromised systems. To this end, Flax Typhoon reportedly manipulates the remote desktop protocol (RDP) by disabling network-level authentication (NLA) and altering system configurations. 

These actions provide the attackers with a long-term avenue for accessing compromised systems and leveraging RDP for their activities. According to Microsoft, addressing the threat posed by Flax Typhoon calls for robust vulnerability and patch management, especially for systems exposed to the public internet. 
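A defender-side check for the RDP tampering described above, added here as an example and not taken from the article or from Microsoft's report. It assumes an elevated PowerShell session on the Windows host under review, reads the documented Terminal Server registry values, and lists recent RDP (logon type 10) sign-ins from the Security log for review.

```powershell
# Added example (not from the article or Microsoft's report): audit the RDP
# settings that Flax Typhoon is reported to tamper with for persistence.
# Assumes an elevated PowerShell session on the Windows host being checked.

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

function Get-RdpHardeningFindings {
    [CmdletBinding()]
    param([switch]$Remediate)   # -Remediate re-enables NLA if it is off

    $findings = @()

    # UserAuthentication = 1 means Network Level Authentication is required.
    # 0 (or a missing value) lets an RDP client reach the logon screen without
    # authenticating first, which is the weakened state the article describes.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -ne 1) {
        $findings += [pscustomobject]@{
            Check = 'NLA required'; Value = $nla; Severity = 'High'
            Note  = 'Network Level Authentication is disabled on RDP-Tcp.'
        }
        if ($Remediate) {
            # Corrected setting; applies to new RDP sessions.
            Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
        }
    }

    # fDenyTSConnections = 0 means Remote Desktop is enabled on this host.
    $deny = (Get-ItemProperty -Path $tsRoot -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -eq 0) {
        $findings += [pscustomobject]@{
            Check = 'RDP enabled'; Value = $deny; Severity = 'Info'
            Note  = 'Remote Desktop is enabled; confirm it is expected and reachable only from trusted networks.'
        }
    }
    return $findings
}

function Get-RecentRdpLogons {
    param([int]$Days = 7)
    # Event 4624 with LogonType 10 (RemoteInteractive) = interactive RDP sign-in.
    # Property index 8 of a 4624 event is the LogonType field.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        Select-Object TimeCreated,
                      @{ n = 'User';     e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
                      @{ n = 'SourceIP'; e = { $_.Properties[18].Value } }
}

Get-RdpHardeningFindings | Format-Table -AutoSize
Get-RecentRdpLogons | Format-Table -AutoSize
```

Review the logon list against known administrators and jump hosts; an NLA-disabled host with RDP sign-ins from unexpected sources is the combination worth isolating and investigating.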

Additionally, the company underscored the importance of proper system hardening to counter the attackers' strategies for credential access. 



ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.