Microsoft discovered a cyber espionage campaign targeting organizations in Taiwan, attributed to a China-based threat actor group called Flax Typhoon. According to the company, Flax Typhoon has been active since 2021, targeting government agencies and companies in education, manufacturing, IT and other sectors.
The campaign exploits vulnerabilities in internet-facing servers to gain initial access to target networks. The attackers use exploits to deploy web shells, allowing them to execute commands on compromised systems remotely. Once inside the network, Flax Typhoon uses various techniques to establish persistent access.
A key method is compromising remote desktop connections by "disabling network-level authentication and hijacking the Sticky Keys feature." This allows the attackers to access systems remotely even after rebooting. The group also installs VPN software to create a tunnel into the network for control.
Flax Typhoon targets the Local Security Authority Subsystem Service (LSASS) process memory and Security Account Manager (SAM) registry hive. Both stores contain hashed passwords for users signed into the local system.
Flax Typhoon frequently deploys Mimikatz, a publicly available malware that can automatically dump these stores when improperly secured. The resulting password hashes can be cracked offline or used in pass-the-hash (PtH) attacks to access other resources on the compromised network.
After establishing persistence, Flax Typhoon focuses on stealing credentials. The group enumerates system restore points, likely to understand the compromised network and remove traces of their activity. However, Microsoft says they have not observed the attackers' progress to further data exfiltration objectives.
Microsoft states it has directly notified targeted customers and provided detection capabilities through Microsoft 365 Defender. However, defending against this threat is challenging as the group relies heavily on valid accounts and legitimate tools.
The news comes as the U.S. government investigates Microsoft's role in the China-backed email breach. A U.S. cybersecurity advisory panel is investigating potential risks in cloud computing, including Microsoft's role in the violation.