- Posts
- 10,811
- Posts Power
- 10,811.0%
- Liked
- 890
- Joined
- Jan 2, 1996
- Website
- inviteshop.us
Microsoft discovered a cyber espionage campaign targeting organizations in Taiwan, attributed to a China-based threat actor group called Flax Typhoon. According to the company, Flax Typhoon has been active since 2021, targeting government agencies and companies in education, manufacturing, IT and other sectors.
The campaign exploits vulnerabilities in internet-facing servers to gain initial access to target networks. The attackers use exploits to deploy web shells, allowing them to execute commands on compromised systems remotely. Once inside the network, Flax Typhoon uses various techniques to establish persistent access.
A key method is compromising remote desktop connections by "disabling network-level authentication and hijacking the Sticky Keys feature." This allows the attackers to access systems remotely even after rebooting. The group also installs VPN software to create a tunnel into the network for control.
After establishing persistence, Flax Typhoon focuses on stealing credentials. The group enumerates system restore points, likely to understand the compromised network and remove traces of their activity. However, Microsoft says they have not observed the attackers' progress to further data exfiltration objectives.
Microsoft states it has directly notified targeted customers and provided detection capabilities through Microsoft 365 Defender. However, defending against this threat is challenging as the group relies heavily on valid accounts and legitimate tools.
The news comes as the U.S. government investigates Microsoft's role in the China-backed email breach. A U.S. cybersecurity advisory panel is investigating potential risks in cloud computing, including Microsoft's role in the violation.
The campaign exploits vulnerabilities in internet-facing servers to gain initial access to target networks. The attackers use exploits to deploy web shells, allowing them to execute commands on compromised systems remotely. Once inside the network, Flax Typhoon uses various techniques to establish persistent access.
A key method is compromising remote desktop connections by "disabling network-level authentication and hijacking the Sticky Keys feature." This allows the attackers to access systems remotely even after rebooting. The group also installs VPN software to create a tunnel into the network for control.
After establishing persistence, Flax Typhoon focuses on stealing credentials. The group enumerates system restore points, likely to understand the compromised network and remove traces of their activity. However, Microsoft says they have not observed the attackers' progress to further data exfiltration objectives.
Microsoft states it has directly notified targeted customers and provided detection capabilities through Microsoft 365 Defender. However, defending against this threat is challenging as the group relies heavily on valid accounts and legitimate tools.
The news comes as the U.S. government investigates Microsoft's role in the China-backed email breach. A U.S. cybersecurity advisory panel is investigating potential risks in cloud computing, including Microsoft's role in the violation.