{"id":2229,"date":"2025-03-06T21:56:40","date_gmt":"2025-03-06T21:56:40","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2229"},"modified":"2025-03-06T21:56:40","modified_gmt":"2025-03-06T21:56:40","slug":"chinese-apt-silk-typhoon-exploits-it-supply-chain-weaknesses-for-initial-access","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2229","title":{"rendered":"Chinese APT Silk Typhoon exploits IT supply chain weaknesses for initial access"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A China-aligned threat group tracked by Microsoft as Silk Typhoon, two members of which were recently <a href=\"https:\/\/www.csoonline.com\/article\/3840168\/us-charges-12-chinese-hackers-in-major-government-backed-espionage-campaign.html\">charged by US authorities<\/a>, has recently shifted its focus to the enterprise IT supply chain by compromising cloud IT services and software providers and then moving downstream to their customers, according to a report from Microsoft.<\/p>\n<p>Silk Typhoon, known for exploiting zero-day vulnerabilities in network-edge devices, is highly proficient in performing lateral movement between cloud and on-premises environments.<\/p>\n<p>\u201cIn particular, Silk Typhoon was observed abusing stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies, allowing the threat actor to access these companies\u2019 downstream customer environments,\u201d <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/03\/05\/silk-typhoon-targeting-it-supply-chain\/\">Microsoft researchers warned<\/a>.<\/p>\n<p>On March 5, US authorities charged 12 Chinese nationals with attacking US-based critics and dissidents of China, a large religious 
organization in the US, foreign ministries of multiple governments in Asia, and US federal and state government agencies, including <a href=\"https:\/\/www.csoonline.com\/article\/3630539\/us-treasury-department-workstations-breached-in-attack-attributed-to-china.html\">the Treasury Department in late 2024<\/a>.<\/p>\n<p>The Justice Department (DOJ) and the FBI also announced the seizure of internet domains linked to Silk Typhoon, which is also known as APT27.<\/p>\n<h2 class=\"wp-block-heading\">Silk Typhoon has attacked a wide array of targets<\/h2>\n<p>The group actively targets IT services and infrastructure providers, remote monitoring and management (RMM) companies, managed service providers (MSPs) and their affiliates, healthcare organizations, legal services firms and other companies that might have been given access to systems and networks of their clients. This opens the door to supply chain compromises through the abuse of privileged access.<\/p>\n<p>In one such incident, Silk Typhoon used stolen API keys to access devices from an organization\u2019s downstream customers and tenants through an admin account. 
Using the access provided by the stolen API keys, the attackers reset the default admin account, created additional users, deployed web shells, and deleted log entries to hide their tracks.<\/p>\n<p>The downstream victims were primarily from the state and local government, as well as the IT sector, and the information stolen from their systems was related to US government policy and administration, law enforcement investigations and other legal processes.<\/p>\n<p>\u201cSilk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured, allowing them to successfully move laterally, maintain persistence, and exfiltrate data quickly within victim environments,\u201d the researchers said.<\/p>\n<h2 class=\"wp-block-heading\">Two-way lateral movement<\/h2>\n<p>Aside from abusing cloud assets and third-party services and software providers to gain access to local networks, the Silk Typhoon attackers are also proficient in jumping from on-premise environments into cloud environments. The group\u2019s hackers regularly target Microsoft AADConnect (now Entra Connect) servers which are used to synchronize on-premise Active Directory deployments with Azure AD (now called Entra ID).<\/p>\n<p>Once inside a local network, the attackers will try to dump credentials from Active Directory, search passwords inside key vaults and escalate their privileges to admin.<\/p>\n<p>In addition to targeting IT providers, identity management providers and RMM solutions for initial access, Silk Typhoon has a history of developing zero-day exploits. 
In 2021, the group compromised hundreds of Microsoft Exchange servers belonging to private organizations and government agencies through zero-day exploits, prompting the FBI to obtain a court order that allowed the agency <a href=\"https:\/\/www.csoonline.com\/article\/570615\/fbi-cleans-web-shells-from-hacked-exchange-servers-in-rare-active-defense-move.html\">to remotely remove the deployed web shells from private servers<\/a>, a move that was seen as unprecedented.<\/p>\n<h2 class=\"wp-block-heading\">Salt Typhoon also targets compromised credentials<\/h2>\n<p>Since then, the group has specialized in zero-day exploits for network-edge devices, exploiting vulnerabilities in GlobalProtect Gateway on Palo Alto Networks firewalls (CVE-2024-3400), Citrix NetScaler appliances (CVE-2023-3519) and Ivanti Pulse Connect Secure appliances (CVE-2025-0282).<\/p>\n<p>Compromised credentials are also a big part of the group\u2019s initial access efforts. These are obtained through password spray attacks, active collection from compromised networks and systems, and reconnaissance that scans public GitHub repositories for corporate credentials and passwords. However, credentials are not always needed if there are privileged and pre-authenticated applications that can be abused to access information.<\/p>\n<p>\u201cWhile analyzing post-compromise tradecraft, Microsoft identified Silk Typhoon abusing service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via MSGraph,\u201d the researchers said. 
\u201cThroughout their use of this technique, Silk Typhoon has been observed gaining access to an application that was already consented within the tenant to harvest email data and adding their own passwords to the application.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Defending against Silk Typhoon\u2019s methods<\/h2>\n<p>Organizations should make sure all of their internet-facing servers, appliances and other devices are kept up to date. If a zero-day vulnerability is involved, forensic analysis should be performed and all potential post-compromise activities a threat actor might have performed, including lateral movement, should be investigated. Following patch cycles, any active or persistent sessions for logged-in users or remote users should be terminated and reset.<\/p>\n<p>Microsoft said that legitimate application and service principals \u2014 service accounts \u2014 should be subject to strong controls and monitoring. These include:<\/p>\n<ul>\n<li>Audit the current privilege level of all identities, users, service principals, and Microsoft Graph Data Connect applications (use the Microsoft Graph Data Connect authorization portal) to understand which identities are highly privileged. Scrutinize privileges more closely if they belong to an unknown identity, belong to identities that are no longer in use, or are not fit for purpose.<\/li>\n<li>Identify abused OAuth apps using anomaly detection policies. Detect abused OAuth apps that make sensitive Exchange Online administrative activities through App governance. Investigate and remediate any risky OAuth apps.<\/li>\n<li>Review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions and understand whether they are still required in the tenant.<\/li>\n<\/ul>\n<p>Applications that are no longer required should be removed. If apps must access mailboxes, granular and scalable access can be implemented using role-based access control for applications in Exchange Online. 
This access model ensures applications are only granted to the specific mailboxes required.<\/p>\n<p>Sign-ins from unusual locations should also be flagged, access should follow the principle of least privilege, and VPN access should be done using modern authentication methods. On-premise service accounts should not have direct permissions on cloud resources to limit lateral movement and conditional access policies should be implemented. The Microsoft report contains additional recommendations as well as Microsoft Sentinel queries to hunt for Silk Typhoon-related activities.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A China-aligned threat group tracked by Microsoft as Silk Typhoon, two members of which were recently charged by US authorities, has recently shifted its focus to the enterprise IT supply chain by compromising cloud IT services and software providers and then moving downstream to their customers, according to a report from Microsoft. 
Silk Typhoon, known [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2230,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2229","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2229"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2229"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2229\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2230"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2229"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2229"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}