Microsoft has identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks. Microsoft has not observed Flax Typhoon using this access to conduct additional actions. This blog aims to raise awareness of the techniques used by this threat actor and inform better defenses to protect against future attacks.<\/p>\n\n\n\n
\n\n\n\n
Microsoft has observed a distinctive pattern of malicious activity almost exclusively affecting organizations in Taiwan using techniques that could be easily reused in other operations outside the region and would benefit from broader industry visibility. Microsoft attributes this campaign to Flax Typhoon (overlaps with ETHEREAL PANDA), a nation-state actor based out of China. Flax Typhoon\u2019s observed behavior suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible. However, Microsoft has not observed Flax Typhoon act on final objectives in this campaign. Microsoft is choosing to highlight this Flax Typhoon activity at this time because of our significant concern around the potential for further impact to our customers. Although our visibility into these threats has given us the ability to deploy detections to our customers, the lack of visibility into other parts of the actor\u2019s activity compelled us to drive broader community awareness to further investigations and protections across the security ecosystem.<\/p>\n\n\n\n
In this blog post, we share information on Flax Typhoon, the current campaign targeting Taiwan, and the actor\u2019s tactics for achieving and maintaining unauthorized access to target networks. Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated. At the end of this blog post, we share more mitigation steps and best practices, as well as provide details on how Microsoft 365 Defender detects malicious and suspicious activity to protect organizations from such stealthy attacks.<\/p>\n\n\n\n
Who is Flax Typhoon?<\/h2>\n\n\n\n
Flax Typhoon has been active since mid-2021 and has targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan. Some victims have also been observed elsewhere in Southeast Asia, as well as in North America and Africa. Flax Typhoon focuses on persistence, lateral movement, and credential access. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.<\/p>\n\n\n\n
Flax Typhoon is known to use the China Chopper<\/em> web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther virtual private network (VPN) client. However, Flax Typhoon primarily relies on living-off-the-land techniques<\/a> and hands-on-keyboard activity. Flax Typhoon achieves initial access by exploiting known vulnerabilities in public-facing servers and deploying web shells like China Chopper<\/em>. Following initial access, Flax Typhoon uses command-line tools to first establish persistent access over the remote desktop protocol, then deploy a VPN connection to actor-controlled network infrastructure, and finally collect credentials from compromised systems. Flax Typhoon further uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.<\/p>\n\n\n Flax Typhoon achieves initial access by exploiting<\/a> known vulnerabilities in public-facing servers. The services targeted vary, but include VPN, web, Java, and SQL applications. The payload in these exploits is a web shell<\/a>, such as China Chopper<\/em><\/a>, which allows for remote code execution on the compromised server.<\/p>\n\n\n\n In cases where the process compromised via web shell does not have local administrator privileges, Flax Typhoon downloads and runs a piece of malware that exploits one or more known vulnerabilities to obtain local system privileges. Microsoft has observed the actor use Juicy Potato<\/a>, BadPotato<\/a>, and other open-source tools to exploit these vulnerabilities.<\/p>\n\n\n\n Once Flax Typhoon can access Windows Management Instrumentation command-line (WMIC), PowerShell, or the Windows Terminal with local administrator privileges, the actor establishes a long-term method of accessing<\/a> the compromised system using the remote desktop protocol (RDP). To accomplish this, the actor disables network-level authentication (NLA)<\/a> for RDP, replaces the Sticky Keys binary, and establishes a VPN connection.<\/p>\n\n\n\n When using RDP, NLA requires the connecting user to authenticate to the remote system before a full remote session is established and the Windows sign-in screen is displayed. When NLA is disabled, any user attempting to access the remote system can interact with the Windows sign-in screen before authenticating, which can expose the remote system to malicious actions by the connecting user. Flax Typhoon changes a registry key to disable NLA, allowing them to access the Windows sign-in screen without authenticating, whereupon the actor will use the Sticky Keys shortcut.<\/p>\n\n\n Sticky Keys is an accessibility feature<\/a> in Windows that allows users to press modifier keys (such as Shift<\/em>, Ctrl<\/em>, Alt<\/em>) one at a time instead of simultaneously. It includes a shortcut where the user can press the Shift<\/em> key five times in succession to launch sethc.exe<\/em>, the program that manages Sticky Keys. The user can invoke this shortcut at any time, including at the sign-in screen. To take advantage of this feature<\/a>, Flax Typhoon changes a registry key that specifies the location of sethc.exe<\/em>. The actor adds arguments that cause the Windows Task Manager to be launched as a debugger for sethc.exe<\/em>. As a result, when the actor uses the Sticky Keys shortcut on the Windows sign-in screen, Task Manager launches with local system privileges.<\/p>\n\n\n At this stage, Flax Typhoon can access the compromised system via RDP, use the Sticky Keys shortcut at the sign-in screen, and access Task Manager with local system privileges. From there, the actor can launch the Terminal, create memory dumps, and take nearly any other action on the compromised system. The only issue the actor faces with this persistence method is that RDP is most likely running on an internal-facing network interface. Flax Typhoon\u2019s solution is to install a legitimate VPN bridge to automatically connect to actor-controlled network infrastructure.<\/p>\n\n\n\n To deploy the VPN connection, Flax Typhoon downloads<\/a> an executable file for SoftEther VPN<\/a> from their network infrastructure. The actor downloads the tool using one of several LOLBins, such as the PowerShell Invoke-WebRequest<\/a> utility, certutil<\/a>, or bitsadmin<\/a>. Flax Typhoon then uses the Service Control Manager (SCM)<\/a> to create a Windows service<\/a> that launches the VPN connection automatically when the system starts. This could allow the actor to monitor the availability of the compromised system and establish an RDP connection.<\/p>\n\n\n Flax Typhoon takes several precautions with their VPN connection to make it harder to identify. First, the actor uses a legitimate VPN application that could be found in enterprise environments. As a result, the file itself is almost certain to go undetected by antivirus products. Second, the actor almost always renames the executable file<\/a> from vpnbridge.exe<\/em> to conhost.exe<\/em> or dllhost.exe<\/em>. These names imitate the legitimate Windows components Console Window Host Process and Component Object Model Surrogate respectively. Third, the actor uses SoftEther\u2019s VPN-over-HTTPS<\/a> operation mode, which uses protocol tunneling<\/a> to encapsulate Ethernet packets into compliant HTTPS packets and transmit them to TCP port 443. This makes the VPN connection very difficult to differentiate from legitimate HTTPS traffic, which most network security appliances would not block.<\/p>\n\n\n\n In cases where Flax Typhoon needs to move laterally to access other systems on the compromised network, the actor uses LOLBins, including Windows Remote Management (WinRM) and WMIC.<\/p>\n\n\n\n Microsoft has observed Flax Typhoon routing network traffic to other targeted systems through the SoftEther VPN bridge installed on compromised systems. This network traffic includes network scanning, vulnerability scanning, and exploitation attempts.<\/p>\n\n\n\n Once Flax Typhoon becomes established on the target system, Microsoft observes the actor conducting credential access activities using common tools and techniques. Most commonly, Flax Typhoon targets the Local Security Authority Subsystem Service (LSASS) process memory<\/a> and Security Account Manager (SAM) registry hive<\/a>. Both stores contain hashed passwords for users signed into the local system. Flax Typhoon frequently deploys Mimikatz, a publicly available malware that can automatically dump these stores when improperly secured<\/a>. The resulting password hashes can be cracked offline or used in pass-the-hash (PtH) attacks<\/a> to access other resources on the compromised network.<\/p>\n\n\n\n Flax Typhoon also enumerates restore points used by System Restore<\/a>. Restore points contain data about the Windows operating system that the system owner can use to revert changes to the system if it becomes inoperable, rather than a backup of user data. Flax Typhoon could use this information to better understand the compromised system or as a template for removing indicators of malicious activity.<\/p>\n\n\n\n This pattern of activity is unusual in that minimal activity occurs after the actor establishes persistence. Flax Typhoon\u2019s discovery and credential access activities do not appear to enable further data-collection and exfiltration objectives. While the actor\u2019s observed behavior suggests Flax Typhoon intents to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.<\/p>\n\n\n\n Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet. The credential access techniques used can also be mitigated with proper system hardening.<\/p>\n\n\n\n Affected organizations need to assess the scale of Flax Typhoon activity in their network, remove malicious tools and C2 infrastructure, and check logs for signs of compromised accounts that may have been used for malicious purposes.<\/p>\n\n\n\n Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more<\/a>.<\/p>\n<\/blockquote>\n\n\n\n Microsoft Defender Antivirus<\/strong><\/p>\n\n\n\n Microsoft Defender Antivirus detects threat components as the following malware:<\/p>\n\n\n\n Microsoft Defender for Endpoint<\/strong><\/p>\n\n\n\n The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.<\/p>\n\n\n\n Microsoft 365 Defender customers can run the following queries to find related activity in their networks:<\/p>\n\n\n\n Network activity with Flax Typhoon network infrastructure<\/strong><\/p>\n\n\n SoftEther VPN bridge launched by SQL Server process<\/strong><\/p>\n\n\n SoftEther VPN bridge renamed to \u201cconhost.exe\u201d or \u201cdllhost.exe\u201d<\/strong><\/p>\n\n\n Certutil launched by SQL Server process<\/strong><\/p>\n\n\n File downloaded by MSSQLSERVER account using certutil<\/strong><\/p>\n\n\n File renamed to \u201cconhost.exe\u201d or \u201cdllhost.exe\u201d, downloaded using certutil<\/strong><\/p>\n\n\n Network connection made by SoftEther VPN bridge renamed to \u201cconhost.exe\u201d or \u201cdllhost.exe\u201d<\/strong><\/p>\n\n\n Network connection made by MSSQLSERVER account, using SoftEther VPN bridge<\/strong><\/p>\n\n\n Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy<\/a>.<\/p>\n\n\n\n Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.<\/p>\n\n\n\n In addition to compromised SOHO devices and compromised devices used for traffic proxying, Flax Typhoon maintains actor-controlled network infrastructure, including virtual private servers (VPS). Over the course of the campaign, the IP addresses listed in the table below were used during the corresponding timeframes.<\/p>\n\n\n\n![\"Flax](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/08\/Figure-1.-Flax-Typhoon-attack-chain-diagram-1024x336.webp\")
Analysis of current campaign<\/h2>\n\n\n\n
Initial access<\/h3>\n\n\n\n
Privilege escalation<\/h3>\n\n\n\n
Persistence<\/h3>\n\n\n\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/08\/Figure-2.-Flax-Typhoon-command-disabling-NLA-1024x79.webp\")
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/08\/Figure-3.-Flax-Typhoon-command-altering-Sticky-Keys-behavior-1024x95.webp\")
Command and control<\/h3>\n\n\n\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/08\/Figure-4.-Flax-Typhoon-command-downloading-a-SoftEther-VPN-executable-1024x94.webp\")
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/08\/Figure-5.-Flax-Typhoon-command-creating-a-service-to-launch-the-VPN-connection-1024x121.webp\")
Credential access<\/h3>\n\n\n\n
Mitigation and protection guidance<\/h2>\n\n\n\n
What to do now if you\u2019re affected<\/h3>\n\n\n\n
Investigating Suspected compromised accounts or affected systems<\/h3>\n\n\n\n
\n
Defending against Flax Typhoon attacks<\/h3>\n\n\n\n
\n
\n
Detection details and hunting queries<\/h2>\n\n\n\n
Microsoft 365 Defender detections<\/h3>\n\n\n\n
\n
\n
\n
Hunting queries<\/h3>\n\n\n\n
Microsoft 365 Defender<\/h4>\n\n\n\n
\nlet ipAddressTimes = datatable(ip: string, startDate: datetime, endDate: datetime)\n[\n \"101.33.205.106\", datetime(\"2022-11-07\"), datetime(\"2022-11-08\"),\n \"39.98.208.61\", datetime(\"2023-07-28\"), datetime(\"2023-08-12\"),\n \"45.195.149.224\", datetime(\"2023-01-04\"), datetime(\"2023-03-29\"),\n \"122.10.89.230\", datetime(\"2023-01-12\"), datetime(\"2023-01-13\"),\n \"45.204.1.248\", datetime(\"2023-02-23\"), datetime(\"2023-05-09\"),\n \"45.204.1.247\", datetime(\"2023-07-24\"), datetime(\"2023-08-10\"),\n \"45.88.192.118\", datetime(\"2022-11-07\"), datetime(\"2022-11-08\"),\n \"154.19.187.92\", datetime(\"2022-12-01\"), datetime(\"2022-12-02\"),\n \"134.122.188.20\", datetime(\"2023-06-13\"), datetime(\"2023-06-20\"),\n \"104.238.149.146\", datetime(\"2023-07-13\"), datetime(\"2023-07-14\"),\n \"139.180.158.51\", datetime(\"2022-08-30\"), datetime(\"2023-07-27\"),\n \"137.220.36.87\", datetime(\"2023-02-23\"), datetime(\"2023-08-04\"),\n \"192.253.235.107\", datetime(\"2023-06-06\"), datetime(\"2023-06-07\")\n];\nlet RemoteIPFiltered = DeviceNetworkEvents\n | join kind=inner (ipAddressTimes) on $left.RemoteIP == $right.ip\n | where Timestamp between (startDate .. endDate);\nlet LocalIPFiltered = DeviceNetworkEvents\n | join kind=inner (ipAddressTimes) on $left.LocalIP == $right.ip\n | where Timestamp between (startDate .. endDate);\nunion RemoteIPFiltered, LocalIPFiltered\n<\/pre><\/div>\n\n\n
\nDeviceProcessEvents \n| where ProcessVersionInfoOriginalFileName == \"vpnbridge.exe\" or ProcessVersionInfoFileDescription == \"SoftEther VPN\" \n| where InitiatingProcessParentFileName == \"sqlservr.exe\"\n<\/pre><\/div>\n\n\n
\nDeviceProcessEvents \n| where ProcessVersionInfoOriginalFileName == \"vpnbridge.exe\" or ProcessVersionInfoFileDescription == \"SoftEther VPN\" \n| where ProcessCommandLine has_any (\"conhost.exe\", \"dllhost.exe\") or FolderPath has_any (\"mssql\", \"conhost.exe\", \"dllhost.exe\")\n<\/pre><\/div>\n\n\n
\nDeviceProcessEvents \n| where ProcessCommandLine has_all (\"certutil\", \"-urlcache\") \n| where InitiatingProcessFileName has_any (\"sqlservr.exe\", \"sqlagent.exe\", \"sqlps.exe\", \"launchpad.exe\", \"sqldumper.exe\")\n<\/pre><\/div>\n\n\n
\nDeviceFileEvents \n| where InitiatingProcessAccountName == \"MSSQLSERVER\" \n| where InitiatingProcessFileName == \"certutil.exe\"\n<\/pre><\/div>\n\n\n
\nDeviceFileEvents \n| where InitiatingProcessFileName == \"certutil.exe\" \n| where FileName in (\"conhost.exe\", \"dllhost.exe\") \n<\/pre><\/div>\n\n\n
\nDeviceNetworkEvents \n| where InitiatingProcessVersionInfoOriginalFileName == \"vpnbridge.exe\" or InitiatingProcessVersionInfoProductName == \"SoftEther VPN\" \n| where InitiatingProcessFileName == \"conhost.exe\"\n<\/pre><\/div>\n\n\n
\nDeviceNetworkEvents \n| where InitiatingProcessVersionInfoOriginalFileName == \"vpnbridge.exe\" or InitiatingProcessVersionInfoProductName == \"SoftEther VPN\" \n| where InitiatingProcessAccountName == \"MSSQLSERVER\"\n<\/pre><\/div>\n\n\n
Microsoft Sentinel<\/h4>\n\n\n\n
\n
Indicators of compromise<\/h3>\n\n\n\n