A China-based nation-state actor has been targeting dozens of organizations in Taiwan in order to set up long-term access to their networks, relying on the abuse of legitimate software features rather than malware to make detection difficult.
The threat group behind these attacks is known for targeting government agencies and critical manufacturing, IT and education organizations in Taiwan, as well as victims in Southeast Asia, Africa and North America. Researchers with Microsoft, which observed the campaign, said that the group’s tactics could easily be used in other campaigns outside of Taiwan.
“Microsoft attributes this campaign to Flax Typhoon (overlaps with ETHEREAL PANDA), a nation-state actor based out of China,” said researchers with Microsoft in a Thursday analysis. “Flax Typhoon’s observed behavior suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible. However, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.”
The threat group gains initial access by exploiting known vulnerabilities in public-facing servers. After initial access, the group typically deploys a web shell such as China Chopper as its post-exploitation payload, which gives it remote code execution, and, if needed, privilege-escalation malware that exploits flaws to obtain local system privileges.
Beyond this, however, the group uses minimal malware, instead opting to leverage tools built into the operating system, in order to lurk quietly on compromised networks for longer periods of time. After initial access, the group deploys a VPN connection to an attacker-controlled network infrastructure, which it also uses to scan for vulnerabilities on targeted systems. According to researchers, the attackers deploy the VPN connection by downloading an executable file for the SoftEther VPN using LOLBins, such as the PowerShell Invoke-WebRequest utility or certutil.
The group then uses a multipronged approach to set up persistence, starting with disabling network-level authentication (NLA) - a feature requiring that users authenticate to the remote system before the session is established and the sign-in screen displayed - for the Remote Desktop Protocol (RDP). By disabling this feature, the threat actor is able to reach the Windows sign-in screen without prior authentication.
In the next stage, the actor leverages the Windows Sticky Keys accessibility feature, which allows users to enter keyboard shortcuts by pressing keys one at a time instead of simultaneously. Specifically, the actor uses a Sticky Keys shortcut at the Windows sign-in screen that launches sethc.exe, the program that manages Sticky Keys.
“To take advantage of this feature, Flax Typhoon changes a registry key that specifies the location of sethc.exe,” said researchers. “The actor adds arguments that cause the Windows Task Manager to be launched as a debugger for sethc.exe. As a result, when the actor uses the Sticky Keys shortcut on the Windows sign-in screen, Task Manager launches with local system privileges.”
The threat actor can then use Task Manager to create memory dumps and perform various other actions. In addition to setting up persistence, the attackers also collect credentials, typically by targeting stores that contain hashed passwords for users signed into the local system, such as the Local Security Authority Subsystem Service (LSASS) process memory and the Security Account Manager (SAM) database file. Researchers said that they have not observed the group use its access to take any additional measures beyond credential collection, however.
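An audit check a defender could run on a Windows host for the two persistence changes described above: NLA disabled for RDP and a debugger configured for sethc.exe. This is an added example, not code from the article or from Microsoft; it assumes the standard registry locations for the RDP-Tcp UserAuthentication setting and the Image File Execution Options (IFEO) key, which the article refers to but does not name, and extends the check to the other accessibility binaries reachable from the sign-in screen, which is an assumption beyond the sethc.exe case in the text.

```powershell
# Added audit script (not from the article or Microsoft). Assumed standard Windows locations:
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# sethc.exe is the binary named in the article; the others are the same class of
# sign-in-screen accessibility helpers and are included here as an assumption.
$accessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)

function Test-NlaDisabled {
    # UserAuthentication = 1 means NLA is enforced; 0 means the sign-in screen is reachable
    # over RDP without prior authentication. A missing value is reported as well, so it
    # can be confirmed by hand rather than silently assumed safe.
    $props = Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue
    return ($null -eq $props) -or ($props.UserAuthentication -ne 1)
}

function Get-IfeoDebuggerHijacks {
    # Any Debugger value under IFEO\<binary> makes Windows start that debugger instead
    # of the binary itself, with the binary's privileges (SYSTEM at the sign-in screen).
    foreach ($bin in $accessibilityBinaries) {
        $path  = Join-Path $ifeoKey $bin
        $props = Get-ItemProperty -Path $path -Name Debugger -ErrorAction SilentlyContinue
        if ($props -and $props.Debugger) {
            [pscustomobject]@{ Binary = $bin; Debugger = $props.Debugger }
        }
    }
}

$findings = @()
if (Test-NlaDisabled) {
    $findings += 'RDP Network Level Authentication is not enforced (UserAuthentication is not 1)'
}
foreach ($hit in Get-IfeoDebuggerHijacks) {
    $findings += "IFEO Debugger configured for $($hit.Binary): $($hit.Debugger)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No NLA or IFEO persistence indicators found'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell session; a legitimate debugger entry for one of these binaries is rare enough on production hosts that any hit is worth investigating.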
“This pattern of activity is unusual in that minimal activity occurs after the actor establishes persistence,” said researchers. “Flax Typhoon’s discovery and credential access activities do not appear to enable further data-collection and exfiltration objectives. While the actor’s observed behavior suggests Flax Typhoon intends to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.”
APT campaigns that abuse legitimate software components are not new, but they are difficult to detect. Organizations can protect themselves by making sure that their public-facing servers are kept up to date (and that these servers have additional monitoring and security in general). Organizations should also monitor their Windows registry for any unauthorized changes, and use network monitoring systems to identify any unusual traffic, said researchers.