Flax Typhoon: Microsoft Uncovers Espionage Tactics Targeting Taiwan
Microsoft has detected malicious activity, primarily against Taiwanese organizations, by a nation-state actor it tracks as Flax Typhoon, which is believed to be based in China.[1] The actor's tactics suggest espionage and long-term access to organizations across several industries. Despite the extent of the activity, Flax Typhoon does not appear to have a clear end goal in this campaign: Microsoft did not observe data-collection or exfiltration objectives.
Active since mid-2021, Flax Typhoon has targeted government, education, manufacturing, and IT organizations in Taiwan, with some victims in Southeast Asia, North America, and Africa. The actor's focus is on persistence, lateral movement, and credential access. Flax Typhoon relies on living-off-the-land techniques and a small set of tools: the China Chopper web shell, Metasploit, Juicy Potato, Mimikatz, and the SoftEther VPN client. The actor gains initial access by exploiting vulnerabilities in public-facing servers, uses tools such as Juicy Potato, establishes persistence via Remote Desktop Protocol (RDP), and sets up command and control with the SoftEther VPN client. Once established, Flax Typhoon harvests credentials with tools such as Mimikatz, targeting LSASS process memory and the SAM registry hive.
The techniques deployed by Flax Typhoon can easily be reused in other targeted attacks. Defenders should hunt for the indicators of compromise shared by Microsoft and adhere to basic security hygiene, including but not limited to vulnerability and patch management, hardening of public-facing servers, and enforcing strong multifactor authentication (MFA) policies.
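The credential-access behaviour described above (reads of LSASS process memory, dumps of the SAM registry hive) is a natural hunting target. The following is an added example written for this digest, not Microsoft's published hunting queries: it runs two rules over constructed, Sysmon-style key=value records (EventID 10 = ProcessAccess, EventID 1 = ProcessCreate). The allowlist of images that legitimately open lsass.exe is an assumption that must be tuned per environment, and the sample log lines are constructed, not real telemetry.

```python
"""Hunt for LSASS memory reads and registry hive dumps in Sysmon-style records.
Added example; the allowlist and the sample log lines are constructed."""
import re
from dataclasses import dataclass

# Images that routinely open lsass.exe on a Windows host. Assumption: this
# allowlist is illustrative and must be tuned to the fleet being monitored.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# A credential dumper must read LSASS memory, so the granted access mask
# carries PROCESS_VM_READ (0x0010); 0x1010 and 0x1fffff are common values.
PROCESS_VM_READ = 0x0010

# "reg save" of the SAM, SECURITY or SYSTEM hive is a common way to take the
# SAM offline for credential extraction.
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|security|system)\b",
    re.IGNORECASE,
)

KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KEY_VALUE.findall(line)}


def check_event(ev: dict):
    """Return a Finding if the event matches either hunting rule, else None."""
    host = ev.get("Host", "?")
    if ev.get("EventID") == "10":
        source = ev.get("SourceImage", "").lower()
        target = ev.get("TargetImage", "").lower()
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            return None
        if (target.endswith(r"\lsass.exe")
                and access & PROCESS_VM_READ
                and source not in LSASS_ACCESS_ALLOWLIST):
            return Finding("lsass_memory_read", host,
                           f"{source} opened lsass.exe with access 0x{access:x}")
    elif ev.get("EventID") == "1":
        match = HIVE_DUMP.search(ev.get("CommandLine", ""))
        if match:
            return Finding("registry_hive_dump", host,
                           f"{match.group(1).upper()} hive saved: {ev['CommandLine']}")
    return None


def hunt(lines):
    """Run every record through the rules and collect the findings."""
    findings = []
    for line in lines:
        finding = check_event(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not from any real incident).
SAMPLE_LOG = [
    r'EventID=10 Host=WS01 SourceImage="C:\Windows\System32\svchost.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1000',
    r'EventID=10 Host=WS01 SourceImage="C:\Users\bob\AppData\Local\Temp\mk.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1010',
    r'EventID=1 Host=SRV02 Image="C:\Windows\System32\reg.exe" CommandLine="reg save HKLM\SAM C:\Windows\Temp\sam.hiv"',
    r'EventID=1 Host=SRV02 Image="C:\Windows\System32\reg.exe" CommandLine="reg query HKLM\SOFTWARE\Microsoft"',
    r'EventID=10 Host=WS03 SourceImage="C:\Program Files\Windows Defender\MsMpEng.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1fffff',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Of the five constructed records, only the unsigned binary in a user's Temp directory reading LSASS and the `reg save` of the SAM hive produce findings; the allowlisted system processes and the harmless `reg query` do not. In production the allowlist should be derived from a baseline of the fleet rather than hard-coded, and the access-mask check should be paired with the parent-process and signing information Sysmon also records.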
The Evolving Ransomware Landscape Highlights Linux-Focused Payloads and Critical Infrastructure Attacks
The ransomware landscape is rapidly evolving, with threat actors employing sophisticated techniques and targeting critical infrastructure. EclecticIQ analysts note several recent ransomware families that have developed Linux/ESXi-focused payloads. Organizations must remain vigilant, prioritize security updates, and educate employees about potential phishing threats. The integration of various vulnerabilities into ransomware attacks underscores the importance of timely patching and robust cybersecurity measures.
Akira ransomware has been targeting Cisco VPN products to infiltrate corporate networks since March 2023 and has expanded to VMware ESXi virtual machines.[2] The operators compromise Cisco VPN accounts, possibly by exploiting unknown vulnerabilities, and use tools such as RustDesk for stealthy remote access. The group behind Akira is suspected to be Russian, based on linguistic clues and the exclusion of Russian systems from its attacks.
Monti ransomware has returned, targeting VMware ESXi servers and legal and government organizations.[3] The new Linux variant differs notably from earlier iterations: where previous variants depended largely on the leaked Conti source code, this version uses a different encryptor and shows additional unique behaviours.
Cuba ransomware targets critical infrastructure in the U.S. and IT entities in Latin America by exploiting vulnerabilities in Veeam Backup & Replication products.[4] The ransomware operator is now exploiting CVE-2023-27532 to extract credentials from configuration files. This vulnerability affects Veeam Backup & Replication products, and an exploit has been available since March 2023. In addition, Cuba exploits CVE-2020-1472 ("Zerologon"), a vulnerability in Microsoft's Netlogon protocol, for privilege escalation against Active Directory (AD) domain controllers.
WinRAR's Zero-Day Flaw Exploited Targeting Broker Accounts
On July 10, 2023, Group-IB's Threat Intelligence unit discovered a vulnerability in WinRAR while researching the DarkMe malware.[5] Threat actors exploited the flaw in WinRAR's ZIP file processing to distribute weaponized ZIP archives on trading forums. The vulnerability allowed the creation of harmful .RAR and .ZIP archives that appeared to contain files such as JPG images, text files, or PDF documents. When opened, these files would run scripts that installed malware on the victim's computer. Once the archives were extracted and the contents executed, the malware enabled the attackers to withdraw money from broker accounts. Exploitation began in April 2023 and was used to distribute several malware strains, including DarkMe, GuLoader, and Remcos RAT.
Group-IB promptly informed RARLAB about the vulnerability, tracked as CVE-2023-38831, and RARLAB released a patch on August 2, 2023. WinRAR is a widely used compression tool with over five hundred million users globally. This case emphasizes the importance of updating software and being cautious with unknown attachments. EclecticIQ analysts strongly advise updating to the latest version (6.23) to mitigate the risk of this and other recently disclosed vulnerabilities.
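Beyond patching, mail and download gateways can triage archives for the pattern described above: a listing that presents document-looking decoys while carrying script or executable content. The following is an added example written for this digest, not Group-IB's or RARLAB's tooling. The file-and-directory name-collision check reflects the publicly documented shape of CVE-2023-38831 lures, in which a plain file and a directory share a name (often with trailing whitespace) and the directory holds the script; that detail is added background, not from the text above. The decoy and executable extension sets are assumptions to be tuned, and the sample archives are constructed in memory with inert text payloads. Python's standard library only reads ZIP, so .RAR archives would need a separate parser.

```python
"""Triage ZIP listings for decoy-plus-script layouts and name collisions.
Added example; extension sets are assumptions and sample archives are constructed."""
import io
import zipfile

# Assumption: extensions a user reads as "a document" versus content that runs.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf",
                    ".doc", ".docx", ".xls", ".xlsx"}
EXECUTABLE_EXTENSIONS = {".cmd", ".bat", ".vbs", ".js", ".jse", ".wsf",
                         ".ps1", ".exe", ".scr", ".hta", ".lnk"}


def entry_extension(name: str) -> str:
    """Extension of the final path component, ignoring trailing whitespace."""
    base = name.rstrip("/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].strip().lower() if dot >= 0 else ""


def inspect_zip(data: bytes) -> list:
    """Return the reasons an archive looks suspicious; an empty list means clean."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    files = [i.filename for i in infos if not i.is_dir()]
    dirs = {i.filename.rstrip("/") for i in infos if i.is_dir()}
    # Some archivers omit explicit directory entries, so also derive
    # directories from the parent path of every file.
    for name in files:
        if "/" in name:
            dirs.add(name.rsplit("/", 1)[0])
    for name in files:
        if "/" in name:
            continue  # only top-level entries are shown as the "document"
        if name != name.strip():
            reasons.append(f"top-level entry has surrounding whitespace: {name!r}")
        if name in dirs:
            reasons.append(f"file and directory share the name {name!r}")
    decoys = [n for n in files if entry_extension(n) in DECOY_EXTENSIONS]
    executables = [n for n in files if entry_extension(n) in EXECUTABLE_EXTENSIONS]
    if decoys and executables:
        reasons.append(f"decoy-looking entries {decoys} packaged with "
                       f"executable content {executables}")
    return reasons


def is_suspicious(data: bytes) -> bool:
    """Gateway-style verdict: quarantine when any reason fires."""
    return bool(inspect_zip(data))


def build_sample(entries) -> bytes:
    """Construct an in-memory ZIP from (name, bytes) pairs; test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples. The lure mimics the layout only; its payload is inert text.
BENIGN_ZIP = build_sample([
    ("report.pdf", b"%PDF-1.4 constructed placeholder"),
    ("notes.txt", b"meeting notes"),
])
LURE_ZIP = build_sample([
    ("photo.jpg ", b"not an image, constructed placeholder"),
    ("photo.jpg /photo.jpg .cmd", b"rem inert placeholder, does nothing"),
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("lure", LURE_ZIP)):
        print(label, "->", inspect_zip(blob) or "clean")
```

The benign archive yields no reasons, while the constructed lure trips all three checks: a top-level name with trailing whitespace, a file that collides with a directory name, and a decoy extension packaged with a script. Each check is a heuristic and will produce some false positives on legitimate archives (installers legitimately mix documents and executables), so the output is better used to route an archive to sandboxing than to block it outright.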
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.
Appendix
[1] Microsoft Threat Intelligence, “Flax Typhoon using legitimate software to quietly access Taiwanese organizations,” Microsoft Security Blog, Aug. 24, 2023. https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/ (accessed Aug. 27, 2023).
[2] “Akira ransomware targets Cisco VPNs to breach organizations,” BleepingComputer. https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cisco-vpns-to-breach-organizations/ (accessed Aug. 27, 2023).
[3] “Monti Ransomware Unleashes a New Encryptor for Linux,” Trend Micro, Aug. 14, 2023. https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html (accessed Aug. 27, 2023).
[4] “Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America,” BlackBerry. https://blogs.blackberry.com/en/2023/08/cuba-ransomware-deploys-new-tools-targets-critical-infrastructure-sector-in-the-usa-and-it-integrator-in-latin-america (accessed Aug. 27, 2023).
[5] “Traders’ dollars in danger: CVE-2023-38831 zero-day vulnerability in WinRAR exploited by cybercriminals to target traders,” Group-IB. https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ (accessed Aug. 27, 2023).