Flax Typhoon, a remarkably advanced hacking group, has caught the attention of Microsoft due to its utilization of a groundbreaking tactic called “Living Off the Land Binaries” (LOLBins). This ingenious technique enables them to infiltrate systems and remain undetected, raising serious concerns.
Detailed overview of Flax Typhoon
Microsoft found a Flax Typhoon hacking group that targets government agencies, educational institutions, manufacturing companies, and IT organisations. The primary focus of the group is espionage. Flax Typhoon uses components already in the victim’s operating system. These components are known as living-off-the-land binaries, LOLBins, and legitimate software.
Flax Typhoon has been operating since mid-2021. Taiwan is their primary target, but the group has also hit Southeast Asia, North America, and Africa. Flax Typhoon started its attacks by targeting vulnerable public-facing servers like VPN, web services, Java applications, and SQL applications. Hackers use a small and powerful tool called China Chopper web shell (4KB in size) to execute code remotely.
Observed Flax Typhoon TTP
Hackers may escalate their privileges to the administrator level using tools like ‘Juicy Potato’ and ‘BadPotato.’ These tools take advantage of known vulnerabilities to gain higher permissions.
Flax Typhoon achieves persistence by turning off network-level authentication (NLA) through changes in the registry and utilizing the Windows Sticky Keys accessibility feature to establish an RDP (Remote Desktop Protocol) connection.
Microsoft explains that Flax Typhoon can access the compromised system through RDP. They use the Sticky Keys shortcut at the sign-in screen and access Task Manager with local system privileges.
Once accessed, the actor can open the Terminal, generate memory dumps, and execute virtually any other operation on the compromised system. Flax Typhoon uses a legitimate VPN bridge to bypass RDP connectivity restrictions and maintain the connection between the compromised system and its external server.
Hackers use LOLBins like PowerShell Invoke-WebRequest utility, certutil, or bitsadmin to download the open-source SoftEther VPN client. They then exploit different built-in Windows tools to configure the VPN app to start automatically when the system boots up. Attackers rename the file to ‘conhost.exe’ or ‘dllhost.exe’ to hide it as a legitimate Windows component and reduce the chances of being detected.
In addition, Flax Typhoon incorporates SoftEther’s VPN-over-HTTPS mode to disguise VPN traffic as regular HTTPS traffic. According to Microsoft, hackers utilise Windows Remote Management (WinRM), WMIC, and other LOLBins to facilitate lateral movement.
At the moment, Microsoft has yet to observe Flax Typhoon utilizing the stolen credentials to extract further data, raising questions about the actor’s primary objective.
Protection
Organizations are strongly advised by Microsoft to promptly install the most recent security updates on all internet-exposed endpoints and public-facing servers. Additionally, it is crucial to enable multi-factor authentication (MFA) on all accounts. Registry monitoring can detect and prevent unauthorized changes, such as those made by Flax Typhoon to disable NLA.
Organisations who suspect a breach from this threat actor should carefully check their networks. Flax Typhoon stays in the system for a long time, compromising multiple accounts and changing system configuration to maintain access in the long term.
