Silk Typhoon Found Exploiting Remote Management Tools and Cloud Using Leaked Corporate Passwords

Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

Researchers found that Silk Typhoon, the cyber espionage group affiliated with China, has been breaching IT solutions companies to gain access to a wide variety of targets. Their prime focus remains on unpatched vulnerabilities in applications related to Remote Monitoring and Management (RMM) tools and the cloud. 

Once in, Silk Typhoon looks for other customer networks by using the same credentials and stolen keys. Microsoft Threat Intelligence detailed the Tactics, Techniques, and Procedures (TTPs) used by Silk Typhoon in exploiting Microsoft services to monitor specific individuals.

In addition to exploiting zero-day vulnerabilities in edge devices that transmit data between the local network and the cloud, the cyber espionage group has been observed carrying out supply chain attacks.

They maintain persistence on every public-facing device they can reach. This makes it convenient for them to spy on individuals, categorizing them by location, services, and sector. They have been targeting managed service providers (MSPs), healthcare, legal services, educational institutes, defense, government, non-governmental organizations, and energy.

Recent findings highlight the threat posed to cloud app providers, cloud data management companies, and privileged access management (PAM). The group uses corporate passwords leaked on public repositories like GitHub, first testing whether they still work, whether the victim has changed them, or whether MFA is enabled on the account.

Silk Typhoon moves laterally from the on-premises environment to the cloud and steals passwords from key vaults. 

Silk Typhoon operators primarily abuse the admin access of personnel involved in US government policy, legal investigations, and legal proceedings.

They reset admin credentials, locking the legitimate account holder out of their data, steal information, and create additional accounts for the threat actors. To evade detection, they clear their activity logs.

Microsoft noted that the group targets AADConnect (now Entra Connect) that syncs data with Entra ID (formerly Azure AD). They compromise OAuth applications via admin privileges and access emails, OneDrive, and SharePoint. 

They steal data via the Microsoft Graph API. They were also observed compromising the Exchange Web Services (EWS) API and renaming apps so that they blend in with other items and do not attract attention.

They were found using covert networks that were compromised or leased and likely shared by threat actors. This includes Cyberoam appliances, Zyxel routers, and QNAP devices.

Organizations are urged to watch for suspicious log activity on Entra Connect servers, monitor newly created applications, and check multi-tenant applications for signs of authentication abuse.
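As an added example, not code from Microsoft or from the article, the script below applies that monitoring advice to constructed Entra ID-style audit records: it flags newly registered apps or service principals, credentials added to an app, and display-name changes (the renaming-to-blend-in behaviour described above), then correlates all three by actor. The record shape, the activity names, and every value in the sample log are assumptions.

```python
import json
from datetime import datetime, timedelta
# Constructed sample records, shaped loosely like Entra ID audit-log entries
# (activityDisplayName / initiatedBy / targetResources); all values are hypothetical.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2025-03-05T10:02:00Z", "activityDisplayName": "Add application",
     "initiatedBy": "admin.jdoe@contoso.example", "targetResources": [{"displayName": "SyncHelper"}]},
    {"activityDateTime": "2025-03-05T10:05:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "admin.jdoe@contoso.example", "targetResources": [{"displayName": "SyncHelper"}]},
    {"activityDateTime": "2025-03-05T10:06:00Z", "activityDisplayName": "Update application",
     "initiatedBy": "admin.jdoe@contoso.example", "targetResources": [{"displayName": "Microsoft Graph Sync",
      "modifiedProperties": [{"displayName": "DisplayName", "oldValue": "SyncHelper",
                              "newValue": "Microsoft Graph Sync"}]}]},
    {"activityDateTime": "2025-02-01T08:00:00Z", "activityDisplayName": "Add application",
     "initiatedBy": "svc.deploy@contoso.example", "targetResources": [{"displayName": "HR Portal"}]},
])
# Activity names are an assumed watch-list; align them with your tenant's log schema.
CREATION_EVENTS = {"Add application", "Add service principal"}
CREDENTIAL_EVENTS = {"Add service principal credentials"}

def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def triage(log_json, now, window=timedelta(hours=24)):
    """Flag, within `window` of `now`: new apps or service principals, credentials
    added to an app, and display-name changes (an app renamed to blend in)."""
    findings = []
    for ev in json.loads(log_json):
        if now - parse_time(ev["activityDateTime"]) > window:
            continue  # outside the review window
        activity, actor = ev["activityDisplayName"], ev["initiatedBy"]
        for target in ev["targetResources"]:
            app = target["displayName"]
            if activity in CREATION_EVENTS:
                findings.append({"kind": "new_app", "app": app, "actor": actor, "detail": activity})
            elif activity in CREDENTIAL_EVENTS:
                findings.append({"kind": "credential_added", "app": app, "actor": actor, "detail": activity})
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") == "DisplayName" and prop["oldValue"] != prop["newValue"]:
                    findings.append({"kind": "rename", "app": app, "actor": actor,
                                     "detail": f"{prop['oldValue']} -> {prop['newValue']}"})
    return findings

def chained_actors(findings):
    """Actors who created an app, added a credential and renamed it in one window: worth escalating."""
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f["actor"], set()).add(f["kind"])
    return {a for a, kinds in by_actor.items() if kinds >= {"new_app", "credential_added", "rename"}}
```

Events older than the window (the "HR Portal" registration in the sample) are dropped, so run it against a recent export rather than the full history.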
