Analytics Story: Flax Typhoon

Date: 2023-08-25 ID: 78fadce9-a07f-4508-8d14-9b20052a62cc Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions.

Why it matters

Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the remote desktop protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
BITSAdmin Download File	BITS Jobs, Ingress Tool Transfer	TTP
CertUtil Download With URLCache and Split Arguments	Ingress Tool Transfer	TTP
Detect Webshell Exploit Behavior	Server Software Component, Web Shell	TTP
Dump LSASS via comsvcs DLL	LSASS Memory, OS Credential Dumping	TTP
Overwriting Accessibility Binaries	Event Triggered Execution, Accessibility Features	TTP
PowerShell 4104 Hunting	Command and Scripting Interpreter, PowerShell	Hunting
W3WP Spawning Shell	Server Software Component, Web Shell	TTP
Windows Mimikatz Binary Execution	OS Credential Dumping	TTP
Windows Service Created with Suspicious Service Path	System Services, Service Execution	TTP
Windows SQL Spawning CertUtil	Ingress Tool Transfer	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Powershell Script Block Logging 4104	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 11	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`
Windows Event Log System 7045	Windows	`xmlwineventlog`	`XmlWinEventLog:System`

References

https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/

Source: GitHub | Version: 1