In recent times, there has been a rise in cyber-attack incidents linked to a Chinese origin advanced persistent threat group. This group, followed closely by Microsoft's Threat Intelligence department, has been aptly named "Flax Typhoon," also known as "Ethereal Panda." The group's primary target range extends to various organizations within Taiwan, sparking suspicions of an extensive espionage campaign.
Flax Typhoon prefers a stealthy approach by using built-in OS tools and other harmless software to maintain an inconspicuous, long-term presence within the network infrastructure of the target organizations. Interestingly, the group doesn't seem to actively exploit this access to collect or exfiltrate data.
Their focus of attack encompasses critical manufacturing, government organizations, educational establishments, and IT businesses in Taiwan. The group's activities aren't entirely restricted to Taiwan, with instances detected in Southeast Asia, North America, and even Africa. These activities have been traced back to mid-2021.
Ethereal Panda has been known to pay particular interest to the technology, telecommunication, and academic sectors within Taiwan. They maintain their network access largely through SoftEther VPN executables. The group has also been witnessed deploying the GodZilla web shell.
Like most cyber threat actors, Flax Typhoon uses subtle, evolving methods to avoid detection— one of these being the use of pre-installed tools in the target environment to avoid the need for extra download or creation of distinct components. The hackers gain initial access by exploiting known vulnerabilities in public-facing servers, and then establish long-term access by deploying web shells like China Chopper.
One unique trait of the Flax Typhoon's hacking method is the modification of the Sticky Keys behavior to initiate the Task Manager. This clever maneuver allows the group to carry out post-exploitation activities on compromised systems. When it’s necessary to move laterally within the compromised network, the actor employs Living-off-the-Land binaries (LOL bins), including WMIC and Windows Remote Management (WinRM).
In an incident highlighted by CrowdStrike, Flax Typhoon was suspected of meddling with an Apache Tomcat installation in order to breach an organization. Once inside, they enumerated various resources within the host and extracted credentials using both ProcDump and Mimikatz.
This narrative exposes a grim reality of the modern digital era and cybersecurity landscape, where threat actors are constantly evolving their methods. They’re becoming smarter, more selective, and are shifting their tradecraft towards undermining the vulnerable aspects of their targets' operations.
In light of these mounting cyber threats, an organization's cybersecurity measures should be of prime importance. It's wise to invest in comprehensive IT security measures that include compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, and architecture design.
At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.