
In January 2021, the China-linked threat actors behind the zero-day exploitation of security flaws in Microsoft Exchange servers shifted their tactics to target information technology (IT) supply chains as a way to gain initial access to corporate networks.
That is according to new research from the Microsoft Threat Intelligence team, which said the Silk Typhoon (formerly Hafnium) hacking group is now targeting solutions such as remote management tools and cloud applications to gain a foothold.
"After successfully compromising a victim, Silk Typhoon can use stolen keys and credentials to infiltrate customer networks and exploit various deployed applications, including Microsoft services, to achieve espionage goals."
The adversary group is assessed to be "well-resourced and technically efficient," quickly putting exploits for zero-day vulnerabilities in edge devices to use in opportunistic attacks that let it scale across a wide range of sectors and regions.

These include information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and their affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), energy, and others located in the United States and around the world.
Silk Typhoon has been observed relying on various web shells to achieve command execution, persistence, and data exfiltration from victim environments. It is also said to have demonstrated a keen understanding of cloud infrastructure, allowing it to move laterally and harvest data of interest.
Since at least late 2024, the attackers have been linked to a new set of methods, including the abuse of stolen API keys and credentials associated with privileged access management (PAM), cloud app providers and cloud data management companies, which they have used to carry out supply chain compromises against downstream customers.
"Using access obtained through API keys, the actors performed reconnaissance and data collection on targeted devices through their management accounts," Microsoft said, adding that the targets of this activity were primarily state and local governments and the IT sector.
Some of the other initial access routes adopted by Silk Typhoon involve the exploitation of a zero-day security flaw in Ivanti Pulse Connect VPN (CVE-2025-0282) and password spray attacks using enterprise credentials that surfaced in leaked passwords in public repositories such as GitHub.
Other vulnerabilities abused by the threat actor as zero-days include:
- CVE-2024-3400, a command injection flaw in Palo Alto Networks firewalls
- CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway
- CVE-2021-26855 (aka ProxyLogon), CVE-2021-26858, and CVE-2021-27065, a set of vulnerabilities affecting Microsoft Exchange Server

Following successful initial access, the threat actor has been observed moving laterally from on-premises environments to cloud environments and leveraging OAuth applications with administrative permissions to exfiltrate email, OneDrive, and SharePoint data via the MSGraph API.
To obfuscate the origins of its malicious activity, Silk Typhoon relies on a "covert network" made up of compromised Cyberoam appliances, Zyxel routers and QNAP devices, a hallmark of several Chinese state-sponsored actors.
"During recent activities and historical exploitation of these appliances, Silk Typhoon has utilized various web shells to maintain persistence and allow the actors to remotely access victim environments," Microsoft said.
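The OAuth abuse described above hinges on an application holding admin-consented, tenant-wide Graph permissions over mail, files and sites. The following added example (not Microsoft's code or the article's own) shows one way a defender can review consent audit events for such grants; the event field names are a simplified assumption for this example, loosely modelled on Entra ID "Consent to application" records, and the sample events are constructed.

```python
# Graph permission scopes that let an app read mailbox, OneDrive and SharePoint
# content tenant-wide: the exfiltration path described in the article.
EXFIL_SCOPES = {
    "Mail.Read", "Mail.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}

# Constructed sample events. Field names are an assumption for this example,
# loosely modelled on Entra ID consent audit records, not a real schema.
SAMPLE_EVENTS = [
    {"activity": "Consent to application", "app": "Contoso Backup Sync",
     "is_admin_consent": True,
     "permissions": "Mail.Read Files.Read.All Sites.Read.All offline_access",
     "actor": "globaladmin@example.test"},
    {"activity": "Consent to application", "app": "Meeting Helper",
     "is_admin_consent": False, "permissions": "User.Read openid profile",
     "actor": "jdoe@example.test"},
    {"activity": "Add app role assignment to service principal",
     "app": "Contoso Backup Sync", "is_admin_consent": True,
     "permissions": "Mail.ReadWrite", "actor": "globaladmin@example.test"},
    {"activity": "Consent to application", "app": "Internal Dashboard",
     "is_admin_consent": True, "permissions": "User.Read",
     "actor": "globaladmin@example.test"},
]


def risky_scopes(permissions):
    """Return the subset of granted scopes that give broad mail/files/sites access."""
    return {p for p in permissions.split() if p in EXFIL_SCOPES}


def find_risky_grants(events):
    """Collect admin-level grants of broad Graph data permissions, keyed by app.

    Admin consent matters because it applies to the whole tenant rather than to
    the consenting user, which is what lets one OAuth app reach every mailbox
    and drive. User-level consent to the same scopes is lower severity and is
    skipped here.
    """
    findings = {}
    for ev in events:
        if not ev.get("is_admin_consent"):
            continue
        scopes = risky_scopes(ev.get("permissions", ""))
        if scopes:
            findings.setdefault(ev["app"], set()).update(scopes)
    return findings


if __name__ == "__main__":
    for app, scopes in find_risky_grants(SAMPLE_EVENTS).items():
        print(f"REVIEW: {app} holds tenant-wide {sorted(scopes)}")
```

Feeding real consent audit exports into this check requires mapping their actual field names onto the ones assumed here.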