Two-way lateral movement:

Aside from abusing cloud assets and third-party services and software providers to gain access to local networks, the Silk Typhoon attackers are also proficient in jumping from on-premises environments into cloud environments. The group’s hackers regularly target Microsoft AADConnect (now Entra Connect) servers, which are used to synchronize on-premises Active Directory deployments with Azure AD (now called Entra ID). Once inside a local network, the attackers will try to dump credentials from Active Directory, search for passwords inside key vaults and escalate their privileges to admin.

In addition to targeting IT providers, identity management providers and RMM solutions for initial access, Silk Typhoon has a history of developing zero-day exploits. In 2021, the group compromised hundreds of Microsoft Exchange servers belonging to private organizations and government agencies through zero-day exploits, prompting the FBI to obtain a court order that allowed the agency to remotely remove the deployed web shells from private servers, a move that was seen as unprecedented.
Salt Typhoon also targets compromised credentials:

Since then, the group has specialized in zero-day exploits for network-edge devices, exploiting vulnerabilities in GlobalProtect Gateway on Palo Alto Networks firewalls (CVE-2024-3400), Citrix NetScaler appliances (CVE-2023-3519) and Ivanti Pulse Connect Secure appliances (CVE-2025-0282).

Compromised credentials are also a big part of the group’s initial access efforts. These come from password spray attacks, active collection from compromised networks and systems, and reconnaissance by scanning public GitHub repositories for corporate credentials and passwords. However, credentials are not always needed if there are privileged and pre-authenticated applications that can be abused to access information.

“While analyzing post-compromise tradecraft, Microsoft identified Silk Typhoon abusing service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via MSGraph,” the researchers said. “Throughout their use of this technique, Silk Typhoon has been observed gaining access to an application that was already consented within the tenant to harvest email data and adding their own passwords to the application.”
Defending against Silk Typhoon’s methods:

Organizations should make sure all of their internet-facing servers, appliances and other devices are kept up to date. In case a zero-day vulnerability has been exploited, forensic analysis should be performed and all potential post-compromise activities a threat actor might have performed, including lateral movement, should be investigated. Following patch cycles, any active or persistent sessions for logged-in users or remote users should be terminated and reset.

Microsoft said that legitimate applications, service principals and service accounts should be subject to strong controls and monitoring. These include:
- Audit the current privilege level of all identities, users, service principals, and Microsoft Graph Data Connect applications (use the Microsoft Graph Data Connect authorization portal) to understand which identities are highly privileged. Scrutinize privileges more closely if they belong to an unknown identity, belong to identities that are no longer in use, or are not fit for purpose.
- Identify abused OAuth apps using anomaly detection policies. Detect abused OAuth apps that perform sensitive Exchange Online administrative activities through App governance. Investigate and remediate any risky OAuth apps.
- Review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions and understand whether they are still required in the tenant.
- Applications that are no longer required should be removed. If apps must access mailboxes, granular and scalable access can be implemented using role-based access control for applications in Exchange Online. This access model ensures applications are granted access only to the specific mailboxes they require.

Sign-ins from unusual locations should also be flagged, access should follow the principle of least privilege, and VPN access should use modern authentication methods. On-premises service accounts should not have direct permissions on cloud resources, to limit lateral movement, and conditional access policies should be implemented. The Microsoft report contains additional recommendations as well as Microsoft Sentinel queries to hunt for Silk Typhoon-related activities.
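As an added illustration of the application review above (not code from the article or from Microsoft), the script below runs two checks over an exported service-principal inventory: which apps hold the EWS-wide permissions the report names, and which apps received a new client secret recently, the "adding their own passwords to the application" pattern described earlier. The inventory shape, with permission names already resolved per app, is an assumption; the passwordCredentials fields mirror Microsoft Graph's passwordCredential object, and the records are constructed sample data.

```python
import json
from datetime import datetime, timedelta

# Permissions the report asks tenants to review.
EWS_PERMISSIONS = {"EWS.AccessAsUser.All", "EWS.full_access_as_app"}

# Constructed sample inventory (assumed export shape: one record per service
# principal with resolved permission names and Graph-style passwordCredentials).
SAMPLE_INVENTORY = json.loads("""[
 {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "Mail Archiver",
  "permissions": ["EWS.full_access_as_app", "User.Read"],
  "passwordCredentials": [
    {"keyId": "k1", "displayName": "deploy-2023", "startDateTime": "2023-05-01T00:00:00Z"},
    {"keyId": "k2", "displayName": null, "startDateTime": "2025-03-02T09:15:00Z"}]},
 {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "HR Portal",
  "permissions": ["User.Read", "Files.Read.All"],
  "passwordCredentials": [
    {"keyId": "k3", "displayName": "prod", "startDateTime": "2024-11-20T00:00:00Z"}]},
 {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "Legacy Sync",
  "permissions": ["EWS.AccessAsUser.All"], "passwordCredentials": []}
]""")

# Reference time for the sample run (constructed).
REFERENCE_TIME = "2025-03-10T00:00:00Z"


def _parse(ts):
    """Parse a Graph-style UTC timestamp ending in Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_apps(inventory, now, recent_days=30):
    """Return (appId, reason) findings: apps holding EWS-wide permissions that
    need review, and client secrets added within the last recent_days."""
    findings = []
    cutoff = _parse(now) - timedelta(days=recent_days)
    for sp in inventory:
        ews = sorted(set(sp.get("permissions", [])) & EWS_PERMISSIONS)
        if ews:
            findings.append((sp["appId"], "review-ews-permission:" + ",".join(ews)))
        for cred in sp.get("passwordCredentials", []):
            if _parse(cred["startDateTime"]) >= cutoff:
                findings.append((sp["appId"], f"recent-secret:{cred['keyId']}"))
    return findings


if __name__ == "__main__":
    for app_id, reason in audit_apps(SAMPLE_INVENTORY, REFERENCE_TIME):
        print(app_id, reason)
```

A secret added to an app that also holds one of the EWS permissions deserves the closest look, since that combination matches the exfiltration path the researchers describe.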
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3840546/chinese-apt-silk-typhoon-exploits-it-supply-chain-weaknesses-for-initial-access.html