A Chinese state-sponsored hacking group, Silk Typhoon, exploits zero-day vulnerabilities in edge devices to infiltrate IT networks and supply chains, compromising sensitive information.
Researchers observed that since late 2024, Silk Typhoon had been using stolen API keys and credentials associated with privileged access management (PAM) solutions, cloud application providers, and data management companies. This approach enables them to access downstream customer environments, primarily targeting IT infrastructure and state and local governments in the United States.
The threat actor used stolen API keys to infiltrate downstream customers and conduct reconnaissance after exfiltrating data such as US government policies, legal documents, and law enforcement investigations. Finally, Silk Typhoon resets admin accounts, deploys web shells, and creates additional user accounts to maintain access and persistence.
“After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives,” researchers explained.
Silk Typhoon also utilises password-spraying techniques, leveraging leaked corporate credentials from public repositories such as GitHub.

Once inside a target network, Silk Typhoon dumps Active Directory credentials and steals passwords from key vaults. The cybercriminal group then targets Entra Connect (previously Microsoft AADConnect) to escalate privileges and move between on-premises and cloud environments.
Cybersecurity experts discovered that the group has abused service principals and OAuth applications to exfiltrate data via Microsoft Graph API and Exchange Web Services (EWS). They manipulate legitimate applications to blend into environments, facilitating stealthy data theft.
Silk Typhoon routes its activity through covert networks built from compromised devices such as Cyberoam appliances, Zyxel routers and QNAP devices, a tactic used by Chinese state-sponsored actors to obfuscate their malicious activities.
Experts have urged organisations to inspect log activity related to Entra Connect servers, monitor service principal activity for unauthorised secret creation, investigate anomalies in SharePoint and email data exfiltration, review newly created accounts and analyse VPN logs for suspicious activity.
“Silk Typhoon was seen creating Entra ID applications in an attempt to facilitate this data theft. The actors would typically name the application in a way to blend into the environment by using legitimate services or Office 365 themes,” said researchers.
Organisations should also implement least privilege principles, audit privileged accounts, and monitor OAuth application activity. Multi-factor authentication (MFA) should also be a requirement for all users, especially for high-risk accounts.