Flax Typhoon is a suspected China-based, nation-state threat actor whose TTPs appear to be closely aligned with espionage objectives and extended persistence. Despite activity tracing back to mid-2021, this APT's final objectives are unknown and they have been observed mostly targeting government, education, and critical manufacturing organizations in Taiwan; Though a small subset of attacks have occurred in North America, Africa, and Southwest Asia. The tactics and techniques utilized in these attacks are easily modified for use against a broad range of networks and industries and could have disastrous outcomes if carried out against an organization. With minimal "out-of-the-box" coverage by traditional security vendors, Lumifi aims to break down the attack methods of this threat actor as well as provide coverage and mitigation guidance for potential attacks following a similar attack chain.
Flax Typhoon has been observed utilizing tools such as Mimikatz, China Chopper Webshell, Metasploit, and the SoftEther VPN client in the past, however they primarily specialize in hands-on keyboard activity as well as Living-off-the-Land techniques.
This threat actor gains initial access by exploiting known vulnerabilities in public-facing servers across a variety of services, including (but not limited to) VPN, SQL, Java, and web applications with the goal of dropping a web shell allowing for remote code execution (RCE) against the targeted server. Once the server is compromised, if the threat actor doesn't have administrative permissions, they will run a piece of malware such as Juicy Potato to obtain local system permissions to gain access to WMIC, Powershell, or Command Line with local administrator permissions.
Once full system access is achieved, Flax Typhoon disables network-level authentication for RDP and modifies the sticky keys binary to launch Windows Task Manager as a debugger, giving the threat actor access to launch a Windows command interface and create memory dumps with system level permissions. While RDP is typically running only on an internal-facing network interface, the threat actor will also install a legitimate VPN bridge to call back to the network infrastructure under their control, giving them long-term system level access to a compromised host.
To deploy this VPN, the threat actor uses one of many LOLBins, such as Powershell, BITSAdmin, or CertUtil, to download the executable for SoftEther VPN from their infrastructure. Once this file is downloaded, a service or scheduled task is created to automatically launch the VPN bridge upon startup of the compromised machine. In order to make detection more difficult, the file's name is changed to 'conhost.exe' or 'dllhost.exe' to imitate legitimate Windows components. The actor also utilizes a VPN over HTTPS mode built-in to the VPN to blend in with legitimate HTTPS traffic and helps evade most network security controls.
At this point, a foothold is established on a compromised host and an unusual pattern emerges. In some cases, LOLBins such as WinRM and WMIC will be used to move laterally to other systems on the network, or the threat actor will attempt to dump LSASS and access the SAM registry hive in order to access account password hashes to access other resources on the network via password cracking or pass-the-hash attacks. However, in most cases minimal activity occurs after persistence is established on a network. Due to this behavioral pattern and the lack of data-collection/exfiltration objectives, it is suspected that these attacks are part of a larger espionage campaign, though final objectives of this campaign have not been observed.
Lumifi's Current Coverage and Mitigation Recommendations:
Lumifi currently has a number of detections in our content library that would successfully detect this threat actor at multiple points in their attack chain. The usage of tools such as Metasploit and Mimikatz would be detected via our rule 'LMFI - Powershell Exploitation Framework Activity'. Usage of BITSAdmin or CertUtil to download a malicious file would be detected by our rules 'LMFI - Persistence using BITSadmin' and 'LMFI - Suspicious Certutil Usage' respectively. Along with these detections, we have also created detections specifically focused on this attack chain, which detect the persistence mechanisms associated with disabling NLA for RDP and spawning any suspicious processes from accessibility functions such as command-line consoles and task manager. These rules are titled 'LMFI - NLA for RDP Tampering' and 'LMFI - Suspicious Process Spawned from Accessibility Functions'.
As for mitigations and defending against Flax Typhoon, this starts with vulnerability management, especially on any systems exposed to the public internet. Additionally, registry auditing should be enabled so that any registry changes made to critical registry keys is logged and can be used for threat hunting and event correlation. RDP usage should be reduced to a minimum and any systems that are not expected to maintain RDP connections should generate an alert. Finally, utilize MFA on all accounts and regularly change passwords.