Microsoft: Stealthy Flax Typhoon Hackers Use Lolbins to Evade Detection

Cyber Security Threat Summary:
Microsoft has identified a new threat group it tracks as Flax Typhoon. The group targets government bodies, educational institutions, critical manufacturing, and IT organizations, presumably for espionage. Rather than relying heavily on malware to infiltrate and control victim networks, the attackers use components already present in the operating system, known as living-off-the-land binaries (LOLBins), together with legitimate software. Active since at least mid-2021, Flax Typhoon has primarily targeted entities in Taiwan, although Microsoft has also identified victims in Southeast Asia, North America, and Africa.

In the operation monitored by Microsoft, Flax Typhoon gained initial access by exploiting known vulnerabilities in publicly accessible servers, including VPN, web, Java, and SQL applications. “The hackers dropped China Chopper, a small (4KB) yet powerful web shell that provides remote code execution capabilities. If required, the hackers elevate their privileges to administrator level using the publicly available ‘Juicy Potato’ and ‘BadPotato’ open-source tools that exploit known vulnerabilities to obtain higher permissions. Next, Flax Typhoon establishes persistence by turning off network-level authentication (NLA) through registry modifications and exploiting the Windows Sticky Keys accessibility feature to set up an RDP (Remote Desktop Protocol) connection. “Flax Typhoon can access the compromised system via RDP, use the Sticky Keys shortcut at the sign-in screen, and access Task Manager with local system privileges,” explains Microsoft. “From there, the actor can launch the Terminal, create memory dumps, and take nearly any other action on the compromised system.” To circumvent restrictions limiting RDP connectivity to the internal network, Flax Typhoon installs a legitimate VPN (virtual private network) bridge to maintain the link between the compromised system and their external server. The hackers download the open-source SoftEther VPN client using LOLBins like the PowerShell Invoke-WebRequest utility, certutil, or bitsadmin, and abuse various built-in Windows tools to set the VPN app to launch automatically on system startup.” (BleepingComputer, 2023).

Security Officer Comments:
To reduce the risk of detection, the attackers rename the SoftEther VPN executable to 'conhost.exe' or 'dllhost.exe', making it appear to be a legitimate Windows component. Additionally, Flax Typhoon uses SoftEther's VPN-over-HTTPS mode to disguise VPN traffic as regular HTTPS traffic. According to Microsoft, the group uses Windows Remote Management (WinRM), WMIC, and other LOLBins for lateral movement. Researchers note that this China-based adversary frequently uses the Mimikatz tool to obtain credentials from the memory of the Local Security Authority Subsystem Service (LSASS) process and from the Security Account Manager (SAM) registry hive. Although Flax Typhoon steals credentials, Microsoft has not observed the group using them to extract further data, leaving its primary objective unclear.
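As an added example, not part of the original summary or of Microsoft's report, the following PowerShell script audits a single Windows host for the persistence and masquerading artefacts described in the two sections above: NLA switched off on the RDP listener, Sticky Keys (sethc.exe) and its sibling accessibility binaries redirected through an Image File Execution Options Debugger value or replaced on disk (the two usual ways that feature is subverted, which the summary does not spell out), processes named conhost.exe or dllhost.exe running from outside System32, and services, scheduled tasks or Run keys that would relaunch such a binary at boot. The registry paths are the standard Windows locations; the list of accessibility binaries beyond sethc.exe and the SoftEther stock file names (vpnclient.exe, vpnbridge.exe, vpncmd.exe) are my assumptions about what an unrenamed or renamed copy would look like. The script is read-only and is meant to run in an elevated session.

```powershell
# Added example (not from the article or Microsoft's report): read-only audit of
# one host for Flax Typhoon style persistence artefacts. Run elevated.

$findings  = [System.Collections.Generic.List[string]]::new()
$system32  = Join-Path $env:SystemRoot 'System32'
# Assumed names: Windows components the VPN binary is renamed to, plus SoftEther's stock names
$suspectExe = '(conhost|dllhost|vpnclient|vpnbridge|vpncmd)\.exe'

function Test-OutsideSystem32([string]$Path) {
    # True when the path is set and does not resolve to a file under %SystemRoot%\System32
    if (-not $Path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    return -not $expanded.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
}

# 1. Network Level Authentication turned off on the RDP listener (UserAuthentication = 0)
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -eq 0) { $findings.Add("NLA disabled: $rdpKey\UserAuthentication = 0") }

# 2. Sticky Keys and sibling accessibility tools: IFEO 'Debugger' redirection, or a
#    binary in System32 that no longer carries a valid Microsoft signature
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($bin in 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe') {
    $dbg = (Get-ItemProperty -Path (Join-Path $ifeo $bin) -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("IFEO Debugger set for ${bin}: $dbg") }
    $sig = Get-AuthenticodeSignature -FilePath (Join-Path $system32 $bin) -ErrorAction SilentlyContinue
    if ($sig -and ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft')) {
        $findings.Add("$bin in System32 is not validly Microsoft-signed (status: $($sig.Status))")
    }
}

# 3. Running processes named like Windows components but started from elsewhere
Get-Process -Name conhost, dllhost -ErrorAction SilentlyContinue | ForEach-Object {
    if (Test-OutsideSystem32 $_.Path) {
        $findings.Add("Masquerading process $($_.ProcessName) (PID $($_.Id)) at $($_.Path)")
    }
}

# 4a. Services whose image is one of the suspect names outside System32
Get-CimInstance Win32_Service | ForEach-Object {
    $exe = ($_.PathName -split '\.exe')[0] + '.exe'      # strip arguments after the image path
    if ($exe -match "$suspectExe`$" -and (Test-OutsideSystem32 $exe)) {
        $findings.Add("Service '$($_.Name)' runs $($_.PathName)")
    }
}

# 4b. Scheduled tasks with such an action
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if ($exe -and $exe -match "$suspectExe`$" -and (Test-OutsideSystem32 $exe)) {
            $findings.Add("Scheduled task '$($task.TaskName)' runs $exe")
        }
    }
}

# 4c. Run keys (machine and current user) referencing such a binary
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            if ("$($_.Value)" -match $suspectExe) {
                $findings.Add("Run key $run\$($_.Name) = $($_.Value)")
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Flax Typhoon style persistence artefacts found on this host.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Each finding is a string, so the script can be run by a fleet-management tool and the warnings collected centrally; a hit on the IFEO or signature checks for sethc.exe is high-confidence, while the process and autostart checks are meant to surface candidates for triage rather than to confirm compromise on their own.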

Suggested Correction(s):
Microsoft recommends these mitigations to help defend against Flax Typhoon attacks:

  • Keep public-facing servers up to date to defend against malicious activity. As prime targets for threat actors, public-facing servers need additional monitoring and security. User input validation, file integrity monitoring, behavioral monitoring, and web application firewalls can all help to better secure these servers.
  • Monitor the Windows registry for unauthorized changes. The Audit Registry feature allows administrators to generate events when specific registry keys are modified. Such policies can detect registry changes that undermine the security of a system, like those made by Flax Typhoon.
  • Use network monitoring and intrusion detection systems to identify unusual or unauthorized network traffic. If an organization does not use RDP for a specific business purpose, any RDP traffic should be considered unauthorized and generate alerts.
  • Ensure that Windows systems are kept updated with the latest security patches, including MS16-075.
  • Mitigate the risk of compromised valid accounts by enforcing strong multifactor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. Passwordless sign-in methods (for example, Windows Hello, FIDO2 security keys, or Microsoft Authenticator), password expiration rules, and deactivating unused accounts can also help mitigate risk from this access method.
  • Randomize Local Administrator passwords with a tool like Local Administrator Password Solution (LAPS) to prevent lateral movement using local accounts with shared passwords.
  • Reduce the attack surface. Microsoft customers can turn on the following attack surface reduction rules to block or audit some observed activity associated with this threat:
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe).
    • Block process creations originating from PsExec and WMI commands. Some organizations may experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI.
  • Harden the LSASS process by enabling Protected Process Light (PPL) for LSASS on Windows 11 devices. New, enterprise-joined Windows 11 (22H2 update) installs have this feature enabled by default. In addition, enable Windows Defender Credential Guard, which is also turned on by default for organizations using the Enterprise edition of Windows 11, as well as Memory integrity (also referred to as hypervisor-protected code integrity or HVCI) for stronger protections on Windows.
  • Set the WDigest UseLogonCredential registry value via Group Policy Object to reduce the risk of successful LSASS process memory dumping.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors such as those exhibited by Flax Typhoon.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-compromise.
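As an added example that is not part of the article or of Microsoft's guidance, this PowerShell script applies the host-local items from the list above to one machine: it enables the Audit Registry subcategory and puts a SACL on the RDP listener key so that changes to it raise Security event 4657, re-enables NLA, turns on LSASS PPL and sets WDigest UseLogonCredential to 0, enables the two named ASR rules, and turns on cloud-delivered protection. Items that need infrastructure rather than a local setting (MFA, LAPS, Credential Guard and HVCI policy, EDR in block mode) are configured through Group Policy, Intune or the Defender portal and are not covered. The ASR rule GUIDs are Microsoft's published identifiers as I know them; verify them against the current ASR rule reference before rollout. Run in an elevated session; the PPL change takes effect after a reboot.

```powershell
# Added example (not the article's or Microsoft's own script): host-local
# hardening for the mitigations listed above. Run elevated.

# 1. Audit Registry: Security event 4657 is written when an audited key changes
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
# Events only fire for keys carrying a SACL, so audit the RDP listener key whose
# UserAuthentication value is edited to disable NLA
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$acl  = Get-Acl -Path $rdpKey -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList `
            'Everyone', 'SetValue, CreateSubKey, Delete', 'ContainerInherit', 'None', 'Success'
$acl.AddAuditRule($rule)
Set-Acl -Path $rdpKey -AclObject $acl
# Re-enable Network Level Authentication in case it has already been switched off
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# 2. LSASS hardening: run LSASS as a Protected Process Light, and stop WDigest
#    from keeping cleartext credentials in LSASS memory (UseLogonCredential = 0)
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name RunAsPPL -Value 1 -Type DWord
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
if (-not (Test-Path $wdigest)) { New-Item -Path $wdigest | Out-Null }
Set-ItemProperty -Path $wdigest -Name UseLogonCredential -Value 0 -Type DWord

# 3. Attack surface reduction rules named above. The LSASS rule goes straight to
#    block; the PsExec/WMI rule starts in audit mode because of the compatibility
#    caveat, and is switched to Enabled once the audit events look clean.
$asrLsass     = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # Block credential stealing from LSASS
$asrPsExecWmi = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'   # Block process creations from PsExec and WMI
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrLsass     -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrPsExecWmi -AttackSurfaceReductionRules_Actions AuditMode

# 4. Cloud-delivered protection for Microsoft Defender Antivirus
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples

# 5. Read the settings back so the run doubles as a compliance check
$mp = Get-MpPreference
[pscustomobject]@{
    NLA        = (Get-ItemProperty -Path $rdpKey  -Name UserAuthentication).UserAuthentication
    RunAsPPL   = (Get-ItemProperty -Path $lsa     -Name RunAsPPL).RunAsPPL
    WDigest    = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential).UseLogonCredential
    AsrRules   = ($mp.AttackSurfaceReductionRules_Ids -join ',')
    AsrActions = ($mp.AttackSurfaceReductionRules_Actions -join ',')
    CloudMaps  = $mp.MAPSReporting
}
```

The SACL is deliberately scoped to one key rather than the whole hive: auditing the entire registry produces far too many 4657 events to review, whereas auditing the handful of keys an attacker must touch (the RDP listener, the Lsa key, and the Image File Execution Options key are sensible additions) keeps the signal usable in a SIEM.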