China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
Summary:
The China-linked threat actor Silk Typhoon (formerly Hafnium), known for exploiting zero-day vulnerabilities in Microsoft Exchange servers in January 2021, has evolved its tactics to focus on the IT supply chain as a means of gaining initial access to corporate networks. According to a recent report from the Microsoft Threat Intelligence team, the group now actively targets remote management tools, cloud applications, and IT service providers, leveraging these platforms to establish footholds in victim environments. By compromising these solutions, Silk Typhoon can infiltrate downstream customer networks, gaining access to sensitive systems and data.
Silk Typhoon has been observed using stolen credentials and API keys to move laterally across networks and execute supply chain attacks. The group is particularly focused on privileged access management credentials and API keys from cloud service providers and cloud data management firms, which enable them to conduct extensive reconnaissance and data collection on targeted infrastructure. Their attacks primarily impact sectors such as IT services, managed service providers, remote monitoring and management firms, healthcare, legal services, higher education, defense, government, non-governmental organizations, and the energy sector, both in the United States and internationally.
Security Officer Comments:
Since late 2024, Silk Typhoon has demonstrated an advanced understanding of cloud environments, exploiting zero-day vulnerabilities and using password spray attacks to gain initial access. The group has been linked to high-profile exploits, including CVE-2025-0282 (Ivanti Pulse Connect VPN), CVE-2024-3400 (Palo Alto Networks firewall), CVE-2023-3519 (Citrix NetScaler ADC and NetScaler Gateway), and the ProxyLogon vulnerabilities in Microsoft Exchange Server. Once inside a compromised environment, the threat actor moves laterally from on-premises systems to cloud platforms, abusing OAuth applications with administrative permissions to extract data from email, OneDrive, and SharePoint via the MSGraph API.
To evade detection, Silk Typhoon relies on a "CovertNetwork" infrastructure, composed of compromised Cyberoam appliances, Zyxel routers, and QNAP devices, a technique frequently associated with Chinese state-sponsored cyber operations. The group also deploys web shells within victim environments to maintain persistence, execute commands, and exfiltrate data. Microsoft warns that Silk Typhoon’s growing focus on cloud infrastructure and IT supply chains, coupled with its ability to rapidly exploit zero-day vulnerabilities, makes it a highly adaptable and resourceful threat actor with global implications.
Suggested Corrections:
To help detect and mitigate Silk Typhoon’s activity, Microsoft recommends the following:
- Ensure all public-facing devices are patched. Note that patching a vulnerable device does not remediate any post-compromise activity by a threat actor who already gained privileged access to it.
- Validate that any Ivanti Pulse Connect VPN appliances are patched against CVE-2025-0282 and run the Integrity Checker Tool as suggested in Ivanti’s advisory. Consider terminating any active or persistent sessions following patch cycles.
- Defend against legitimate application and service principal abuse by establishing strong controls and monitoring for these security identities. Microsoft recommends the following mitigations to reduce the impact of this threat:
  - Audit the current privilege level of all identities, users, service principals, and Microsoft Graph Data Connect applications (use the Microsoft Graph Data Connect authorization portal) to understand which identities are highly privileged. Scrutinize privileges more closely if they belong to an unknown identity, belong to identities that are no longer in use, or are not fit for purpose. Admins may assign identities privileges over and above what is required. Defenders should pay particular attention to apps with app-only permissions, as those apps might have over-privileged access. Read additional guidance for investigating compromised and malicious applications.
  - Identify abused OAuth apps using anomaly detection policies. Detect abused OAuth apps that perform sensitive Exchange Online administrative activities through App governance. Investigate and remediate any risky OAuth apps.
  - Review any applications that hold the EWS.AccessAsUser.All and EWS.full_access_as_app permissions and determine whether they are still required in the tenant. If they are no longer required, remove them.
  - If applications must access mailboxes, granular and scalable access can be implemented using role-based access control for applications in Exchange Online. This access model ensures applications are granted access only to the specific mailboxes they require.
  - Monitor for service principal sign-ins from unusual locations. Two reports can provide useful daily activity monitoring:
    - The risky sign-ins report surfaces attempted and successful user access activities where the legitimate owner might not have performed the sign-in.
    - The risky users report surfaces user accounts that might have been compromised, such as a leaked credential that was detected or the user signing in from an unexpected location in the absence of planned travel.
- Defend against credential compromise by building credential hygiene, practicing the principle of least privilege, and reducing credential exposure. Microsoft recommends the following mitigations to reduce the impact of this threat:
  - Implement the Azure Security Benchmark and general best practices for securing identity infrastructure, including:
    - Prevent on-premises service accounts from having direct rights to cloud resources, to block lateral movement into the cloud.
    - Ensure that “break glass” account passwords are stored offline and configure honey-token activity for account usage.
    - Implement Conditional Access policies enforcing Microsoft’s Zero Trust principles.
    - Enable risk-based user sign-in protection and automate threat response to block high-risk sign-ins from all locations and require multifactor authentication (MFA) for medium-risk ones.
    - Ensure that VPN access is protected using modern authentication methods.
  - Identify all multi-tenant applications, assess their permissions, and investigate suspicious sign-ins.
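The review of applications holding EWS.AccessAsUser.All and EWS.full_access_as_app above is easy to get wrong because Microsoft Graph reports the two permission types differently: delegated grants carry a readable scope string, while application grants carry only an appRoleId GUID that has to be resolved against the Exchange Online resource's appRoles list. The script below is an added example written for this bulletin, not code from the Microsoft report. It assumes objects in the shape returned by the Graph endpoints /servicePrincipals, /oauth2PermissionGrants and /servicePrincipals/{id}/appRoleAssignments; the tenant data embedded in it is constructed, and every id other than the well-known Exchange Online appId is a placeholder.

```python
"""Audit Entra ID OAuth apps that hold Exchange Web Services (EWS) permissions.

Added example for this bulletin, not code from the Microsoft report. Works on
objects in the shape returned by the Microsoft Graph endpoints
/servicePrincipals, /oauth2PermissionGrants and
/servicePrincipals/{id}/appRoleAssignments. The tenant data below is
constructed; every id other than the well-known Exchange Online appId is a
placeholder.
"""
from collections import defaultdict

# Well-known appId of the "Office 365 Exchange Online" resource application.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
# Delegated scope and application role named in the bulletin. The Graph appRole
# value is "full_access_as_app"; the bulletin's "EWS.full_access_as_app" spelling
# is accepted as well.
WATCHED_DELEGATED_SCOPES = {"EWS.AccessAsUser.All"}
WATCHED_APP_ROLES = {"full_access_as_app", "EWS.full_access_as_app"}

# --- constructed sample export (placeholder ids) ---
SERVICE_PRINCIPALS = [
    {"id": "sp-exo", "appId": EXCHANGE_ONLINE_APP_ID,
     "displayName": "Office 365 Exchange Online",
     "appRoles": [
         {"id": "role-full", "value": "full_access_as_app"},
         {"id": "role-mail", "value": "Mail.Read"},
     ]},
    {"id": "sp-backup", "appId": "placeholder-1", "displayName": "Legacy Mailbox Backup", "appRoles": []},
    {"id": "sp-cal", "appId": "placeholder-2", "displayName": "Calendar Sync Add-in", "appRoles": []},
    {"id": "sp-old", "appId": "placeholder-3", "displayName": "Old Migration Tool", "appRoles": []},
]
OAUTH2_PERMISSION_GRANTS = [  # delegated permissions (act as the signed-in user)
    {"clientId": "sp-cal", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-exo", "scope": "Calendars.Read EWS.AccessAsUser.All"},
    {"clientId": "sp-old", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "sp-exo", "scope": "Mail.Read"},
]
APP_ROLE_ASSIGNMENTS = [  # application permissions (app-only, no user present)
    {"principalId": "sp-backup", "principalDisplayName": "Legacy Mailbox Backup",
     "resourceId": "sp-exo", "appRoleId": "role-full"},
    {"principalId": "sp-old", "principalDisplayName": "Old Migration Tool",
     "resourceId": "sp-exo", "appRoleId": "role-mail"},
]


def find_ews_holders(service_principals, oauth2_grants, app_role_assignments):
    """Return {client display name: [findings]} for clients holding a watched EWS permission."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    exo = next((sp for sp in service_principals if sp["appId"] == EXCHANGE_ONLINE_APP_ID), None)
    if exo is None:  # no Exchange Online resource in this tenant export
        return {}
    # appRoleAssignments carry only the role GUID; resolve it against the resource's appRoles.
    role_value_by_id = {r["id"]: r["value"] for r in exo["appRoles"]}
    findings = defaultdict(list)

    for g in oauth2_grants:
        if g["resourceId"] != exo["id"]:
            continue
        hits = sorted(set(g["scope"].split()) & WATCHED_DELEGATED_SCOPES)
        if hits:
            # AllPrincipals = tenant-wide admin consent; Principal = a single user's consent.
            who = "all users" if g["consentType"] == "AllPrincipals" else f"user {g['principalId']}"
            name = sp_by_id.get(g["clientId"], {}).get("displayName", g["clientId"])
            findings[name].append(f"delegated {' '.join(hits)} consented for {who}")

    for a in app_role_assignments:
        if a["resourceId"] != exo["id"]:
            continue
        value = role_value_by_id.get(a["appRoleId"], a["appRoleId"])
        if value in WATCHED_APP_ROLES:
            name = sp_by_id.get(a["principalId"], {}).get("displayName", a["principalDisplayName"])
            findings[name].append(f"application {value} (app-only access to every mailbox)")

    return {name: sorted(items) for name, items in findings.items()}


if __name__ == "__main__":
    report = find_ews_holders(SERVICE_PRINCIPALS, OAUTH2_PERMISSION_GRANTS, APP_ROLE_ASSIGNMENTS)
    for app, items in sorted(report.items()):
        for item in items:
            print(f"REVIEW  {app}: {item}")
```

On the constructed data the report lists the calendar add-in (tenant-wide delegated EWS.AccessAsUser.All) and the backup app (app-only full_access_as_app), while the migration tool with only Mail.Read is left alone. App-only findings deserve the closer look the bulletin asks for, since that access works without any signed-in user and is exactly what the RBAC-for-applications model in Exchange Online is meant to narrow.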
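For the recommendation to monitor service principal sign-ins from unusual locations, the portal reports named above cover users; service principals need their own baseline. The script below is an added example written for this bulletin, not Microsoft's detection logic. It assumes records in the shape of Microsoft Graph /auditLogs/signIns entries (servicePrincipalName, ipAddress, createdDateTime, location.countryOrRegion, status.errorCode), learns which countries each service principal successfully signed in from during a baseline window, and flags later sign-ins from countries outside that set or from principals with no baseline at all. The sign-in records embedded in it are constructed and use documentation-range IP addresses.

```python
"""Flag service principal sign-ins from countries outside a learned baseline.

Added example for this bulletin, not Microsoft's detection logic. Records follow
the shape of Microsoft Graph /auditLogs/signIns entries; the sign-ins below are
constructed, with documentation-range IPs.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Sign-ins before this instant train the baseline; sign-ins at/after it are evaluated.
BASELINE_CUTOFF = datetime(2025, 3, 1, tzinfo=timezone.utc)

SIGN_INS = [  # constructed sample records
    # ordinary activity from the backup app's usual country
    {"servicePrincipalName": "Legacy Mailbox Backup", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-02-15T02:00:00Z", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    {"servicePrincipalName": "Legacy Mailbox Backup", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-02-22T02:00:00Z", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    # a failed attempt (non-zero errorCode) must not teach the baseline a new country
    {"servicePrincipalName": "Legacy Mailbox Backup", "ipAddress": "198.51.100.7",
     "createdDateTime": "2025-02-23T02:00:00Z", "location": {"countryOrRegion": "BR"},
     "status": {"errorCode": 7000215}},
    # evaluation window
    {"servicePrincipalName": "Legacy Mailbox Backup", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-03-02T02:00:00Z", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    {"servicePrincipalName": "Legacy Mailbox Backup", "ipAddress": "192.0.2.44",
     "createdDateTime": "2025-03-03T11:15:00Z", "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 0}},
    {"servicePrincipalName": "Calendar Sync Add-in", "ipAddress": "192.0.2.45",
     "createdDateTime": "2025-03-03T11:20:00Z", "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 0}},
]


def _ts(record):
    """Parse the Graph ISO-8601 timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def baseline_countries(sign_ins, cutoff):
    """Countries each service principal successfully signed in from before `cutoff`."""
    seen = defaultdict(set)
    for r in sign_ins:
        if _ts(r) < cutoff and r["status"]["errorCode"] == 0:
            seen[r["servicePrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen


def unusual_sign_ins(sign_ins, cutoff):
    """Return (name, country, ip, reason) for sign-ins at/after `cutoff` that break the baseline."""
    seen = baseline_countries(sign_ins, cutoff)
    alerts = []
    for r in sorted(sign_ins, key=_ts):
        if _ts(r) < cutoff:
            continue
        name, country = r["servicePrincipalName"], r["location"]["countryOrRegion"]
        if name not in seen:
            reason = "no successful sign-in in baseline window"
        elif country not in seen[name]:
            reason = f"new country; baseline={sorted(seen[name])}"
        else:
            continue  # matches what this principal normally does
        alerts.append((name, country, r["ipAddress"], reason))
    return alerts


if __name__ == "__main__":
    for name, country, ip, reason in unusual_sign_ins(SIGN_INS, BASELINE_CUTOFF):
        print(f"ALERT  {name} from {country} ({ip}): {reason}")
```

On the constructed data the backup app's sign-in from NL is flagged against a baseline of US only (the failed attempt from BR never entered the baseline), and the add-in is flagged because it has no successful baseline sign-in at all. A country-level baseline is deliberately coarse: a hit is a lead to triage alongside the app governance and risky sign-in reports the bulletin lists, and a principal that legitimately runs from new regions will need its baseline refreshed.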
https://thehackernews.com/2025/03/china-linked-silk-typhoon-expands-cyber.html