The China-linked threat actor behind the exploitation of security flaws in Microsoft Exchange Servers in January 2021 has shifted its focus to the information technology (IT) supply chain as a means of obtaining initial access to corporate networks.
That is according to new findings from Microsoft's threat intelligence team, which said the Silk Typhoon (formerly Hafnium) hacking group is now targeting IT solutions such as remote management tools and cloud applications to gain a foothold.
"After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks, where they can then abuse a variety of deployed applications, including Microsoft services and others," the company noted in a report published today.
The adversarial collective is assessed to be "well-resourced and technically efficient," leveraging zero-day exploits against edge devices for opportunistic attacks that allow it to operate at scale across a wide range of sectors and regions.
These include IT services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and their affiliates, healthcare, higher education, government, and non-governmental organizations (NGOs).
Silk Typhoon has also been observed relying on various web shells to achieve command execution, persistence, and data exfiltration from victim environments. It is also said to have demonstrated a deep understanding of cloud infrastructure, which has further allowed it to move laterally and harvest data of interest.
Since at least late 2024, the attackers have been linked to a new set of methods, chief among them the abuse of stolen API keys and credentials associated with privileged access management (PAM), cloud application providers, and cloud data management companies in order to compromise their customers.
"Leveraging the access obtained via the API key, the actor performed reconnaissance and data collection on targeted devices via an admin account," Microsoft said, adding that the targets of this activity mostly covered state and local governments as well as the IT sector.
Some of the other initial access routes adopted by Silk Typhoon include the exploitation of CVE-2025-0282 and the use of password spray attacks using enterprise credentials that surfaced in password leaks on public repositories hosted on GitHub and elsewhere.
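Password spraying of the kind described above (a few leaked passwords tried against many accounts from one source) has a distinctive shape in sign-in telemetry: one source address failing against many distinct accounts in a short window, sometimes followed by a success. The following detector is an added example written for this article, not code from Microsoft or the report; the log format, the sample events, the ten-minute window and the five-account threshold are all assumptions.

```python
"""Password-spray detection over constructed sign-in records.

Added example, not from the article or Microsoft. The line format,
thresholds and sample data below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, one attempt per line.
# Assumed format: <ISO timestamp> <source IP> <account> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2025-03-05T08:00:01Z 203.0.113.10 alice@example.com FAILURE
2025-03-05T08:00:03Z 203.0.113.10 bob@example.com FAILURE
2025-03-05T08:00:05Z 203.0.113.10 carol@example.com FAILURE
2025-03-05T08:00:07Z 203.0.113.10 dave@example.com FAILURE
2025-03-05T08:00:09Z 203.0.113.10 erin@example.com FAILURE
2025-03-05T08:00:11Z 203.0.113.10 frank@example.com SUCCESS
2025-03-05T08:01:00Z 198.51.100.7 alice@example.com FAILURE
2025-03-05T08:01:30Z 198.51.100.7 alice@example.com FAILURE
2025-03-05T08:02:00Z 198.51.100.7 alice@example.com SUCCESS
2025-03-05T09:30:00Z 203.0.113.10 grace@example.com FAILURE
"""


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "account": account.lower(),
            "result": result,
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failed sign-ins hit >= min_accounts distinct
    accounts inside any sliding window of length `window`.

    Returns one finding per flagged IP with the number of accounts targeted
    and the accounts that later succeeded from that same IP (the ones an
    analyst should treat as compromised and reset first)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "FAILURE"]
        best = set()
        start = 0
        # Sliding window over the time-ordered failures for this IP.
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            accounts = {e["account"] for e in failures[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            successes = sorted({e["account"] for e in evs if e["result"] == "SUCCESS"})
            findings.append({
                "ip": ip,
                "accounts_targeted": len(best),
                "successes": successes,
            })
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_events(SAMPLE_LOG)):
        print(f"spray from {f['ip']}: {f['accounts_targeted']} accounts, "
              f"successful sign-ins for {f['successes'] or 'none'}")
```

The second source address in the sample (repeated failures against a single account, then a success) is deliberately not flagged: that pattern is a user mistyping a password, or brute force against one account, and needs a different rule. Thresholds should be tuned to the tenant; a large organisation will want a higher account count and a per-IP allowlist for known proxies.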
The threat actor has also exploited the following flaws as zero-days:
- CVE-2024-3400, a command injection flaw in Palo Alto Networks firewalls
- CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC)
- CVE-2021-26855 (aka ProxyLogon), CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, a set of vulnerabilities impacting Microsoft Exchange Server
Successful initial access is followed by the threat actor taking steps to move laterally from on-premises to cloud environments, as well as leveraging OAuth applications with administrative permissions to exfiltrate email, OneDrive, and SharePoint data via the Microsoft Graph API.
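An OAuth application that holds tenant-wide Graph permissions is, from the defender's side, an inventory problem: the scopes that allow mailbox and SharePoint exfiltration are few and well known, so every service principal carrying one of them should be reviewed, with recently created and unverified apps first. The audit below is an added example written for this article, not Microsoft's tooling; the Microsoft Graph permission names are real, but the record layout, the app names and the scoring weights are constructed assumptions.

```python
"""Audit of OAuth application permission grants for exfiltration-capable scopes.

Added example, not from the article or Microsoft. The record layout is a
simplified construction; the Graph permission names are real, the apps,
dates and scoring weights are made up for illustration.
"""
from datetime import datetime, timedelta

# Microsoft Graph application permissions that grant tenant-wide access to
# mail, OneDrive/SharePoint content, or the directory itself.
HIGH_RISK_SCOPES = {
    "Mail.Read": "read every mailbox",
    "Mail.ReadWrite": "read and modify every mailbox",
    "Files.Read.All": "read all OneDrive/SharePoint files",
    "Files.ReadWrite.All": "read and modify all OneDrive/SharePoint files",
    "Sites.Read.All": "read all SharePoint sites",
    "Sites.ReadWrite.All": "read and modify all SharePoint sites",
    "Directory.ReadWrite.All": "modify users, groups and app registrations",
}

# Constructed inventory of service principals (OAuth apps) in a tenant.
# Assumed fields: display name, publisher verification, creation date,
# and the application permissions that have been admin-consented.
SAMPLE_APPS = [
    {"app": "HR Payroll Connector", "publisher_verified": True,
     "created": "2023-06-01", "permissions": ["User.Read.All"]},
    {"app": "Backup Helper", "publisher_verified": False,
     "created": "2025-02-20",
     "permissions": ["Mail.Read", "Files.Read.All", "Sites.Read.All"]},
    {"app": "Ticketing Bot", "publisher_verified": True,
     "created": "2022-11-15", "permissions": ["Mail.ReadWrite"]},
]


def audit_oauth_apps(apps, now, recent_days=90):
    """Return apps holding high-risk scopes, ordered by a simple risk score.

    Score = number of high-risk scopes, +2 if the app was created within
    `recent_days` (new consent grants are what a post-compromise review
    cares about), +2 if the publisher is unverified."""
    findings = []
    for app in apps:
        risky = sorted(set(app["permissions"]) & set(HIGH_RISK_SCOPES))
        if not risky:
            continue
        created = datetime.strptime(app["created"], "%Y-%m-%d")
        recent = (now - created) <= timedelta(days=recent_days)
        score = len(risky)
        if recent:
            score += 2
        if not app["publisher_verified"]:
            score += 2
        findings.append({
            "app": app["app"],
            "score": score,
            "recent": recent,
            "scopes": risky,
            "impact": [HIGH_RISK_SCOPES[s] for s in risky],
        })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    review_date = datetime(2025, 3, 5)
    for f in audit_oauth_apps(SAMPLE_APPS, review_date):
        flag = " (NEW)" if f["recent"] else ""
        print(f"[{f['score']}] {f['app']}{flag}: {', '.join(f['scopes'])}")
        for line in f["impact"]:
            print(f"      can {line}")
```

In a real tenant the input would come from the service principal and app role assignment listings rather than a hand-built list, and the review should be paired with a check of the sign-in and audit logs for unexpected Graph calls made under each flagged app's identity, since the permissions show what an app could take, not what it did.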
In an effort to obscure the origins of their malicious activities, Silk Typhoon relies on a "CovertNetwork" comprising compromised Cyberoam, Zyxel, and QNAP devices, a hallmark of several Chinese state-sponsored actors.
"Across recent activities and historical exploitation of these appliances, Silk Typhoon utilized a variety of web shells to maintain persistence and to allow the actors to remotely access victim environments," Microsoft said.