Microsoft Threat Intelligence has observed a significant shift in the tactics of Silk Typhoon, a Chinese espionage group that is now targeting widely used IT solutions such as remote management tools and cloud applications to gain initial access. This well-resourced and technically capable actor has one of the broadest targeting footprints among Chinese cyber threats, exploiting vulnerabilities in edge devices and moving quickly from discovery to exploitation.
Since late 2024, Silk Typhoon has been seen abusing stolen API keys and credentials associated with privileged access management (PAM) solutions, cloud application providers, and cloud data management companies. This tactic lets the actor move from the initially compromised organization into the environments of its downstream customers. The group has also obtained initial access through successful password spray attacks and other password abuse techniques, including discovering leaked corporate passwords in public repositories.
Silk Typhoon targets a wide range of sectors and regions, including IT services, remote monitoring and management, managed service providers, healthcare, legal services, higher education, defense, government, NGOs, and energy, primarily in the United States but also worldwide.
The threat actor has demonstrated a strong understanding of cloud deployments and configurations, which allows it to move laterally, establish persistence, and exfiltrate data quickly within compromised environments.
Since 2020, Silk Typhoon has employed different web shells for executing commands, maintaining persistence, and extracting data.
More recently, the group has been observed using stolen API keys to reach the downstream customers of initially breached companies, performing reconnaissance and collecting data from targeted devices through admin accounts.
They have also been observed resetting default admin accounts, implanting web shells, creating new user accounts, and erasing logs of their activities.
Microsoft has informed affected or compromised customers, offering essential guidance for securing their systems.
The company recommends several investigative and mitigation steps: reviewing log activity related to Entra Connect servers, analyzing newly created applications, examining multi-tenant applications, and investigating any activity involving Microsoft Graph or eDiscovery, particularly where SharePoint or email data may have been exfiltrated.
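The review items above (newly created applications, credentials or consent added to them, new accounts, admin password resets) and the behaviours described earlier (resetting admin accounts, creating new user accounts) map naturally onto Entra ID audit-log activity names. The following triage script is an added example, not Microsoft's detection content or code from this article: it classifies constructed audit records against those review items and escalates an actor who creates an application and then, within a short window, adds credentials, grants consent, or creates a user, since that chain is what reuse of a stolen identity tends to produce. The activity strings follow the Entra audit log `activityDisplayName` naming convention; the records, the actor names, the 30-minute window and the severity levels are assumptions made for the example.

```python
"""Triage of Entra ID audit-log records against the advisory's review items.

Added example (not Microsoft's or the article's code). All records below are
constructed; the activity names follow Entra ID audit-log conventions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified shape (real records carry richer
# initiatedBy / targetResources structures; these are flattened for clarity).
SAMPLE_RECORDS = [
    {"activityDateTime": "2025-01-10T02:14:09Z", "activityDisplayName": "Add application",
     "initiatedBy": "svc-pam-sync@contoso.example", "target": "DataSyncHelper"},
    {"activityDateTime": "2025-01-10T02:15:41Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": "svc-pam-sync@contoso.example", "target": "DataSyncHelper"},
    {"activityDateTime": "2025-01-10T02:16:03Z", "activityDisplayName": "Consent to application",
     "initiatedBy": "svc-pam-sync@contoso.example", "target": "DataSyncHelper"},
    {"activityDateTime": "2025-01-10T02:20:55Z", "activityDisplayName": "Add user",
     "initiatedBy": "svc-pam-sync@contoso.example", "target": "j.doe2@contoso.example"},
    {"activityDateTime": "2025-01-11T09:30:00Z", "activityDisplayName": "Add application",
     "initiatedBy": "alice@contoso.example", "target": "ExpenseReportApp"},
    {"activityDateTime": "2025-01-12T14:05:12Z", "activityDisplayName": "Reset user password",
     "initiatedBy": "helpdesk@contoso.example", "target": "admin@contoso.example"},
]

# (substring of activityDisplayName, rule name, base severity). Severities are
# an assumption for this example; tune them to your environment.
RULES = [
    ("Add application", "new_application", "medium"),
    ("Add service principal", "new_application", "medium"),
    ("Certificates and secrets management", "app_credential_added", "high"),
    ("Consent to application", "app_consent_granted", "high"),
    ("Add user", "new_account_created", "medium"),
    ("Reset user password", "password_reset", "medium"),
]

CHAIN_WINDOW = timedelta(minutes=30)  # assumed window for the escalation rule


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def classify(record):
    """Return (rule, severity) for one audit record, or None if it is not of interest."""
    name = record["activityDisplayName"]
    for needle, rule, severity in RULES:
        if needle in name:
            return rule, severity
    return None


def triage(records):
    """Classify records, then escalate any finding by an actor that follows that
    actor's own 'Add application' within CHAIN_WINDOW. Returns findings in time order."""
    findings = []
    for rec in sorted(records, key=lambda r: r["activityDateTime"]):
        hit = classify(rec)
        if hit is None:
            continue
        rule, severity = hit
        findings.append({"time": rec["activityDateTime"], "actor": rec["initiatedBy"],
                         "target": rec["target"], "rule": rule, "severity": severity})

    by_actor = defaultdict(list)
    for finding in findings:
        by_actor[finding["actor"]].append(finding)

    for items in by_actor.values():
        app_times = [_parse_ts(f["time"]) for f in items if f["rule"] == "new_application"]
        for finding in items:
            if finding["rule"] == "new_application":
                continue
            when = _parse_ts(finding["time"])
            # Escalate when this action follows an application creation by the same actor.
            if any(timedelta(0) <= (when - start) <= CHAIN_WINDOW for start in app_times):
                finding["severity"] = "critical"
                finding["chained"] = True
    return findings


def critical_actors(records):
    """Actors with at least one chained (critical) finding, for analyst follow-up."""
    return sorted({f["actor"] for f in triage(records) if f["severity"] == "critical"})


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['time']} {f['severity']:8} {f['rule']:22} {f['actor']} -> {f['target']}")
    print("actors to investigate first:", critical_actors(SAMPLE_RECORDS))
```

In the constructed data, the service account creates an application and within minutes adds a credential, grants consent and creates a user, so all three follow-on actions are escalated, while the standalone application registration by another user and the help-desk password reset stay at their base severity for routine review. Against real data, feed exported audit records into `triage()` after flattening `initiatedBy` and `targetResources` into the fields used here.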
To counter these threats, Microsoft recommends that organizations keep all public-facing devices patched, implement strong controls and monitoring for identities, and protect against credential compromise by maintaining credential hygiene and applying the principle of least privilege.
Furthermore, organizations should adopt Conditional Access policies that align with Microsoft’s Zero Trust principles and enable risk-based user sign-in protection.
Silk Typhoon continues to adapt its tactics, so organizations need to stay vigilant and take proactive security measures to defend against this advanced threat actor targeting the IT supply chain.