Flax Typhoon targeting Taiwan, Ransomware Emphasizing Linux-Centric Payloads


Flax Typhoon: Microsoft Uncovers Espionage Tactics Targeting Taiwan

Microsoft has detected malicious activities primarily targeting Taiwanese organizations by a nation-state actor named Flax Typhoon, which is believed to be based in China.[1] The actor’s tactics suggest intentions of espionage and long-term access to various industries. Despite extensive activities, Flax Typhoon does not seem to have a clear end-goal in this campaign, as Microsoft did not observe data-collection or exfiltration objectives. 

Active since mid-2021, Flax Typhoon has targeted government, education, manufacturing, and IT sectors in Taiwan, with some victims in Southeast Asia, North America, and Africa. The actor’s focus is on persistence, lateral movement, and credential access. Flax Typhoon employs living-off-the-land techniques, using tools such as the China Chopper web shell, Metasploit, Juicy Potato, Mimikatz, and the SoftEther VPN client. The actor gains initial access by exploiting vulnerabilities in public-facing servers. It uses tools like Juicy Potato to establish persistence via Remote Desktop Protocol (RDP), and SoftEther VPN to set up command and control. Once established, Flax Typhoon accesses credentials using tools like Mimikatz to target LSASS process memory and the SAM registry hive.

The techniques deployed by Flax Typhoon can easily be reused in targeted attacks. Defenders should hunt for signs of compromise shared by Microsoft and adhere to basic security hygiene including but not limited to vulnerability and patch management, hardening on public-facing servers, and enforcing strong multifactor authentication (MFA) policies. 
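The hunting advice above can be turned into concrete checks against endpoint telemetry. The following is an added example, not code from EclecticIQ or Microsoft: it runs a few heuristics over constructed, Sysmon-style process events (sample records built inline, not real telemetry) and flags the behaviours the summary names, namely a non-allow-listed process reading LSASS memory, a `reg save` of the SAM hive, execution of a SoftEther VPN binary, and RDP being enabled through the registry. The field names follow Sysmon's ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) schema; the allow-list, the SoftEther file-name patterns and the access-mask bits checked are assumptions to tune for your own environment.

```python
"""Hunting heuristics for the Flax Typhoon tradecraft described above.

Added example (not EclecticIQ's or Microsoft's code). Events are
constructed dictionaries using Sysmon field names; the allow-list and
binary-name patterns below are assumptions, not published indicators.
"""
import re
from collections import Counter

# Access-mask bits that allow reading another process's memory; LSASS
# credential dumping needs at least these (assumed threshold for alerting).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Assumed allow-list of images that legitimately open lsass.exe.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\msmpeng.exe",
}

# reg.exe saving the SAM hive to disk (SAM registry hive access).
SAM_DUMP_RE = re.compile(r"\breg(\.exe)?\s+save\s+.*\\sam\b", re.IGNORECASE)
# Assumed SoftEther VPN client name patterns; adjust to your inventory.
SOFTETHER_RE = re.compile(r"softether|vpnclient|vpncmd", re.IGNORECASE)
# Clearing fDenyTSConnections enables RDP (living-off-the-land persistence).
RDP_ENABLE_RE = re.compile(r"fDenyTSConnections.*\b0\b", re.IGNORECASE)


def classify_event(ev):
    """Return the list of hunting tags a single Sysmon event triggers."""
    tags = []
    eid = ev.get("EventID")
    if eid == 10:  # Sysmon ProcessAccess
        source = ev.get("SourceImage", "").lower()
        target = ev.get("TargetImage", "").lower()
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if (target.endswith(r"\lsass.exe")
                and source not in LSASS_ALLOWLIST
                and granted & (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION)):
            tags.append("lsass_memory_access")
    elif eid == 1:  # Sysmon ProcessCreate
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        if SAM_DUMP_RE.search(cmd):
            tags.append("sam_hive_dump")
        if SOFTETHER_RE.search(image) or SOFTETHER_RE.search(cmd):
            tags.append("softether_vpn")
        if RDP_ENABLE_RE.search(cmd):
            tags.append("rdp_enabled_via_registry")
    return tags


def hunt(events):
    """Run classify_event over all events; return (tag counts, flagged events)."""
    hits = Counter()
    flagged = []
    for ev in events:
        tags = classify_event(ev)
        hits.update(tags)
        if tags:
            flagged.append((ev.get("UtcTime"), ev.get("Image") or ev.get("SourceImage"), tags))
    return hits, flagged


# Constructed sample telemetry (not real events). The first record is benign:
# csrss.exe is allow-listed even though it opens lsass.exe with full access.
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2023-08-24 01:02:03",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "UtcTime": "2023-08-24 01:05:10",
     "SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "UtcTime": "2023-08-24 01:06:44",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"EventID": 1, "UtcTime": "2023-08-24 01:09:12",
     "Image": r"C:\ProgramData\SoftEther VPN Client\vpnclient.exe",
     "CommandLine": r'"C:\ProgramData\SoftEther VPN Client\vpnclient.exe" /start'},
    {"EventID": 1, "UtcTime": "2023-08-24 01:11:30",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                    r"/v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"EventID": 1, "UtcTime": "2023-08-24 01:12:00",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]

if __name__ == "__main__":
    counts, flagged = hunt(SAMPLE_EVENTS)
    for tag, n in sorted(counts.items()):
        print(f"{tag}: {n}")
    for when, image, tags in flagged:
        print(when, image, ", ".join(tags))
```

Each heuristic on its own is noisy on a real estate (administrators do save hives and enable RDP), so the value is in correlating several tags on one host in a short window, which is the pattern the summary describes: credential access, RDP persistence and a VPN tunnel appearing together after an exploited public-facing server.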

*** This is a Security Bloggers Network syndicated blog from EclecticIQ Blog authored by Jörg Abraham. Read the original post at: https://blog.eclecticiq.com/flax-typhoon-targeting-taiwan-ransomware-emphasizing-linux-centric-payloads
