THREAT TYPE(S):
State-Sponsored Threat
PLATFORMS EFFECTED:
Windows
ALIASES:
Exchange Marauder, HAFNIUM, Red Dev 13
RELATED THREATS:
China Chopper, Covenant, Godzilla, Impacket, Ligolo, MEGA, Nishang, PowerCat, Tarrask
FIRST SEEN:
2021
EXECUTIVE SUMMARY:
Silk Typhoon (aka Exchange Marauder, HAFNIUM, Red Dev 13) is a state-sponsored threat group attributed with the Peoples Republic of China (PRC). Silk Typhoon operators have primarily targeted US-based organizations such as defense contractors, infectious disease researchers, higher education institutions, and non-governmental organizations. Silk Typhoon operators have been reported to use techniques such as exploiting public facing applications such as Microsoft Exchange servers to infiltrate a target environment. Once initial access is gained, follow-on activity may be observed where web shells and malware payloads such as China Chopper, Godzilla, and Tarrask are used to execute commands related to persistence, defense evasion, credential theft, discovery, and the exfiltration of data such as personal emails or any other information gathered during the discovery process. Silk Typhoon operators leverage open-source tools such as Covenant, Impacket, Ligolo, Nishang, and Powercat. Silk Typhoon operators leverage public file sharing services via MEGA for exfiltration.
TACTIC: INITIAL ACCESS – TA0001
Silk Typhoon operators have been observed exploiting vulnerabilities in public facing applications such as self-hosted instances of Microsoft Exchange Server. When these vulnerabilities are exploited, associated service processes may become unstable and spawn processes associated with Windows Error Reporting.
OBSERVABLES TABLE
| TYPE | CONTENT | NOTES |
| Vulnerability | CVE-2021-26855 | Microsoft – Remote Code Execution Vulnerability |
| Vulnerability | CVE-2021-26857 | Microsoft – Remote Code Execution Vulnerability |
| Vulnerability | CVE-2021-26858 | Microsoft – Remote Code Execution Vulnerability |
| Vulnerability | CVE-2021-27065 | Microsoft – Remote Code Execution Vulnerability |
OBSERVABLES TABLE
| TYPE | CONTENT | NOTES |
| Parent Process | UMWorkerProcess.exe | Microsoft Exchange Server’s Unified Messaging service |
| Child Process | WerFault.exe OR Wermgr.exe | Windows Error Reporting processes may be initiated due to crashes from deserialization as a result of exploitation |
MITRE ATT&K TECHHNIQUES
| TECHNIQUE | ID |
| Exploit Public Facing Application | T1190 |
DETECTION CAPABILITIES
| DETECTOR ID | NAME |
| FUSE-0041 | Potential Unified Messaging Exploitation Attempt |
| FUSE-0042 | Potential Exchange Unified Messaging Service Exploitation |
| FUSE-0050 | Exchange Exploitation Used by HAFNIUM |
Prevention Opportunities:
Upgrade to the latest version of the vendor’s software.
TACTIC: EXECUTION – TA0002
Once a vulnerability in Microsoft Exchange has been successfully exploited, Silk Typhoon operators have been observed utilizing web shells such as China Chopper to remotely execute follow-on commands. This can be observed when Microsoft Windows native processes such as the Windows Command Processor, cmd.exe is spawned by the IIS Worker Process, w3wp.exe.
For additional information on Observables, Mitre Att&ck Techniques, & Detection Capabilities - Download the Full Report
TACTIC: PERSISTENCE – TA0003
Silk Typhoon delivers various web shells such as China Chopper and Godzilla. Web shells allow Silk Typhoon operators to establish and maintain persistence in a target environment, while being able to execute commands at their discretion. The web shells that are deployed are also used to perform separate functions, such as verifying the presence of specific endpoint security software, exfiltration of data, and execution of arbitrary commands used to make changes in the compromised endpoints file system.
Silk Typhoon operators deploy Tarrask to establish persistence on an endpoint by creating a new scheduled task that repeats the execution of binaries associated with Tarrask after the initial execution of the Tarrask process.
TACTIC: PRIVILEGE ESCALATION – TA0004
When Silk Typhoon operators deploy Tarrask malware, Tarrask will elevate its permissions by utilizing token theft to elevate its security permissions to the same level as the Local Security Authority Subsystem Service, lsass.exe. This grants the operator the ability to evade detection by enabling them to delete the protected SD (Security Descriptor) registry value, which is used to identify users that are permitted to execute the task.
TACTIC: DEFENSE EVASION – TA0005
Silk Typhoon operators leverage Tarrask, a malware used to evade detection via the creation and modification of scheduled tasks. Once Tarrask elevates its privileges and creates an associated scheduled task, it deletes the associated SD (Security Descriptor) value located in registry.
Silk Typhoon operators utilize the native Microsoft Windows Attribute Utility attrib.exe to modify the NTFS file attributes for web shell files, assigning System level attributes, hidden file attributes, and read-only file attributes.
TACTIC: CREDENTIAL ACCESS – TA0006
Silk Typhoon operators have been observed using China Chopper to execute procdump64.exe to dump LSASS processes from memory onto disk.
Prevention Opportunities:
Enable the Attack Surface Reduction (ASR) rule “Block credential stealing from the Windows local security authority subsystem".
TACTIC: DISCOVERY – TA0007
Once Silk Typhoon operators have established persistence, various discovery commands are executed to identify more information about the compromised environment. The hostname command is used to identify the name of the host they have compromised. The whoami command is executed to identify which user is responsible for executing the IIS worker process, w3wp.exe, responsible for hosting the compromised instance of Microsoft Exchange Server on the endpoint. The nltest command is used to identify neighboring domain controllers. The tasklist command is used to identify any running processes on the compromised endpoint.
TACTIC: LATERAL MOVEMENT – TA0008
Silk Typhoon operators utilized Impacket and PsExec to laterally move throughout a target environment.
Prevention Opportunities:
Block the execution of PsExec within your environment.
TACTIC: COLLECTION – TA0009
Silk Typhoon operators utilize the PowerShell SnapIn functionality to interact with Microsoft Exchange and export data stored in user mailboxes.
Silk Typhoon operators utilize the 7zip compression utility to compress stolen data prior to exfiltration.
TACTIC: COMMAND AND CONTROL – TA0011
Silk Typhoon operators utilize Covenant, a .NET command and control framework, to establish and maintain remote access.
Silk Typhoon operators utilize Tarrask to create scheduled tasks that execute Ligolo, a reverse tunneling tool, specifying the local endpoint as the relay server.
Silk Typhoon operators utilize Nishang to initiate command and control via the Invoke-PowerShellTcpOneLine reverse shell PowerShell script.
Silk Typhoon operators downloaded and executed PowerCat, a PowerShell implementation of netcat, to establish command and control with a remotely hosted server.
TACTIC: EXFILTRATION– TA0010
Silk Typhoon operators exfiltrated stolen data by uploading it to cloud hosting and file sharing services such as MEGA.
Prevention Opportunities:
Block network connections to cloud hosting providers, such as MEGA.
TACTIC: IMPACT– TA0040
Silk Typhoon operators removed administrator accounts from the “Exchange Organization administrators” domain group by issuing commands via China Chopper on compromised endpoints.
