Silk Typhoon

THREAT PROFILE: SILK TYPHOON

4/10/24 8:00 AM  |  by RedLegg's Cyber Threat Intelligence Team

THREAT TYPE(S):
State-Sponsored Threat

PLATFORMS AFFECTED:
Windows

ALIASES:
Exchange Marauder, HAFNIUM, Red Dev 13

RELATED THREATS:
China Chopper, Covenant, Godzilla, Impacket, Ligolo, MEGA, Nishang, PowerCat, Tarrask

FIRST SEEN:
2021

EXECUTIVE SUMMARY:

Silk Typhoon (aka Exchange Marauder, HAFNIUM, Red Dev 13) is a state-sponsored threat group attributed to the People's Republic of China (PRC). Silk Typhoon operators have primarily targeted US-based organizations such as defense contractors, infectious disease researchers, higher education institutions, and non-governmental organizations. Operators have been reported to gain initial access by exploiting public-facing applications such as Microsoft Exchange servers. Once initial access is gained, follow-on activity may be observed in which web shells and malware payloads such as China Chopper, Godzilla, and Tarrask are used to execute commands related to persistence, defense evasion, credential theft, discovery, and the exfiltration of data such as personal emails or any other information gathered during the discovery process. Silk Typhoon operators leverage open-source tools such as Covenant, Impacket, Ligolo, Nishang, and PowerCat, and exfiltrate data through public file sharing services such as MEGA.


TACTIC: INITIAL ACCESS – TA0001

Silk Typhoon operators have been observed exploiting vulnerabilities in public-facing applications such as self-hosted instances of Microsoft Exchange Server. When these vulnerabilities are exploited, the associated service processes may become unstable and spawn Windows Error Reporting processes.

OBSERVABLES TABLE

TYPE           CONTENT         NOTES
Vulnerability  CVE-2021-26855  Microsoft – Remote Code Execution Vulnerability
Vulnerability  CVE-2021-26857  Microsoft – Remote Code Execution Vulnerability
Vulnerability  CVE-2021-26858  Microsoft – Remote Code Execution Vulnerability
Vulnerability  CVE-2021-27065  Microsoft – Remote Code Execution Vulnerability


OBSERVABLES TABLE

TYPE            CONTENT                     NOTES
Parent Process  UMWorkerProcess.exe         Microsoft Exchange Server's Unified Messaging service
Child Process   WerFault.exe OR Wermgr.exe  Windows Error Reporting processes may be started by crashes caused by deserialization during exploitation


MITRE ATT&CK TECHNIQUES

TECHNIQUE                          ID
Exploit Public-Facing Application  T1190


DETECTION CAPABILITIES

DETECTOR ID  NAME
FUSE-0041    Potential Unified Messaging Exploitation Attempt
FUSE-0042    Potential Exchange Unified Messaging Service Exploitation
FUSE-0050    Exchange Exploitation Used by HAFNIUM


Prevention Opportunities:
Upgrade to the latest version of the vendor’s software.


TACTIC: EXECUTION – TA0002

Once a vulnerability in Microsoft Exchange has been successfully exploited, Silk Typhoon operators have been observed using web shells such as China Chopper to remotely execute follow-on commands. This can be observed when Windows native processes such as the Windows Command Processor (cmd.exe) are spawned by the IIS worker process (w3wp.exe).




TACTIC: PERSISTENCE – TA0003

Silk Typhoon delivers various web shells such as China Chopper and Godzilla. Web shells allow Silk Typhoon operators to establish and maintain persistence in a target environment while executing commands at their discretion. The deployed web shells are also used for separate functions, such as verifying the presence of specific endpoint security software, exfiltrating data, and executing arbitrary commands that change the compromised endpoint's file system.

Silk Typhoon operators deploy Tarrask to establish persistence on an endpoint by creating a new scheduled task that repeatedly executes binaries associated with Tarrask after the initial execution of the Tarrask process.


TACTIC: PRIVILEGE ESCALATION – TA0004

When Silk Typhoon operators deploy Tarrask, the malware uses token theft to elevate its security permissions to the same level as the Local Security Authority Subsystem Service (lsass.exe). This lets the operator evade detection by deleting the protected SD (Security Descriptor) registry value, which identifies the users permitted to execute the task.


TACTIC: DEFENSE EVASION – TA0005

Silk Typhoon operators leverage Tarrask, a malware used to evade detection through the creation and modification of scheduled tasks. Once Tarrask elevates its privileges and creates an associated scheduled task, it deletes the task's SD (Security Descriptor) value in the registry.
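One way to hunt for this kind of task hiding is to check every task node in the Task Scheduler's registry cache for the presence of its SD value. The following is an added example, not RedLegg's or Microsoft's tooling; it assumes the TaskCache\Tree key has been exported to a .reg text file with `reg export`, and the sample export it parses is constructed.

```python
r"""Hunt for scheduled tasks whose SD (Security Descriptor) value is missing, the
hiding technique this profile attributes to Tarrask. Added example, not RedLegg's
or Microsoft's tooling. It parses a text export of the Task Scheduler cache key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree (made on
a host with `reg export`), so the check runs offline; the export below is constructed."""

TREE_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"

def parse_reg_export(text):
    """Map each registry key path in a .reg export to the set of value names it defines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, set())
        elif current is not None and line.startswith('"'):
            # Value lines look like "Name"=...; hex continuation lines have no leading quote.
            keys[current].add(line[1:line.index('"', 1)])
    return keys

def hidden_tasks(text):
    """Return task paths (relative to Tree) that carry an Id value but no SD value."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(TREE_PREFIX.lower() + "\\"):
            continue  # not a task node under Tree
        if "Id" in values and "SD" not in values:
            findings.append(key[len(TREE_PREFIX) + 1:])
    return findings

# Constructed sample export: one normal task with an SD, one task whose SD was removed.
SAMPLE_EXPORT = rf"""Windows Registry Editor Version 5.00

[{TREE_PREFIX}\Microsoft\Windows\Defrag\ScheduledDefrag]
"Id"="{{11111111-2222-3333-4444-555555555555}}"
"Index"=dword:00000003
"SD"=hex:01,00,04,80,14,00,00,00,24,00,00,00,00,00,00,00,34,00,00,00,02,00,\
  1c,00,01,00,00,00

[{TREE_PREFIX}\Sample\HiddenTask]
"Id"="{{66666666-7777-8888-9999-000000000000}}"
"Index"=dword:00000003
"""

if __name__ == "__main__":
    for task in hidden_tasks(SAMPLE_EXPORT):
        print(f"[SUSPICIOUS] scheduled task without SD value: {task}")
```

Each hit should be investigated by its Id GUID, which names the task's full definition under the neighbouring TaskCache\Tasks key.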

Silk Typhoon operators use the native Windows attribute utility, attrib.exe, to modify the NTFS file attributes of web shell files, assigning the system, hidden, and read-only attributes.


TACTIC: CREDENTIAL ACCESS – TA0006

Silk Typhoon operators have been observed using China Chopper to execute procdump64.exe to dump LSASS process memory to disk.
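The process relationships and command lines called out in the Initial Access, Execution, Defense Evasion and Credential Access sections above can be expressed as a small triage rule set over process-creation telemetry. The following is an added example, not code from RedLegg or its FUSE detectors; the Sysmon-style events, PIDs and file paths are constructed here for illustration.

```python
"""Rule-based triage of process-creation events for the Exchange exploitation,
web shell, attrib.exe and procdump behaviours this profile describes. Added
example, not RedLegg's FUSE detector logic; the events below are constructed
inline to resemble Sysmon Event ID 1 records (PIDs and paths are illustrative)."""
import re

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Each rule: (description, predicate over an event dict), drawn from the profile's observables.
RULES = [
    ("UMWorkerProcess.exe crashed into Windows Error Reporting (possible deserialization exploit)",
     lambda e: _basename(e["parent"]) == "umworkerprocess.exe"
     and _basename(e["image"]) in {"werfault.exe", "wermgr.exe"}),
    ("IIS worker w3wp.exe spawned cmd.exe (web shell command execution)",
     lambda e: _basename(e["parent"]) == "w3wp.exe" and _basename(e["image"]) == "cmd.exe"),
    ("attrib.exe setting system, hidden and read-only attributes (web shell hiding)",
     lambda e: _basename(e["image"]) == "attrib.exe"
     and all(flag in e["cmdline"].lower() for flag in ("+s", "+h", "+r"))),
    ("procdump run against LSASS (credential dumping)",
     lambda e: _basename(e["image"]).startswith("procdump")
     and re.search(r"\blsass\b", e["cmdline"], re.I) is not None),
]

def classify(event):
    """Return the descriptions of every rule the event matches (empty list if none)."""
    return [desc for desc, matches in RULES if matches(event)]

def triage(events):
    """Return (pid, description) pairs for every matching event, in input order."""
    return [(e["pid"], d) for e in events for d in classify(e)]

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"pid": 4120, "parent": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe",
     "image": r"C:\Windows\System32\WerFault.exe", "cmdline": "WerFault.exe -u -p 4120 -s 1234"},
    {"pid": 5200, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"pid": 5210, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +s +h +r C:\inetpub\wwwroot\aspnet_client\sample.aspx"},
    {"pid": 5220, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\Temp\procdump64.exe",
     "cmdline": "procdump64.exe lsass.exe lsass.dmp"},
    {"pid": 6000, "parent": r"C:\Windows\explorer.exe",  # benign: user-launched shell
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    for pid, desc in triage(SAMPLE_EVENTS):
        print(f"[ALERT] pid={pid}: {desc}")
```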

Prevention Opportunities:
Enable the Attack Surface Reduction (ASR) rule "Block credential stealing from the Windows local security authority subsystem".


TACTIC: DISCOVERY – TA0007

Once Silk Typhoon operators have established persistence, various discovery commands are executed to learn more about the compromised environment. The hostname command is used to identify the name of the compromised host. The whoami command is executed to identify which user account runs the IIS worker process, w3wp.exe, which hosts the compromised instance of Microsoft Exchange Server on the endpoint. The nltest command is used to identify neighboring domain controllers. The tasklist command is used to identify the processes running on the compromised endpoint.


TACTIC: LATERAL MOVEMENT – TA0008

Silk Typhoon operators utilize Impacket and PsExec to move laterally throughout a target environment.

Prevention Opportunities:
Block the execution of PsExec within your environment.


TACTIC: COLLECTION – TA0009

Silk Typhoon operators utilize the Exchange PowerShell snap-in functionality to interact with Microsoft Exchange and export data stored in user mailboxes.

Silk Typhoon operators utilize the 7-Zip compression utility to compress stolen data prior to exfiltration.


TACTIC: COMMAND AND CONTROL – TA0011

Silk Typhoon operators utilize Covenant, a .NET command and control framework, to establish and maintain remote access.

Silk Typhoon operators utilize Tarrask to create scheduled tasks that execute Ligolo, a reverse tunneling tool, specifying the local endpoint as the relay server.

Silk Typhoon operators utilize Nishang to initiate command and control via the Invoke-PowerShellTcpOneLine reverse shell PowerShell script.

Silk Typhoon operators downloaded and executed PowerCat, a PowerShell implementation of netcat, to establish command and control with a remotely hosted server.


TACTIC: EXFILTRATION – TA0010

Silk Typhoon operators exfiltrated stolen data by uploading it to cloud hosting and file sharing services such as MEGA.

Prevention Opportunities:
Block network connections to cloud hosting providers, such as MEGA.


TACTIC: IMPACT – TA0040

Silk Typhoon operators removed administrator accounts from the "Exchange Organization administrators" domain group by issuing commands via China Chopper on compromised endpoints.
