Blog

The Camouflage Killer: How the Flax Typhoon Hack Weaponized Legitimate Software

Sep 08, 2023

blog cover-How Flax Typhoon Hack Weaponized Legitimate Software

Background

On August 24, 2023, Microsoft’s Threat Intelligence Report identified a state-sponsored activity group named “Flax Typhoon”. With their operational base located in China, they direct their espionage efforts towards numerous Taiwanese organizations in sectors such as government, education, manufacturing, and IT companies. Their operations date back to at least the middle of 2021. Beyond Taiwan, traces of their activities have been observed in Southeast Asia, North America, and Africa.

What stands out about Flax Typhoon is their minimal reliance on malicious software. Their modus operandi largely depends on using legitimate tools built into operating systems and other typically benign software. This allows them to discreetly lurk within the networks of victim organizations. To gain initial access, Flax Typhoon exploits known vulnerabilities and deploys Web shells. They then use command-line tools and VPN connections for persistent access, with a clear emphasis on persistence, lateral movement across networks, and credentials access.  Among the various tools and techniques Flax Typhoon utilizes are the China Chopper Web shell, Metasploit, the Juicy Potato privilege escalation tool, Mimikatz, and the SoftEther VPN client. Microsoft has proactively notified affected clients and provided protective measures in hopes of preventing significant damages.

The purpose of this article is to flesh out the techniques used by this threat actor and to share mitigation steps and best practices. Employing advanced security monitoring tools, such as Stellar, is highly recommended to detect and counter such stealthy attacks.

 

A Closer Look at Flax Typhoon’s Hacking Techniques

The Microsoft Threat Report has extensively discussed the tools used and the specifics. Hence, in this blog, we’ll pivot our focus to the process and its unique characteristics. Drawing upon the threat intelligence from Microsoft and aligning with the MITRE ATT&CK framework, our goal is to help readers swiftly grasp how the attackers operate and the techniques they employ. This is intended to spur enterprises to consider the precise measures they might adopt for defense.

 

Initial Access – TA0001

Flax Typhoon capitalizes on known vulnerabilities within Public-Facing Applications [T1190]. These services could range from VPNs and Web applications to Java and SQL applications. Upon identifying a vulnerability, they deploy a Web shell [T1505.003], such as the China Chopper, which enables them to remotely execute code on the server.

 

Privilege Escalation – TA0004

In instances where the access obtained through the Web shell isn’t of an administrative level, Flax Typhoon will attempt to escalate privileges. They download and execute specific malicious software capable of exploiting known vulnerabilities to attain higher-level permissions on the local system [T1068, T1546.015]. Tools within their malicious software repertoire may include Juicy Potato, BadPotato, and other open-source utilities. As depicted in Table 1, both Juicy Potato and BadPotato can be likened to two different brands with functionally equivalent “master keys”. While Juicy Potato achieves elevated permissions by mimicking legitimate COM objects within Windows, BadPotato tricks the “guard” (NTLM authentication) to achieve similar ends.

Table 1. Attack on User Privileges

Tool

Description

Principle

Juicy Potato

A common Windows local privilege escalation tool, used for hijacking Windows services and processes. Being open source, it can easily be found online. This tool is often employed in backdoor attacks or other assaults that require elevated user privileges.

Its primary function is to hijack Windows' COM (Component Object Model) objects. In simple terms, COM objects are mechanisms within Windows used for communication between different applications and services. Juicy Potato impersonates a legitimate COM object to gain higher execution privileges.

BadPotato

A tool used for local privilege escalation in Windows, serving a purpose similar to Juicy Potato. It's also open source and is typically utilized in sophisticated attack patterns.

It exploits vulnerabilities present in the Windows NTLM authentication process. NTLM (NT LAN Manager) is a protocol used for authentication within Windows networks. BadPotato "forges" or "deceives" this authentication process to gain elevated privileges.

 

Persistence – TA0003

Once Flax Typhoon is able to access the Windows Management Instrumentation Command Line (WMIC), PowerShell, or Windows Terminal [T1059] with local administrator privileges, the attacker establishes a persistent method to access the infected system using the Remote Desktop Protocol (RDP) [T1021]. It is worth noting that when using RDP, stringent authentication is typically required to gain access. For instance, Network Level Authentication (NLA) mandates that the connecting user authenticate with the remote system prior to establishing a full remote session and displaying the Windows login screen. However, the attacker has found a way to bypass the authentication process on Windows by altering registry entries to disable NLA. This technique exploits a feature in Windows known as “Sticky Keys”. Originally, this was designed as an accessibility feature for users with physical disabilities, allowing them to press modifier keys (such as Shift, Ctrl, Alt) one at a time, rather than simultaneously. When a user presses the Shift key five times in succession at the login screen, it triggers a program named “sethc.exe”, typically used to enable or manage Sticky Keys. Flax Typhoon abuses this feature [T1546.008], modifying the Windows registry associated with sethc.exe and adding certain parameters. Consequently, when sethc.exe is triggered, the Windows Task Manager—a robust system monitoring and management tool—is launched with elevated privileges. Given the elevated privileges of the Task Manager, the attacker can execute numerous unauthorized operations, including but not limited to terminating processes and altering system settings. This is tantamount to the attacker unlocking nearly all doors within the compromised system (i.e., gaining system privileges and executing almost any other operation).

 

Credential Access – TA0006

Once Flax Typhoon establishes a foothold on the target system, the next step is to steal the user’s login credentials, which may passwords or encrypted password hashes. They mainly target two places where local system passwords are stored: firstly, within the memory process of the Local Security Authority Subsystem Service (LSASS) [T1003.001] and secondly, the Security Account Manager (SAM) registry hive [T1003.002]. In essence, these two locations serve as the “password safes” within a Windows computer. To “crack open” these safes and extract the passwords within, Flax Typhoon often employs a tool called Mimikatz. Once they obtain these password hashes, they can then crack them offline or use them for Pass the Hash (PtH) attacks [T1550.002] to further access other computers or systems as easily as a legitimate user.

 

Lateral Movement – TA0008

As previously mentioned, Flax Typhoon establishes a persistent method to access infected systems using the Remote Desktop Protocol (RDP). However, to allow the attacker to access the infected system from an external network at any time, they have to overcome the limitation that RDP is generally used only within internal network interfaces, given the widespread cybersecurity policies that restrict RDP in today’s organizations. To achieve external network access to the infected system, Flax Typhoon leverages the installation of legitimate VPNs, enabling the compromised system to automatically connect to the attacker-controlled network infrastructure.

Should Flax Typhoon need to engage in lateral movement to access other systems on the infected network, the attackers, in addition to RDP, will utilize “Living Off The Land Binaries” (abbreviated as LOLBins), which include Windows Remote Management (WinRM) [T1021.006] and WMIC [T1047].

 

Command and Control – TA0011

To successfully deploy and maintain the VPN connection for persistence, Flax Typhoon employs SoftEther VPN, a legitimate and open-source VPN tool. As this tool is legitimate, antivirus software typically doesn’t flag it. Attackers might use legal tools within Windows, as described in Table 2, such as PowerShell’s Invoke-WebRequest, certutil, or Bitsadmin, to download SoftEther VPN. Furthermore, Flax Typhoon utilizes Windows’ Service Control Manager (SCM) to set up a service that causes the VPN connection to automatically start every time the system boots up. This allows the attacker to maintain availability of the infected system and consistently establish RDP connections.

Table 2. Abuse of Command and Control

Tool

Description

Principle

PowerShell Invoke-WebRequest

This is a PowerShell command, primarily used for downloading data from the network or interacting with web services.

It essentially serves as an HTTP client, capable of sending various HTTP requests (GET, POST, PUT, etc.). As this tool is built into most Windows systems, it might be considered normal behavior by cybersecurity tools, which is one reason it could be potentially abused.

certutil

This tool was originally designed for managing certificates, but it also has an option for downloading files.

When used for downloading, it utilizes the HTTP protocol to fetch data from a specified URL. Since its primary purpose isn't file downloading, antivirus software might not immediately identify its potential misuse.

Bitsadmin

A command-line tool used for initiating download or upload tasks and monitoring their progress.

It leverages the Background Intelligent Transfer Service (BITS) technology, allowing files to resume transmission after network disconnections and reconnections. Although this tool is somewhat dated, it still exists on many Windows systems. As it's not directly associated with browsers or other common network tools, its misuse might be less easily detected.

 

Defense Evasion – TA0005

Flax Typhoon renames the executable files of the SoftEther VPN tool to innocuous, system-related names, such as conhost.exe or dllhost.exe. As a result, it becomes challenging to detect anomalies when someone checks the process list. They employ a unique mode tactic called VPN-over-HTTPS, making the network traffic appear like regular HTTPS traffic, which is typically not intercepted by network security devices.

Additionally, Flax Typhoon seeks out what are termed “system restore points”. These restore points serve as emergency backups; if there’s a system issue, users can use them to revert the system to a prior state. However, Flax Typhoon leverages this information to better understand the target system, and possibly even to erase any traces that could expose their actions [T1070].

 

Implications for Critical Infrastructure Sectors

Flax Typhoon’s attack strategy is sophisticated. Once attackers infiltrate a target organization’s system and gain administrative rights, they employ a layered, multifaceted approach to ensure they can consistently and discreetly access the organization’s systems. Primarily, they exploit the misuse of built-in Windows functionalities. This makes defense especially challenging because organizations can’t simply block or delete these tools without possibly affecting standard system operations.

However, many OT/ICS attacks may be the result of malware impacts from the IT side, leading to data loss, hijacking, or even direct destructive impacts on ICS/OT assets. In certain cases, cyber-espionage activities can go deeper, and they might choose to target PLC/DCS to shut down production lines, introducing security vulnerabilities. Therefore, understanding and preparing for these specific scenarios is paramount. The availability, stability, and security of critical infrastructure operations are vital for business continuity. Organizations must contemplate reducing risks of interruptions due to system failures, unauthorized changes, or security incidents to ensure consistent product and service delivery to clients.

From the Purdue model’s perspective, levels 4 and 5 are relatively easier to detect and intercept. The reason is straightforward: there are numerous IT security solutions across email, endpoints, networks, and even the cloud. Still, they also lead to alert fatigue for security teams, making security management more complex and providing attackers opportunities to evade IT security solution detection. Once attackers penetrate OT/ICS (below layer 3), threat detection becomes increasingly challenging because it might be a meticulously orchestrated targeted attack. This could result in catastrophic consequences, such as downtimes, data breaches, or even safety incidents involving personnel. It’s crucial to note that the strategies, techniques, and procedures within Flax Typhoon that could occur in an OT/ICS environment require special attention.

Proactively Identified Vulnerabilities/Threats

Flax Typhoon gains initial access through known software vulnerabilities. Many ICS/OT systems might also enable remote access, such as VPN. It therefore follows that an organization’s cybersecurity team needs to continuously monitor for software vulnerabilities, especially for publicly facing applications like VPNs and Web services. For instance:

  1. Assessing key vulnerabilities (severity and impact) and whether the threats affect the organization using both external and internal threat intelligence.
  2. Mitigating serious vulnerabilities through patching or containment.
  3. Real-time asset management for unauthorized hardware/software installed on machines, and unauthorized devices in the network.

 

Strengthen Authentication and Access Control

In OT environments, many older control systems may not have been securely designed and might run outdated operating systems or software. This means tools like Juicy Potato or BadPotato could gain local administrative rights more easily. As such, implementing strict permission management and authentication mechanisms, such as Multi-Factor Authentication (MFA) and the principle of least privilege, is critical.

 

Study the Expected Configuration and Behavior of Each Device

Flax Typhoon establishes persistence in the system, often utilizing legitimate built-in Windows functionalities and even abusing assistive features to achieve its objectives. Management tools like WMIC and PowerShell might not be strictly restricted in ICS/OT environments as they are used for maintenance and monitoring. Organizations should monitor the usage of these tools and understand the expected configuration and behavior of each device. Given the slight differences in each device, this operation should be executed uniquely for each. By continually analyzing relevant telemetry data from the device, any changes or deviations will be detected and compared against established fingerprints, prompting a response. This approach mainly focuses on detecting changes, especially unexpected ones, to minimize the chance of hackers successfully elevating privileges.

 

Enhance Network Segregation and Secure Remote Access

Flax Typhoon uses Remote Desktop Protocol (RDP) and VPN for its attacks. Restricting which devices and personnel can remotely access the system and what they can access effectively reduces risks. As OT networks are often isolated from IT networks, any behavior crossing this boundary (like using VPNs) should be viewed with high suspicion. Firewalls should employ a whitelist control approach for scrutinizing and approving IT network connections. Also, managing accounts and access controls for remote access is vital to prevent unauthorized entries. Strategies include:

  1. Clearly defining remote access policies and procedures.
  2. Designing remote access gateways (e.g., bastion hosts) to ensure secure remote access.
  3. Enabling gateway access based on requests and requiring prior approval.
  4. Limiting the number of users with remote access rights.
  5. Regularly reviewing and updating access rights.
  6. Monitoring remote access activities and maintaining logs for audits.
  7. Using strong encryption and secure communication protocols.

 

Network Traffic Analysis and Filtering

Flax Typhoon utilizes specialized techniques to mask its network traffic, making it resemble regular HTTPS traffic. To address this issue, monitoring these unusual traffic patterns could be an effective defensive measure. For visibility and control over cybersecurity, it is essential to implement security monitoring, detection, and response to identify and address cyber threats and incidents in real time, mitigating the impact of threats and incidents on manufacturing systems, data, and production. Organizations might consider using advanced traffic analysis tools, which can detect abnormal patterns even when attackers employ encryption or obfuscation; common tools include OT intrusion detection/prevention systems and OT EDR.

 

Establish an Emergency Response Plan

Given that Flax Typhoon seeks out system restore points to conceal its actions, it is imperative to delineate and implement an incident response plan to swiftly and effectively identify breaches following an intrusion, restore systems, and eradicate attackers. This could entail remediating or isolating the affected systems, ideally employing methods of automatic disconnection and tool isolation. Subsequent steps should include ascertaining the root cause, investigating the source of the threat, and identifying the directly/indirectly impacted areas. Lastly, it is vital to patch vulnerabilities and enhance security measures to preempt or monitor future threats.

 

Educate and Train Employees

Flax Typhoon employs many seemingly legitimate tools and methods for its attacks, making it harder to detect. Educating employees to recognize these sophisticated attack techniques is vital.

 

How TXOne Networks Can Combat the Camouflage Killer

Stellar’s CPSDR: Industry’s Premier Solution for Operational Protection

TXOne Networks understands the unique characteristics of the industrial control sector. Coupled with its leading threat research center and comprehensive threat intelligence database, it helps clients block the latest attacks. Specifically designed for maintaining operational stability, TXOne Networks’ Stellar solution introduces the industry-first OT native integrated system detection and response (CPSDR) technology. This can leverage each OT environment’s unique context and behavior to produce specific situational intelligence decisions. It can not only detect potential unforeseen changes in equipment but also suppress them before they lead to instability. In other words, any attack attempting something on a device will be detected, not because the specific “consequences” of the malware are identified, but by proactively providing high-precision alerts for system abnormal operations before the threatening behavior occurs. Coupled with comprehensive analysis, this overcomes the common issue of AI tools lacking OT usage scenarios, which can assist companies in achieving complete defense.

This can counter known threats and extend protection against unknown threats, intercepting every attack. As all changes are detected and suppressed, there’s no need to waste precious time determining its threat level, significantly speeding up response time. Even if a threat penetrates the IT system, once it reaches the OT environment, CPSDR will stop it. This is what we refer to as contextualized security operations.

The key to CPSDR is establishing a unique fingerprint for each device and its digital agent. The baseline configuration parameters of this fingerprint come from a repository containing information on over 8,000 devices, applications, and certificates, including leading manufacturers like Rockwell, GE, and Honeywell. This fingerprint is also based on the device’s standard operating pattern derived from multiple data points. Agents constantly evaluate their host devices and detect any deviations from norms. These individual agents can then detect without affecting the device. This is how CPSDR provides protection while optimizing operational stability. With CPSDR, organizations can feel confident about their network security status and operational consistency.

 

Edge Network Defense Solution: Enhancing Network Isolation, Analysis, and Remote Access Security

In addition to endpoint protection, TXOne Networks advocates the principle of least privilege through its Edge network defense solution. This enables businesses to shrink the OT attack surface, reduce OT cyberattacks, enhance operational performance, and lessen the impact of human error. Implementing fine-grained access control at various tiers allows businesses to strike a balance between accessibility and security while shielding crucial systems. Furthermore, by utilizing the Edge series network-based virtual patch technology, a protective barrier can be created around legacy OS or unpatched assets, thwarting attackers from exploiting network vulnerabilities to access the system.

 

Conclusion

In the industrial OT/ICS environment, safeguarding operational continuity is paramount. That’s why TXOne Networks developed the Cyber-Physical Systems Detection and Response (CPSDR) framework. By harnessing the unique attributes of devices and a comprehensive security strategy, CPSDR ensures that even the most cunning intruders won’t go unnoticed. This is achieved by monitoring for any alterations in device fingerprints, effectively stopping attacks in their tracks. Our mission is clear: to protect critical infrastructures and manufacturing sectors, triumph over cybersecurity challenges, and maintain uninterrupted operations. Even against the most concealed threats, such as the Flax Typhoon hack’s artful disguise, CPSDR stands to be a highly effective defender, thanks to its intrinsic strengths.

TXOne image
TXOne Networks

Need Assistance with OT Security ?

Our team is here to assist with OT security challenges and provide guidance on implementing effective solutions.​