China-linked Silk Typhoon APT Targets North America

A newly identified China-linked Advanced Persistent Threat (APT) group, known as Silk Typhoon or Murky Panda, has been ramping up its attacks on organizations in North America. CrowdStrike, a leading cybersecurity firm, has warned that this Chinese APT has one of the widest targeting scopes and is exploiting various vulnerabilities to gain system access.

Silk Typhoon has been active since 2020 and has been targeting multiple sectors worldwide, including information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs), healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), and energy.

The group uses web shells for command execution and data theft, and has demonstrated a deep understanding of cloud environments. This allows them to move laterally, maintain persistence, and exfiltrate data with ease. CrowdStrike notes that Silk Typhoon heavily relies on exploiting internet-facing appliances to gain initial access and has frequently deployed web shells, including the Neo-reGeorg web shell, which is commonly used by China-nexus adversaries.

The group also has access to a low-prevalence custom malware family called CloudedHope, which provides them with advanced capabilities for lateral movement and data exfiltration. In addition, Silk Typhoon has quickly weaponized n-day and zero-day vulnerabilities to gain initial access to victim systems, including the CVE-2023-3519 vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway.

The APT group uses SOHO devices as exit nodes to mask activity, leveraging RDP, web shells, and CloudedHope to pivot into cloud networks. This tactic allows them to move laterally in a stealthy manner, avoiding common initial access methods such as stolen cloud credentials or public app exploits.

In recent months, CrowdStrike has detailed how Silk Typhoon exploited trusted cloud relationships for covert access to downstream victims. The group obtained Entra ID secrets that allowed them to impersonate service principals and access customer emails. They also compromised a Microsoft cloud solution provider, abusing Delegated Administrative Privileges (DAP) to gain elevated access.

This highlights the group's focus on intelligence collection through rare cloud-focused tactics, techniques, and procedures (TTPs). According to CrowdStrike, "MURKY PANDA poses a significant threat to government, technology, legal, and professional services entities in North America and to their suppliers with access to sensitive information."

Organizations that rely heavily on cloud environments are innately vulnerable to trusted-relationship compromises in the cloud. China-nexus adversaries like Silk Typhoon continue to leverage sophisticated tradecraft to facilitate their espionage operations, targeting numerous sectors globally.

Stay Safe Online

If you're concerned about the threat of Silk Typhoon or other APT groups, here are some tips to help keep your organization safe online:

Regularly update and patch systems with the latest security patches. Monitor cloud service provider accounts for suspicious activity. Use strong passwords and multi-factor authentication to prevent unauthorized access. Implement robust network segmentation and firewalls to limit lateral movement. Conduct regular vulnerability assessments and penetration testing to identify weaknesses.
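The trusted-relationship abuse described earlier (a credential added to a service principal, followed by sign-ins that impersonate it, and delegated partner access used for elevation) and the advice above to monitor cloud provider accounts for suspicious activity can both be turned into concrete detection logic. The script below is an added example written for this page, not code from CrowdStrike or from any vendor tooling. The event records are constructed and deliberately simplified; their field names and the rule thresholds are assumptions for illustration, not the real Entra ID log schema, and the IP addresses and account names are documentation placeholders.

```python
from datetime import datetime, timedelta

# Constructed, simplified events loosely modelled on Entra ID audit and
# sign-in logs. Field names and values are assumptions for this example,
# not the real schema and not telemetry from any real incident.
SAMPLE_EVENTS = [
    # Historic, expected sign-in from the known automation host.
    {"kind": "signin", "principal": "sp-mailer", "ip": "198.51.100.20",
     "ts": "2025-07-01T09:00:00Z"},
    # A partner-side account adds a second credential to the service principal.
    {"kind": "audit", "activity": "Add service principal credentials",
     "target": "sp-mailer", "actor": "partner-admin@msp.example",
     "ts": "2025-08-01T10:00:00Z"},
    # Minutes later the same principal signs in from an IP never seen before.
    {"kind": "signin", "principal": "sp-mailer", "ip": "203.0.113.7",
     "ts": "2025-08-01T10:05:00Z"},
    # Unrelated principal from an expected IP: must not alert.
    {"kind": "signin", "principal": "svc-backup", "ip": "198.51.100.20",
     "ts": "2025-08-01T11:00:00Z"},
    # Delegated admin session from a partner account not on the allowlist.
    {"kind": "audit", "activity": "Partner delegated admin access",
     "target": "customer-tenant", "actor": "helpdesk@msp.example",
     "ts": "2025-08-01T12:00:00Z"},
]


def _parse_ts(value):
    # Sample timestamps use a trailing 'Z'; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(events, baseline_ips, approved_partner_actors, window=timedelta(hours=24)):
    """Return a list of alert dicts. Rules (assumptions; tune to your tenant):
    1. sp_new_ip (medium): a service principal signs in from an IP outside
       its learned baseline.
    2. cred_then_new_ip (high): rule 1 fires within `window` after a credential
       was added to that principal, the pattern behind service-principal
       impersonation.
    3. dap_unapproved (high): delegated admin access by a partner actor that
       is not on the allowlist."""
    cred_adds = {}  # principal -> list of (timestamp, actor who added the credential)
    for e in events:
        if e["kind"] == "audit" and e["activity"] == "Add service principal credentials":
            cred_adds.setdefault(e["target"], []).append((_parse_ts(e["ts"]), e["actor"]))

    alerts = []
    for e in sorted(events, key=lambda x: _parse_ts(x["ts"])):
        ts = _parse_ts(e["ts"])
        if e["kind"] == "signin":
            sp = e["principal"]
            if e["ip"] in baseline_ips.get(sp, set()):
                continue  # known source for this principal
            recent = [actor for t, actor in cred_adds.get(sp, [])
                      if timedelta(0) <= ts - t <= window]
            if recent:
                alerts.append({"rule": "cred_then_new_ip", "severity": "high",
                               "principal": sp, "ip": e["ip"],
                               "cred_added_by": recent[-1]})
            else:
                alerts.append({"rule": "sp_new_ip", "severity": "medium",
                               "principal": sp, "ip": e["ip"]})
        elif e["kind"] == "audit" and e["activity"] == "Partner delegated admin access":
            if e["actor"] not in approved_partner_actors:
                alerts.append({"rule": "dap_unapproved", "severity": "high",
                               "actor": e["actor"], "target": e["target"]})
    return alerts


# Baselines would normally be learned from weeks of logs; constructed here.
BASELINE_IPS = {"sp-mailer": {"198.51.100.20"}, "svc-backup": {"198.51.100.20"}}
APPROVED_PARTNER_ACTORS = {"partner-admin@msp.example"}

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, BASELINE_IPS, APPROVED_PARTNER_ACTORS):
        print(alert)
```

Run against the sample events, the detector raises two alerts: a high-severity `cred_then_new_ip` for `sp-mailer` (credential added, then a sign-in from an unseen address five minutes later) and a high-severity `dap_unapproved` for the delegated admin session. The design choice worth keeping when porting this to real telemetry is the correlation in rule 2: a lone sign-in from a new IP is noisy, but a new IP shortly after a credential was added to the same principal is the sequence that turns a leaked secret into impersonation, and it deserves a higher severity than either event alone.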
