The China-linked hacking group, Silk Typhoon, which previously exploited zero-day vulnerabilities in Microsoft Exchange servers, has expanded its tactics to target the IT supply chain for initial access to corporate networks. This shift was detailed in a recent report from Microsoft’s Threat Intelligence team.

Silk Typhoon has been observed compromising IT solutions, particularly remote management tools and cloud applications, to establish a foothold within corporate environments. After breaching a victim’s network, the group uses stolen keys and credentials to infiltrate customer systems and exploit a variety of deployed applications, including Microsoft services, to further their espionage objectives.

The group is characterized as well-resourced and technically proficient, adept at leveraging exploits for zero-day vulnerabilities in various edge devices. They have targeted multiple sectors globally, including IT services, managed service providers, healthcare, and government entities.

In their operations, Silk Typhoon has utilized various web shells for command execution, persistence, and data exfiltration, demonstrating a sophisticated understanding of cloud infrastructures. Additionally, they have developed new techniques since late 2024, notably abusing stolen API keys tied to privileged access management (PAM) products and cloud service providers to conduct supply chain attacks on those providers' downstream customers.

The group’s initial access methods have included exploiting zero-day vulnerabilities in Ivanti Pulse Connect VPN and conducting password spray attacks using valid credentials sourced from public leaks. Other vulnerabilities exploited by Silk Typhoon encompass command injection flaws in Palo Alto Networks firewalls and remote code execution vulnerabilities affecting Citrix systems, as well as flaws tied to Microsoft Exchange.

Following successful infiltrations, Silk Typhoon aims to expand its reach from on-premises networks to cloud environments, employing OAuth applications with administrative permissions for data exfiltration via the Microsoft Graph API.
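As an added defender-side illustration (not code from the original article or from Microsoft's report), the script below audits a constructed, simplified inventory of Entra ID service principals for exactly the pattern described above: admin-consented Microsoft Graph application permissions that allow tenant-wide mailbox, file or directory reads with no signed-in user, with a recently added credential treated as the stronger indicator. The permission names are real Graph application permissions; the record shape (`displayName`, `app_permissions`, `credential_created`) is an assumption made for this example, not the Graph API's own response format.

```python
"""Flag service principals whose Graph application permissions could be
abused for tenant-wide data exfiltration, and raise severity when a
credential was added to such an app recently."""
from datetime import datetime, timedelta, timezone

# Graph application permissions that read mail, files or the directory
# tenant-wide without a signed-in user; every grant deserves review.
HIGH_RISK_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
    "Directory.Read.All", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}


def review_service_principals(principals, now, recent_days=30):
    """Return (displayName, severity, reason) for each risky principal.

    `principals` is a list of dicts in the assumed, simplified shape:
    app_permissions = admin-consented application permission names,
    credential_created = datetimes of each client secret / certificate."""
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for sp in principals:
        risky = sorted(HIGH_RISK_PERMISSIONS & set(sp["app_permissions"]))
        if not risky:
            continue  # no tenant-wide data access, nothing to flag here
        reason = "high-risk application permissions: " + ", ".join(risky)
        new_creds = [c for c in sp["credential_created"] if c >= cutoff]
        severity = "review"
        if new_creds:  # new secret/cert on an already-consented app
            severity = "high"
            reason += f"; {len(new_creds)} credential(s) added in last {recent_days} days"
        findings.append((sp["displayName"], severity, reason))
    return findings


NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)
SAMPLE_PRINCIPALS = [  # constructed sample inventory, not real tenant data
    {"displayName": "Backup Connector", "app_permissions": ["Mail.Read", "Files.Read.All"],
     "credential_created": [datetime(2023, 1, 5, tzinfo=timezone.utc),
                            datetime(2025, 3, 2, tzinfo=timezone.utc)]},
    {"displayName": "HR Portal", "app_permissions": ["User.Read.All"],
     "credential_created": [datetime(2024, 6, 1, tzinfo=timezone.utc)]},
    {"displayName": "Legacy Sync", "app_permissions": ["Directory.Read.All"],
     "credential_created": [datetime(2022, 9, 9, tzinfo=timezone.utc)]},
]

if __name__ == "__main__":
    for name, severity, reason in review_service_principals(SAMPLE_PRINCIPALS, NOW):
        print(f"[{severity}] {name}: {reason}")
```

In a real tenant the inventory would be built from the service principal, app role assignment and credential data the directory exposes; the triage logic stays the same.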

To obfuscate their activities, they have deployed a network of compromised devices, including Cyberoam appliances and Zyxel routers, which has been a common tactic among state-sponsored hacking groups from China. These measures enable them to maintain persistence within victim environments and facilitate remote access to their targets.
