Microsoft: Stealthy Flax Typhoon hackers use LOLBins to evade detection (Security News, August 2023)
Microsoft has identified a new hacking group it now tracks as Flax Typhoon that targets government agencies and education, critical manufacturing, and information technology organizations, likely for espionage purposes.
Operating since at least mid-2021, Flax Typhoon mainly targeted organizations in Taiwan, although Microsoft discovered some victims in Southeast Asia, North America, and Africa.
Observed Flax Typhoon TTPs

In the campaign Microsoft observed, Flax Typhoon gained initial access by exploiting known vulnerabilities in public-facing servers, including VPN, web, Java, and SQL applications.
"Flax Typhoon can access the compromised system via RDP, use the Sticky Keys shortcut at the sign-in screen, and access Task Manager with local system privileges," explains Microsoft.
Microsoft has not observed Flax Typhoon using the stolen credentials to extract additional data, which makes the actor's main objective unclear at the moment.
Registry monitoring could help catch modification attempts and unauthorized changes like those performed by Flax Typhoon to disable NLA. Organizations that suspect a breach by this particular threat actor need to thoroughly examine their networks, as Flax Typhoon's long dwell periods allow it to compromise multiple accounts and alter system configuration for long-term access.
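The two persistence mechanisms the article describes, the Sticky Keys shortcut at the sign-in screen and the registry change that disables NLA, both leave a footprint that a defender can check directly. The script below is an added example written for this page; it is not code from Microsoft's report or from the article, and it does not reproduce Flax Typhoon's own tooling. It generalises beyond the text in one way: besides sethc.exe (Sticky Keys) it checks the other accessibility binaries that can be launched from the same sign-in screen, since the same hijack works for all of them. The registry paths and value names used are the standard Windows locations; the SUSPICIOUS/REVIEW/OK labels are the script's own convention. Run it from an elevated PowerShell prompt on the host under investigation.

```powershell
# Added example: audit a Windows host for the Sticky Keys backdoor and the NLA
# downgrade discussed in the article. Not Flax Typhoon's code and not from the
# article; registry locations are the standard Windows ones.
$findings = @()

# Binaries reachable from the pre-authentication sign-in screen. The article names
# Sticky Keys (sethc.exe); the rest are included as a generalisation of the technique.
$accessibilityBins = 'sethc.exe','utilman.exe','osk.exe','narrator.exe',
                     'magnify.exe','displayswitch.exe','atbroker.exe'

# 1. Image File Execution Options "Debugger" hijack: if a Debugger value exists for
#    one of these binaries, Windows launches that program instead of (and with the
#    privileges of) the accessibility tool when the shortcut is pressed at sign-in.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($bin in $accessibilityBins) {
    $key = Join-Path $ifeo $bin
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{ Check = "IFEO Debugger for $bin"; Value = $dbg; Status = 'SUSPICIOUS' }
        }
    }
}

# 2. Older variant of the same backdoor: the accessibility binary on disk has been
#    replaced with a copy of a shell. Compare SHA256 hashes against cmd.exe and powershell.exe.
$sys32 = Join-Path $env:SystemRoot 'System32'
$shellHashes = @('cmd.exe','WindowsPowerShell\v1.0\powershell.exe') | ForEach-Object {
    (Get-FileHash -Path (Join-Path $sys32 $_) -Algorithm SHA256).Hash
}
foreach ($bin in $accessibilityBins) {
    $path = Join-Path $sys32 $bin
    if (Test-Path $path) {
        $h = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($shellHashes -contains $h) {
            $findings += [pscustomobject]@{ Check = "$bin on disk"; Value = 'hash matches a shell binary'; Status = 'SUSPICIOUS' }
        }
    }
}

# 3. RDP exposure. UserAuthentication = 1 means NLA is required, so a client must
#    authenticate before it ever sees the sign-in screen; 0 exposes that screen (and
#    therefore the Sticky Keys path) to anyone who can reach port 3389.
#    fDenyTSConnections = 0 means RDP is enabled at all.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'
$nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$findings += [pscustomobject]@{
    Check = 'NLA required (UserAuthentication)'; Value = $nla
    Status = $(if ($nla -eq 1) { 'OK' } else { 'SUSPICIOUS' })
}
$findings += [pscustomobject]@{
    Check = 'RDP enabled (fDenyTSConnections=0)'; Value = $deny
    Status = $(if ($deny -eq 0) { 'REVIEW' } else { 'OK' })
}

$findings | Format-Table -AutoSize
```

A point-in-time check like this is only a starting point; for the continuous registry monitoring the article recommends, put a SACL on the IFEO and Terminal Server keys so that changes raise Windows Security event 4657 (registry value modified), or collect Sysmon event 13 (RegistryEvent, value set) filtered to those paths, and alert on any write to a Debugger value or to UserAuthentication.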