Microsoft has uncovered a series of concerning activities aimed at organizations primarily located in Taiwan. This campaign, attributed to Flax Typhoon (also connected to ETHEREAL PANDA), is suspected to be orchestrated by a nation-state actor based in China.
The operation involves sophisticated techniques that could be replicated in other regions, raising concerns about potential global implications. Microsoft has chosen to make this threat public due to the significant risks it poses and the need for collective vigilance within the security community.
The Flax Typhoon campaign has been in operation since mid-2021, with its primary targets encompassing government agencies, education institutions, critical manufacturing, and information technology organizations within Taiwan. Although the impact has been concentrated in Taiwan, certain victims have also been identified in Southeast Asia, North America, and Africa.
Flax Typhoon’s tactics are centered around persistence, lateral movement, and acquiring credential access. As per established practices, Microsoft has directly notified affected parties to help bolster their security measures.
Preventive measures to counter Flax Typhoon
To respond effectively to suspected compromises, organizations are advised to take the following steps:
- Identify Compromised Accounts or Systems:
- Locate instances of LSASS and SAM dumping to detect affected accounts.
- Scrutinize compromised accounts for malicious activities or exposed data.
- Invalidate or modify credentials for all compromised accounts, considering the potential scope of compromise.
- Isolate and meticulously examine affected systems for traces of malicious actions.
- Defend Against Flax Typhoon Attacks:
- Maintain updated security patches for public-facing servers, which are attractive targets for threat actors.
- Employ methods like user input validation, file integrity monitoring, behavioral monitoring, and web application firewalls for enhanced server security.
- Monitor the Windows registry for unauthorized modifications, leveraging the Audit Registry feature.
- Utilize network monitoring and intrusion detection systems to spot unusual or unauthorized network traffic.
- Ensure Windows systems are up-to-date with the latest security patches, including MS16-075.
How to mitigate the risk of compromised accounts
Microsoft also recommends several strategies to mitigate the risk of compromised accounts and systems:
- Enforce Strong Authentication:
- Implement robust multifactor authentication (MFA) policies involving hardware security keys or Microsoft Authenticator.
- Leverage passwordless sign-in methods, such as Windows Hello and FIDO2 security keys, to reduce vulnerability.
- Set password expiration rules and deactivate unused accounts to curtail risk.
- Enhance Security Measures:
- Randomize Local Administrator passwords using tools like Local Administrator Password Solution (LAPS).
- Employ attack surface reduction rules to block or audit identified malicious activity patterns.
- Strengthen LSASS process security with features like Protective Process Light (PPL) and Windows Defender Credential Guard.
- Implement cloud-delivered protection in Microsoft Defender Antivirus for dynamic threat coverage.
- Deploy Endpoint Detection and Response (EDR):
- Utilize EDR in block mode to enable Microsoft Defender for Endpoint to neutralize threats even when other antivirus systems are passive.
The exposure of Flax Typhoon’s operations underscores the importance of robust security practices and collaboration across the security landscape. Microsoft’s proactive approach aims to empower organizations and the security community at large to bolster defenses against evolving threats like the Flax Typhoon.
Via: Tech Times