In cybersecurity, new threats emerge while old ones evolve. Recent activity has brought to light the espionage tactics of Flax Typhoon, a nation-state actor believed to be based in China, targeting Taiwanese organizations. Alongside this, the ransomware landscape is shifting toward Linux-focused payloads, emphasizing the need for robust cybersecurity measures.
Flax Typhoon’s Espionage Activities in Taiwan
Microsoft has recently uncovered malicious activities by Flax Typhoon, primarily targeting Taiwanese organizations. The actor’s tactics hint at espionage intentions and a desire for long-term access across various sectors. Active since mid-2021, Flax Typhoon has been focusing on government, education, manufacturing, and IT sectors in Taiwan, with some victims also found in Southeast Asia, North America, and Africa.
Interestingly, despite their extensive activity, Flax Typhoon’s end goal remains unclear: Microsoft has not observed any data-collection or exfiltration objectives. The actor’s modus operandi revolves around persistence, lateral movement, and credential access. They employ living-off-the-land techniques alongside tools such as the China Chopper web shell, Metasploit, Juicy Potato, Mimikatz, and the SoftEther VPN client. Initial access is typically gained by exploiting vulnerabilities in public-facing servers. Once inside, they focus on establishing persistence and moving laterally, harvesting credentials to extend their reach.
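One way defenders turn the tradecraft described above into a detection is the classic web-shell heuristic: a web server process (such as IIS’s w3wp.exe or Apache’s httpd) should almost never spawn a command interpreter, so process-creation telemetry showing exactly that is worth an alert. The script below is an added example written for this article, not code from Microsoft or from the original post; the key=value log layout and the sample events are constructed for illustration, and the process-name lists are assumptions you would tune to your own environment.

```python
"""Heuristic web-shell detection over process-creation events.

Added example (not from the original article). Rule: a web server process
spawning a command interpreter is anomalous on a hardened public-facing host.
The log format (space-separated key=value pairs, values optionally quoted) and
the sample lines are constructed for this example; the name lists are
assumptions to be tuned per environment.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Parent processes that legitimately serve web traffic (assumed list).
WEB_SERVER_PARENTS = {
    "w3wp.exe", "httpd.exe", "httpd", "apache2", "nginx.exe", "nginx",
    "php-cgi.exe", "php-fpm",
}
# Command interpreters a web server should not be launching (assumed list).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}

# Matches key=value where value is either "quoted text" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class Alert:
    timestamp: str
    host: str
    parent: str
    image: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return an Alert for every event where a web server spawned a shell."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        parent = basename(ev.get("parent", ""))
        image = basename(ev.get("image", ""))
        if parent in WEB_SERVER_PARENTS and image in SHELLS:
            alerts.append(Alert(
                timestamp=ev.get("ts", ""),
                host=ev.get("host", ""),
                parent=parent,
                image=image,
                reason="web server process spawned a command interpreter",
            ))
    return alerts


# Constructed sample telemetry: two suspicious events, two benign ones.
SAMPLE_LOG = [
    'ts=2023-08-24T10:15:02Z host=web01 parent="C:\\Windows\\System32\\inetsrv\\w3wp.exe" '
    'image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c ver"',
    'ts=2023-08-24T10:15:03Z host=web01 parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe"',
    'ts=2023-08-24T10:16:10Z host=web02 parent=/usr/sbin/httpd image=/bin/sh cmdline="sh -c id"',
    'ts=2023-08-24T10:16:11Z host=web02 parent=/usr/sbin/httpd image=/usr/sbin/httpd '
    'cmdline="httpd -DFOREGROUND"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host}: {a.parent} -> {a.image} ({a.reason})")
```

Running the script flags the w3wp.exe→cmd.exe and httpd→sh events and ignores the explorer.exe-launched shell and the httpd worker fork. In practice the same rule is expressed as a Sysmon Event ID 1 or auditd query keyed on parent image; the value of the heuristic is that it catches a web shell regardless of which file name the attacker gave it.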
For organizations, the key takeaway is the importance of proactive defense. This includes vulnerability and patch management, hardening public-facing servers, and enforcing strong multifactor authentication (MFA) policies.
The Shift in Ransomware Tactics
The ransomware landscape is undergoing a significant transformation. Threat actors are now employing more sophisticated techniques and are increasingly targeting critical infrastructure. Notably, several recent ransomware families have developed payloads focused on Linux/ESXi. This shift underscores the importance of timely patching and robust cybersecurity measures.
For instance, Akira ransomware has been targeting Cisco VPN products since March 2023 and has evolved to target VMware ESXi virtual machines. The group behind Akira, suspected to be Russian, uses tools like RustDesk for stealthy access. Another ransomware family, Monti, has returned with a new variant targeting VMware ESXi servers as well as legal and government organizations. Unlike its previous versions, this iteration shows distinct behaviors and encryption techniques.
Furthermore, Cuba Ransomware is targeting critical infrastructure in the U.S. and IT entities in Latin America. It exploits vulnerabilities in Veeam Backup & Replication products and has been leveraging the “Zerologon” vulnerability in Microsoft’s NetLogon protocol for privilege escalation.
WinRAR’s Vulnerability: A Cautionary Tale
On July 10, 2023, a vulnerability in WinRAR was discovered that threat actors had been exploiting to distribute weaponized ZIP archives on trading forums. When opened, these archives ran scripts that installed malware, enabling attackers to withdraw money from broker accounts. This incident underscores the importance of keeping software updated and treating unknown attachments with caution.
The cybersecurity landscape is in constant flux. With nation-state actors like Flax Typhoon targeting specific regions for espionage and the rise of Linux-centric ransomware, organizations must remain vigilant. Regular software updates, employee education, and robust cybersecurity measures are no longer optional but essential.