Cyber Security News

Chinese “Salt Typhoon” Hackers Exploit Exchange Vulnerabilities to Target Organizations

The Chinese Advanced Persistent Threat (APT) group known as Salt Typhoon, also referred to as FamousSparrow, GhostEmperor, Earth Estries, and UNC2286, has been actively targeting critical sectors worldwide.

This group has been particularly focused on telecommunications and government entities across the United States, the Asia-Pacific region, the Middle East, and South Africa since at least 2019.

Salt Typhoon is known for its sophisticated cyberespionage capabilities and extensive experience in illicit activities, employing multiple backdoors and hacking tools to maintain persistent access while minimizing detection.

Exploitation Techniques and Targets

Salt Typhoon has been observed exploiting vulnerabilities such as Microsoft Exchange’s ProxyLogon, which allows attackers to take over Exchange servers without requiring valid credentials.

This pre-authenticated Remote Code Execution (RCE) exploit chain is particularly dangerous as it enables attackers to gain full control over any reachable Exchange server.

The group also leverages public cloud and communication services like GitHub, Gmail, AnonFiles, and File.io to covertly exchange commands and exfiltrate stolen data.

Additionally, Salt Typhoon employs PowerShell downgrade attacks to bypass Windows Antimalware Scan Interface (AMSI) logging, further complicating detection efforts.

Adversary Emulation and Defense Strategies

To counter these threats, AttackIQ has developed an assessment template that emulates Salt Typhoon’s Tactics, Techniques, and Procedures (TTPs).

This template allows organizations to validate their security controls and assess their ability to defend against such sophisticated threats.

Key techniques emulated include execution methods like PowerShell and Visual Basic scripting, persistence techniques such as registry modifications, and defense evasion strategies like disabling security software.

By focusing on these critical TTPs, organizations can enhance their security posture and improve detection and prevention capabilities against Salt Typhoon’s espionage operations.

The use of this assessment template is crucial for organizations to evaluate their security control performance against recently active Chinese APT activity.

It also helps in assessing the security posture against adversaries focused on the government and telecommunications sectors.

Continuous validation of detection and prevention pipelines is essential in mitigating the risks posed by Salt Typhoon’s global espionage operations.

By prioritizing the detection and mitigation of specific techniques like DLL side-loading and scheduled tasks, organizations can significantly reduce their vulnerability to these attacks.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

19 hours ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

21 hours ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

21 hours ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

21 hours ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

22 hours ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

22 hours ago