Cyber Security News

Chinese “Salt Typhoon” Hackers Exploit Exchange Vulnerabilities to Target Organizations

The Chinese Advanced Persistent Threat (APT) group known as Salt Typhoon, also referred to as FamousSparrow, GhostEmperor, Earth Estries, and UNC2286, has been actively targeting critical sectors worldwide.

This group has been particularly focused on telecommunications and government entities across the United States, the Asia-Pacific region, the Middle East, and South Africa since at least 2019.

Salt Typhoon is known for its sophisticated cyberespionage capabilities and extensive experience in illicit activities, employing multiple backdoors and hacking tools to maintain persistent access while minimizing detection.

Exploitation Techniques and Targets

Salt Typhoon has been observed exploiting vulnerabilities such as Microsoft Exchange’s ProxyLogon, which allows attackers to take over Exchange servers without requiring valid credentials.

This pre-authenticated Remote Code Execution (RCE) exploit chain is particularly dangerous as it enables attackers to gain full control over any reachable Exchange server.

The group also leverages public cloud and communication services like GitHub, Gmail, AnonFiles, and File.io to covertly exchange commands and exfiltrate stolen data.

Additionally, Salt Typhoon employs PowerShell downgrade attacks to bypass Windows Antimalware Scan Interface (AMSI) logging, further complicating detection efforts.

Adversary Emulation and Defense Strategies

To counter these threats, AttackIQ has developed an assessment template that emulates Salt Typhoon’s Tactics, Techniques, and Procedures (TTPs).

This template allows organizations to validate their security controls and assess their ability to defend against such sophisticated threats.

Key techniques emulated include execution methods like PowerShell and Visual Basic scripting, persistence techniques such as registry modifications, and defense evasion strategies like disabling security software.

By focusing on these critical TTPs, organizations can enhance their security posture and improve detection and prevention capabilities against Salt Typhoon’s espionage operations.

The use of this assessment template is crucial for organizations to evaluate their security control performance against recently active Chinese APT activity.

It also helps in assessing the security posture against adversaries focused on the government and telecommunications sectors.

Continuous validation of detection and prevention pipelines is essential in mitigating the risks posed by Salt Typhoon’s global espionage operations.

By prioritizing the detection and mitigation of specific techniques like DLL side-loading and scheduled tasks, organizations can significantly reduce their vulnerability to these attacks.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

4 hours ago

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded by…

4 hours ago

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s Black…

4 hours ago

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals and…

4 hours ago

Phishing Campaign Uses Blob URLs to Bypass Email Security and Avoid Detection

Cybersecurity researchers at Cofense Intelligence have identified a sophisticated phishing tactic leveraging Blob URIs (Uniform…

4 hours ago

VMware Tools Vulnerability Allows Attackers to Modify Files and Launch Malicious Operations

Broadcom-owned VMware has released security patches addressing a moderate severity insecure file handling vulnerability in…

6 hours ago