Silk Typhoon: A Look into a Disturbing APT Threat
Understanding Silk Typhoon
Recent research from CrowdStrike has shed light on the advanced persistent threat (APT) group known as Silk Typhoon, also referred to as "Murky Panda." This group has showcased a notably advanced capability to breach trusted cloud relationships, putting many organizations at risk.
Exploiting Vulnerabilities
Silk Typhoon has demonstrated a frightening agility in weaponizing both n-day and zero-day vulnerabilities. Notable examples of these vulnerabilities include CVE-2023-3519, which affects Citrix NetScaler ADC and NetScaler Gateway, as well as CVE-2025-3928 concerning Commvault. By exploiting these vulnerabilities, the group can gain initial access to systems, highlighting the need for organizations to stay vigilant about security patches.
Techniques and Operational Methods
CrowdStrike has provided insights into the tactics, techniques, and procedures (TTPs) employed by Silk Typhoon. One of the group’s strategies involves utilizing compromised small office/home office (SOHO) devices as exit nodes. This tactic is common among various Chinese APT groups, allowing them to disguise their operations as legitimate actions within the victim’s geographical region.
Once inside a compromised network, Silk Typhoon often uses Remote Desktop Protocol (RDP), web shells like Neo-reGeorg, and sometimes even employs malware such as CloudedHope to navigate laterally. This enables them to establish a persistent foothold and allows them to pivot toward cloud environments effectively.
Supply Chain Attacks by Silk Typhoon
CrowdStrike highlights Silk Typhoon as one of the few adversaries adept at conducting trusted-relationship compromises in the cloud. According to their findings, this form of attack remains relatively under-monitored compared to more common vectors like authenticating via valid cloud accounts or exploiting public-facing applications.
By leveraging this lesser-known access method, Silk Typhoon likely aims to maintain undetected access to downstream victims, facilitating prolonged infiltration of systems.
Notable Supply Chain Incidents
The research outlines two significant software supply chain attacks by Silk Typhoon. In these incidents, the group exploited zero-day vulnerabilities to gain access to the cloud environments of Software as a Service (SaaS) providers. Their understanding of the compromised environments enabled them to engage in lateral movement to downstream customers.
In one case, at least one SaaS provider managed access via Entra ID. Silk Typhoon reportedly accessed the provider’s application registration secret, allowing them to authenticate as the service principals of the application. This access opened the door to customer environments, ultimately granting them access to sensitive customer data, including emails.
In another instance, the group targeted a Microsoft cloud solution provider, exploiting customer Entra tenants through delegated administrative privileges. By compromising a user in the Admin Agent group, Silk Typhoon gained Global Administrator privileges, which provided them with substantial control across all downstream customer accounts.
Recommendations for Defense
To combat the threats posed by Silk Typhoon, CrowdStrike shares several strategies for detection and prevention. They recommend auditing Entra ID service principals’ credentials, with a particular focus on any newly added credentials.
Additionally, enabling Microsoft Graph activity logs can enhance monitoring capabilities. This allows organizations to track which resources are accessed via Microsoft Graph, including identifying the service principals involved.
Other prudent strategies include proactive hunting for service principal activities that deviate from established norms, as well as monitoring for Entra ID service principal sign-ins originating from unrecognized networks.
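As an added illustration of the three recommendations above (not code from the article or from CrowdStrike), the script below runs the checks over constructed, simplified records: it lists service principals that received a credential within a recent window, flags service principal sign-ins from networks outside an allow-list, and compares each principal's Microsoft Graph requests against a per-principal baseline of expected resources. The record shapes, field names, IP ranges, baseline and service principal identifiers are assumptions modelled loosely on Entra ID audit, sign-in and Graph activity logs, not the exact Microsoft schema; a real deployment would feed exported log rows into the same functions.

```python
"""Triage of service principal activity against three checks: newly added
credentials, sign-ins from unrecognized networks, and Microsoft Graph usage
outside a learned baseline. Sample data below is constructed for the example."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Reference time for the "recently added" window (constructed).
NOW = datetime(2025, 8, 22, 12, 0, tzinfo=timezone.utc)

# Constructed audit-log style events; field names are an assumption.
AUDIT_LOGS = [
    {"activityDateTime": "2025-08-20T02:14:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "svc-automation@example.test", "targetId": "sp-1111"},
    {"activityDateTime": "2025-08-21T09:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": "admin@example.test", "targetId": "user-42"},
    {"activityDateTime": "2025-06-01T10:00:00Z",   # old, outside the window
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "admin@example.test", "targetId": "sp-3333"},
]
# Constructed service principal sign-in style events.
SP_SIGNINS = [
    {"createdDateTime": "2025-08-20T02:20:00Z", "servicePrincipalId": "sp-1111", "ipAddress": "203.0.113.7"},
    {"createdDateTime": "2025-08-21T08:00:00Z", "servicePrincipalId": "sp-2222", "ipAddress": "10.0.5.4"},
    {"createdDateTime": "2025-08-21T08:05:00Z", "servicePrincipalId": "sp-1111", "ipAddress": "198.51.100.20"},
]
# Constructed Microsoft Graph activity style events.
GRAPH_ACTIVITY = [
    {"servicePrincipalId": "sp-1111", "requestUri": "/v1.0/users/8f3c/messages"},
    {"servicePrincipalId": "sp-1111", "requestUri": "/v1.0/applications/abcd"},
    {"servicePrincipalId": "sp-2222", "requestUri": "/v1.0/groups"},
]
# Networks the organization recognizes as its own (assumed values).
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]
# Graph resources each principal normally touches, learned from prior activity (assumed).
GRAPH_BASELINE = {"sp-1111": {"applications"}, "sp-2222": {"groups"}}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2025-08-20T02:14:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_credentials(audit_logs, now=NOW, window_days=7):
    """Service principals that received a new credential inside the window."""
    cutoff = now - timedelta(days=window_days)
    return sorted({e["targetId"] for e in audit_logs
                   if e["activityDisplayName"] == "Add service principal credentials"
                   and parse_ts(e["activityDateTime"]) >= cutoff})


def unrecognized_signins(signins, known=KNOWN_NETWORKS):
    """(service principal, source IP) pairs whose IP is outside every known network."""
    hits = []
    for s in signins:
        addr = ip_address(s["ipAddress"])
        if not any(addr in net for net in known):
            hits.append((s["servicePrincipalId"], s["ipAddress"]))
    return hits


def graph_resource(uri):
    """Coarse resource key: '/v1.0/users/<id>/messages' -> 'users/messages',
    '/v1.0/applications/<id>' -> 'applications'. Object ids are dropped."""
    parts = [p for p in uri.split("/") if p]
    if parts and parts[0] in ("v1.0", "beta"):
        parts = parts[1:]
    if not parts:
        return ""
    return parts[0] + ("/" + parts[-1] if len(parts) >= 3 else "")


def graph_anomalies(activity, baseline=GRAPH_BASELINE):
    """Graph calls whose resource is outside the principal's baseline (unknown principals count)."""
    hits = []
    for a in activity:
        key = graph_resource(a["requestUri"])
        if key not in baseline.get(a["servicePrincipalId"], set()):
            hits.append((a["servicePrincipalId"], key))
    return hits


def triage(audit_logs=AUDIT_LOGS, signins=SP_SIGNINS, activity=GRAPH_ACTIVITY):
    """Combine the three checks into one map of service principal -> reasons flagged."""
    flagged = {}
    for sp in new_credentials(audit_logs):
        flagged.setdefault(sp, []).append("new credential added")
    for sp, ip in unrecognized_signins(signins):
        flagged.setdefault(sp, []).append(f"sign-in from unrecognized network {ip}")
    for sp, res in graph_anomalies(activity):
        flagged.setdefault(sp, []).append(f"Graph resource outside baseline: {res}")
    return flagged


if __name__ == "__main__":
    for sp, reasons in triage().items():
        print(sp, "->", "; ".join(reasons))
```

A principal that trips more than one check at once, as sp-1111 does in the sample (a fresh credential, a sign-in from outside the allow-list, and mailbox reads that its baseline never showed), is the pattern the article describes and should be escalated rather than reviewed as three unrelated alerts.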
In summary, as APT groups like Silk Typhoon continue to evolve, organizations must fortify their defenses and remain vigilant for any signs of intrusion.