Breaking Down Silk Typhoon’s Targeted Attacks On IT Service Providers

Microsoft Threat Intelligence has identified a shift in the tactics of Silk Typhoon, a Chinese state-sponsored espionage group that is now targeting IT supply chain companies. The group exploits unpatched vulnerabilities in remote management tools and cloud applications to gain access, steal credentials, and move laterally within victim networks. Silk Typhoon is adept at abusing stolen API keys and conducting reconnaissance to exfiltrate data from targeted organizations.

Severity Level: High

Threat Details

1. Initial Access:

  • Silk Typhoon exploits vulnerabilities in third-party IT solutions, conducts password-spraying attacks, and abuses stolen API keys.
  • Exploited vulnerabilities: Silk Typhoon has a history of leveraging zero-day vulnerabilities, including:
    • CVE-2025-0282 – Ivanti Pulse Connect VPN
    • CVE-2024-3400 – Palo Alto Networks PAN-OS
    • CVE-2023-3519 – Citrix NetScaler Gateway
    • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 – Microsoft Exchange Servers

2. Execution & Persistence:

  • Deploys Web Shells: Installs malicious scripts to execute commands remotely and maintain persistence in compromised servers.
  • Establishes new accounts with admin privileges. Deletes security logs to cover tracks.

3. Privilege Escalation & Lateral Movement:

  • Dumping Active Directory Credentials: Steals admin credentials from compromised identity providers. Exploits AADConnect (Entra Connect) servers for cloud access.
  • Moving from On-Premises to Cloud: Uses stolen credentials to access Microsoft 365, OneDrive, and SharePoint. Exploits service principals for cross-tenant movement.
  • Hijacks Multi-Tenant Applications: Compromises applications with OAuth permissions. Uses existing, trusted apps to evade detection.

4. Data Exfiltration:

  • Uses MSGraph API & Exchange Web Services (EWS) for data extraction. Targets emails related to government policy, legal investigations, and corporate data.
  • Downloads sensitive SharePoint & OneDrive files from compromised Microsoft 365 environments.

5. Command & Control (C2) & Obfuscation:

  • Routes traffic through compromised Cyberoam appliances, Zyxel routers, & QNAP devices.
  • Utilizes short-lease VPS servers for anonymity.

6. Affected sectors:

IT services and infrastructure, remote monitoring and management (RMM) companies, MSPs and affiliates, healthcare, legal services, higher education, defense, government, NGOs, energy, and others.

7. Affected regions:

Worldwide.

Recommendations

  1. Ensure all public-facing devices are patched.
  2. Ensure that VPN access is protected using modern authentication methods.
  3. Validate that any Ivanti Pulse Connect VPN appliances are patched to address CVE-2025-0282 and run the Integrity Checker Tool as suggested in Ivanti's advisory. Consider terminating any active or persistent sessions following patch cycles.
  4. Review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions and understand whether they are still required in the tenant. If they are no longer required, they should be removed.
  5. Identify all multi-tenant apps, assess permissions, & investigate suspicious sign-ins.
  6. Monitor for service principal sign-ins from unusual locations.
  7. Audit the current privilege level of all identities, users, service principals, and Microsoft Graph Data Connect applications (use the Microsoft Graph Data Connect authorization portal) to understand which identities are highly privileged. Scrutinize privileges more closely if they belong to an unknown identity, belong to identities that are no longer in use, or are not fit for purpose.
  8. Inspect log activity related to Entra Connect servers for anomalous activity.
  9. Analyze any observed activity related to use of Microsoft Graph or eDiscovery, particularly for SharePoint or email data exfiltration.
  10. Look for newly created users on devices impacted by vulnerabilities targeted by Silk Typhoon and investigate virtual private network (VPN) logs for evidence of VPN configuration modifications or sign-in activity during the possible window of compromise of unpatched devices.
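Recommendations 4 through 7 are reviews that can be scripted against exports of a tenant's permission grants and service-principal sign-ins. The Python below is an added example written for this advisory, not code from the advisory or from Microsoft. It runs offline over constructed sample records: the field names follow the Microsoft Graph oauth2PermissionGrant, appRoleAssignment and servicePrincipalSignIn shapes, while every identifier, IP address, country code and timestamp in it is invented, and the function names find_ews_permission_holders, unusual_sp_sign_ins and review are this example's own.

```python
"""
Offline review for recommendations 4 to 7: (1) which applications hold the EWS
permissions named in the advisory, and (2) which service principals signed in
from a location outside their baseline. All records are constructed samples;
field names follow the Graph oauth2PermissionGrant, appRoleAssignment and
servicePrincipalSignIn shapes, but every value is invented (assumption).
"""
from collections import defaultdict
from datetime import datetime

# Permissions the advisory asks tenants to review. Exchange Online exposes the
# app-only role as "full_access_as_app"; the advisory writes it with an "EWS."
# prefix, so both spellings are matched.
EWS_REVIEW_PERMISSIONS = {
    "EWS.AccessAsUser.All",    # delegated: act as the signed-in user over EWS
    "EWS.full_access_as_app",  # app-only, as written in the advisory
    "full_access_as_app",      # app-only, as exposed by Exchange Online
}

# Constructed delegated grants; "scope" is a space-separated permission list.
DELEGATED_GRANTS = [
    {"clientId": "sp-mail-archiver", "resourceId": "exchange-online",
     "scope": "EWS.AccessAsUser.All Mail.Read"},
    {"clientId": "sp-helpdesk-portal", "resourceId": "graph",
     "scope": "User.Read Directory.Read.All"},
]

# Constructed app-only assignments, with the role's "value" string joined in.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-legacy-migration", "appRoleValue": "full_access_as_app"},
    {"principalId": "sp-helpdesk-portal", "appRoleValue": "User.Read.All"},
]

# Constructed service principal sign-ins. The first three form the baseline;
# the last is the new-location sign-in the advisory tells defenders to hunt for.
SP_SIGN_INS = [
    {"servicePrincipalId": "sp-mail-archiver", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2025-03-01T08:00:00Z"},
    {"servicePrincipalId": "sp-mail-archiver", "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2025-03-02T08:00:00Z"},
    {"servicePrincipalId": "sp-helpdesk-portal", "ipAddress": "198.51.100.5",
     "location": {"countryOrRegion": "DE"}, "createdDateTime": "2025-03-02T09:00:00Z"},
    {"servicePrincipalId": "sp-mail-archiver", "ipAddress": "192.0.2.77",
     "location": {"countryOrRegion": "XX"}, "createdDateTime": "2025-03-04T03:12:00Z"},
]


def find_ews_permission_holders(delegated, app_roles):
    """Return {service principal id: set of EWS permissions it holds}.
    Delegated scopes and app-only roles are both inspected, because either
    route is enough for mailbox access through EWS."""
    holders = defaultdict(set)
    for grant in delegated:
        for scope in grant["scope"].split():
            if scope in EWS_REVIEW_PERMISSIONS:
                holders[grant["clientId"]].add(scope)
    for assignment in app_roles:
        if assignment["appRoleValue"] in EWS_REVIEW_PERMISSIONS:
            holders[assignment["principalId"]].add(assignment["appRoleValue"])
    return dict(holders)


def _parse_ts(ts):
    # Graph emits UTC timestamps ending in "Z"; normalise to an explicit offset
    # so fromisoformat() accepts them on every supported Python version.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def unusual_sp_sign_ins(sign_ins, baseline_until):
    """Flag sign-ins after baseline_until from a country never seen for that
    service principal during the baseline. A principal with no baseline is
    flagged too, so a brand-new identity is looked at once."""
    cutoff = _parse_ts(baseline_until)
    baseline = defaultdict(set)
    for s in sign_ins:
        if _parse_ts(s["createdDateTime"]) <= cutoff:
            baseline[s["servicePrincipalId"]].add(s["location"]["countryOrRegion"])
    flagged = []
    for s in sign_ins:
        if _parse_ts(s["createdDateTime"]) <= cutoff:
            continue
        seen = baseline.get(s["servicePrincipalId"], set())
        country = s["location"]["countryOrRegion"]
        if country not in seen:
            flagged.append({"servicePrincipalId": s["servicePrincipalId"],
                            "ipAddress": s["ipAddress"], "country": country,
                            "baselineCountries": sorted(seen),
                            "when": s["createdDateTime"]})
    return flagged


def review(delegated=DELEGATED_GRANTS, app_roles=APP_ROLE_ASSIGNMENTS,
           sign_ins=SP_SIGN_INS, baseline_until="2025-03-03T00:00:00Z"):
    """Run both checks; "priority" lists principals that hold EWS access and
    also signed in from a new location, the combination described above."""
    ews = find_ews_permission_holders(delegated, app_roles)
    anomalies = unusual_sp_sign_ins(sign_ins, baseline_until)
    priority = sorted({a["servicePrincipalId"] for a in anomalies} & set(ews))
    return {"ews_holders": ews, "unusual_sign_ins": anomalies, "priority": priority}


if __name__ == "__main__":
    result = review()
    for sp, perms in sorted(result["ews_holders"].items()):
        print(f"[EWS] {sp}: {', '.join(sorted(perms))}")
    for a in result["unusual_sign_ins"]:
        print(f"[SIGN-IN] {a['servicePrincipalId']} from {a['country']} "
              f"({a['ipAddress']}) at {a['when']}; baseline {a['baselineCountries']}")
    print("Priority review:", result["priority"])
```

Country is used as the location key rather than IP address because legitimate cloud workloads rotate addresses while their country rarely changes. Against a real tenant, the three sample lists would be replaced with exports covering several weeks of sign-ins so the baseline is meaningful, and the "priority" list is the place to start the investigation recommendations 6 and 7 call for.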

MITRE ATT&CK

| TACTIC | TECHNIQUE | ID | DETAILS |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Applications | T1190 | Uses zero-day vulnerabilities (e.g., CVE-2025-0282, CVE-2024-3400, CVE-2023-3519) to compromise remote management tools, VPNs, and cloud apps. |
| Initial Access | Valid Accounts | T1078 | Uses stolen credentials from API keys, password spraying, and leaked passwords. |
| Initial Access | Supply Chain Compromise | T1195.002 | Gains access to IT service providers to infiltrate downstream customers. |
| Execution | Web Shells | T1505.003 | Deploys web shells for remote execution and persistence on compromised servers. |
| Execution | Command and Scripting Interpreter | T1059 | Executes malicious PowerShell or Bash scripts for privilege escalation and system reconnaissance. |
| Persistence | Create Account | T1136 | Creates new admin accounts after initial access to maintain persistence. |
| Persistence | Account Manipulation | T1098 | Resets admin passwords, modifies permissions on OAuth apps and Microsoft Graph API access. |
| Persistence | Abuse of Service Principals | T1098.003 | Hijacks OAuth applications for email and data exfiltration. |
| Privilege Escalation | OS Credential Dumping | T1003 | Dumps Active Directory credentials and escalates privileges using AADConnect. |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Uses exploits in cloud services to escalate privileges (e.g., exploiting AADConnect servers). |
| Defense Evasion | Indicator Removal on Host | T1070 | Deletes logs, clears admin activity trails, and resets API keys to avoid detection. |
| Defense Evasion | Rootkit | T1014 | Deploys rootkits in compromised network devices (Zyxel routers, Cyberoam appliances). |
| Credential Access | Credentials from Password Stores | T1555 | Extracts passwords from key vaults, password managers, and Active Directory. |
| Lateral Movement | Exploit Remote Services | T1210 | Exploits unpatched IT infrastructure (VPNs, PAM, cloud management apps). |
| Collection | Email Collection | T1114 | Uses Microsoft Graph API to extract emails from OneDrive, SharePoint, and Exchange. |
| Collection | Data from Cloud Storage | T1530 | Exfiltrates sensitive documents from Microsoft 365, SharePoint, and cloud repositories. |
| Command & Control | Use of Covert Networks | T1090.002 | Routes C2 traffic through compromised routers, VPN appliances, and leased VPS servers. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Sends stolen data through encrypted covert channels (VPNs, proxies). |
| Impact | Data Destruction | T1485 | Modifies or deletes security logs to disrupt forensic analysis. |

Source:

  • https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/