Full Report
Silk Typhoon (a.k.a. Murky Panda) achieves initial access primarily through exploiting internet-facing appliances (e.g., Citrix NetScaler ADC, CVE-2023-3519) and has also been observed compromising SOHO devices to mask activity. Once inside, the adversary deploys web shells suc...
Analysis Summary
# Threat Actor: Silk Typhoon
## Attribution & Identity
* **Aliases and Associations:** Murky Panda
## Activity Summary
Silk Typhoon's activity, as described in the report, centres on exploiting internet-facing appliances for initial access, deploying web shells, maintaining persistence with custom malware and, most notably, abusing trusted relationships within cloud environments. The group has been observed compromising SaaS providers and Microsoft cloud solution providers by abusing Entra ID application registrations and delegated administration features (DAP/GDAP), then using that upstream foothold to pivot into downstream customer environments.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting internet-facing appliances (e.g., Citrix NetScaler ADC) via known vulnerabilities (e.g., CVE-2023-3519).
- **Initial Access/Evasion:** Compromising SOHO devices to mask activity.
- **Execution/Persistence:** Deploying web shells such as Neo-reGeorg.
- **Command and Control/Persistence:** Utilizing the Golang-based malware family CloudedHope for RAT capabilities, including anti-analysis and obfuscation.
- **Lateral Movement/Privilege Escalation (Cloud Focus):** Exploiting trusted relationships by hijacking service principal secrets or Global Administrator accounts in upstream providers, then using the provider's delegated access (DAP/GDAP) to pivot into downstream customer environments. The actions in the downstream tenant are performed by a legitimately trusted identity, which is what makes this pivot hard to distinguish from routine provider administration.
- **Defense Evasion:** CloudedHope includes anti-analysis and obfuscation measures.
## Targeting
- **Sectors:** SaaS providers, Microsoft cloud solution providers, and downstream customer environments reliant on these providers.
- **Geography:** Not specified in the context provided.
- **Victims:** Downstream customer environments utilizing compromised upstream service providers.
## Tools & Infrastructure
- **Malware Families Used:** Neo-reGeorg (Web Shell), CloudedHope (Golang-based RAT with anti-analysis features).
- **Infrastructure:** Not explicitly detailed beyond the compromised cloud environments and appliance exploitation.
## Implications
The actor poses a significant threat due to their capability to leverage established, trusted relationships (DAP/GDAP) within the cloud supply chain. Successful compromise of upstream providers allows for widespread, low-detection pivoting into numerous downstream customer environments, enabling data exfiltration (specifically noted for email) and privilege escalation.
## Mitigations
- Strict patching and hardening of internet-facing appliances (e.g., Citrix NetScaler ADC).
- Reducing the attack surface by minimizing external exposure of critical infrastructure.
- Reviewing and minimizing the scope of Entra ID application registrations and delegated administrative privileges (DAP/GDAP) that grant broad access across tenant boundaries.
- Monitoring for the use and deployment of web shells and known custom malware families like CloudedHope.
- Implementing strict controls and monitoring around service principal secrets and Global Administrator accounts in cloud environments, in particular alerting on new service principal credentials, new privileged role assignments, and partner-delegated (GDAP) sign-ins from tenants that do not hold an approved relationship.
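The trusted-relationship pivot described under Tactics, Techniques & Procedures and the last two mitigation items share one detection problem: the adversary's actions in the downstream tenant are carried out by an identity the tenant already trusts, so the signal is in what that identity does (adds a service principal credential, grants Global Administrator) and where it comes from (a serviceProvider cross-tenant sign-in from a tenant with no approved GDAP relationship). The script below is an added example written for this page, not code from the report or from any vendor. It runs over constructed, simplified log records whose field names follow the Microsoft Graph `directoryAudit` and `signIn` resources; the `kind` envelope field, the approved-partner allowlist, the customer domain and all tenant IDs, names and addresses are assumptions made for the example, and the `crossTenantAccessType` value `serviceProvider` should be confirmed against your own tenant's sign-in logs before the rule is deployed.

```python
"""Flag Entra ID audit and sign-in records that match a cloud supply-chain pivot.

Added example for this page; the records below are constructed and simplified,
not real telemetry. Field names mirror the Graph directoryAudit / signIn shapes.
"""
import json

# Constructed sample log (one JSON record per line). "kind" is an envelope field
# added for this example so audit and sign-in records can share one stream.
SAMPLE_LOG = r'''
{"kind": "audit", "activityDateTime": "2025-03-02T01:14:09Z", "category": "ApplicationManagement", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"user": {"userPrincipalName": "ops-admin@partner.example"}}, "targetResources": [{"type": "ServicePrincipal", "displayName": "TenantSync-Connector"}]}
{"kind": "audit", "activityDateTime": "2025-03-02T01:16:40Z", "category": "RoleManagement", "activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "ops-admin@partner.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "svc-backup@customer.example"}, {"type": "Role", "displayName": "Global Administrator"}]}
{"kind": "audit", "activityDateTime": "2025-03-02T09:00:00Z", "category": "UserManagement", "activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@customer.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "jdoe@customer.example"}]}
{"kind": "signIn", "createdDateTime": "2025-03-02T01:20:03Z", "userPrincipalName": "ops-admin@partner.example", "homeTenantId": "aaaaaaaa-0000-0000-0000-000000000001", "crossTenantAccessType": "serviceProvider", "ipAddress": "203.0.113.7"}
{"kind": "signIn", "createdDateTime": "2025-03-02T02:05:11Z", "userPrincipalName": "support@other-msp.example", "homeTenantId": "bbbbbbbb-0000-0000-0000-000000000002", "crossTenantAccessType": "serviceProvider", "ipAddress": "198.51.100.9"}
{"kind": "signIn", "createdDateTime": "2025-03-02T08:30:00Z", "userPrincipalName": "jdoe@customer.example", "homeTenantId": "cccccccc-0000-0000-0000-000000000003", "crossTenantAccessType": "none", "ipAddress": "192.0.2.44"}
'''

# Assumptions for the example: the customer's own UPN domain, and the set of partner
# tenants that hold an approved GDAP relationship with this tenant.
CUSTOMER_DOMAIN = "customer.example"
APPROVED_PARTNER_TENANTS = {"aaaaaaaa-0000-0000-0000-000000000001"}

# Roles whose assignment should always page someone.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def parse_log(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _actor(event):
    return event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")


def _via_partner(upn):
    """True when the acting identity lives outside the customer's own domain."""
    return not upn.lower().endswith("@" + CUSTOMER_DOMAIN)


def check_audit(event):
    """Rules for directory audit records: SP credential additions and privileged role grants."""
    findings = []
    name = event.get("activityDisplayName", "")
    targets = event.get("targetResources", [])
    actor = _actor(event)
    if name == "Add service principal credentials":
        sp = next((t.get("displayName") for t in targets if t.get("type") == "ServicePrincipal"), "?")
        findings.append({"rule": "sp-credential-added", "time": event.get("activityDateTime"),
                         "actor": actor, "target": sp, "via_partner": _via_partner(actor)})
    elif name == "Add member to role":
        role = next((t.get("displayName") for t in targets if t.get("type") == "Role"), "")
        member = next((t.get("userPrincipalName") for t in targets if t.get("type") == "User"), "?")
        if role in PRIVILEGED_ROLES:
            findings.append({"rule": "privileged-role-granted", "time": event.get("activityDateTime"),
                             "actor": actor, "target": f"{member} -> {role}",
                             "via_partner": _via_partner(actor)})
    return findings


def check_signin(event, approved_partners):
    """Rule for sign-ins: partner-delegated access from a tenant with no approved relationship."""
    findings = []
    if (event.get("crossTenantAccessType") == "serviceProvider"
            and event.get("homeTenantId") not in approved_partners):
        findings.append({"rule": "unapproved-partner-signin", "time": event.get("createdDateTime"),
                         "actor": event.get("userPrincipalName", "unknown"),
                         "target": event.get("homeTenantId"), "via_partner": True})
    return findings


def scan(log_text, approved_partners=APPROVED_PARTNER_TENANTS):
    """Run every rule over the log and return the findings in log order."""
    findings = []
    for event in parse_log(log_text):
        if event.get("kind") == "audit":
            findings.extend(check_audit(event))
        elif event.get("kind") == "signIn":
            findings.extend(check_signin(event, approved_partners))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "PARTNER" if f["via_partner"] else "local"
        print(f"[{f['rule']}] {f['time']} {tag} actor={f['actor']} target={f['target']}")
```

On the sample, the first two findings come from an actor in the partner domain with an approved relationship; they are exactly the "legitimate identity doing something dangerous" case the report describes, which is why the credential and role rules fire regardless of who the actor is and only tag partner origin. The third finding is the other half of the control: a serviceProvider sign-in from a tenant that is not on the approved list, which in production should be reconciled against the GDAP relationships actually listed in the tenant rather than a hard-coded set.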