Microsoft Threat Intelligence has identified a significant shift in tactics by Silk Typhoon, a Chinese state-sponsored espionage group that has begun targeting common IT solutions, including remote management tools and cloud applications, to gain initial access to organizational networks. Microsoft recommends that organizations patch all public-facing devices immediately, validate that Ivanti Pulse Connect VPNs are updated to address CVE-2025-0282, audit the privilege levels of all identities, monitor service principal sign-ins from unusual locations, and implement strong credential hygiene practices, including multi-factor authentication.

Since late 2024, Silk Typhoon has been observed abusing stolen API keys and credentials associated with privileged access management (PAM), cloud app providers, and cloud data management companies. The group has specifically targeted Microsoft Entra Connect servers (formerly AADConnect) to gain access to both on-premises and cloud environments simultaneously. The hackers have been observed manipulating service principals and OAuth applications with administrative permissions to exfiltrate email, OneDrive, and SharePoint data via the Microsoft Graph API. Microsoft researchers note that after successfully stealing API keys, the hackers access downstream customers and tenants, perform reconnaissance, collect sensitive data, and implant web shells for persistence.
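Two of the recommendations above, monitoring service principal sign-ins from unusual locations and auditing the privileges of identities, can be combined into one triage check: surface the service principals that hold Graph permissions broad enough to bulk-read mail, OneDrive or SharePoint data and that have also just signed in from a place they never have before. The following is an added example, not code from Microsoft or the article; the record layout, app ids, countries and permission grants are constructed, and real Entra ID sign-in logs use a different schema.

```python
"""Added example (not from the article): flag risky service-principal activity.
All record fields, app ids, countries and grants are constructed; real Entra ID
sign-in logs use a different schema. The Graph permission names are real."""
from collections import defaultdict

# Graph application permissions that allow bulk reads of the mail, OneDrive and
# SharePoint data the article says was exfiltrated via the Graph API.
SENSITIVE_GRAPH_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                               "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"}

# Constructed history of service-principal sign-ins used to learn a baseline.
HISTORY = [{"app_id": "sp-001", "ip_country": "US"},
           {"app_id": "sp-001", "ip_country": "US"},
           {"app_id": "sp-002", "ip_country": "DE"}]

# Constructed new sign-ins to evaluate against that baseline.
NEW_SIGNINS = [{"app_id": "sp-001", "ip_country": "US"},
               {"app_id": "sp-001", "ip_country": "XX"},  # never seen for sp-001
               {"app_id": "sp-003", "ip_country": "DE"}]  # app with no history at all

# Constructed application permissions granted to each service principal.
GRANTED_PERMISSIONS = {"sp-001": {"User.Read.All", "Mail.Read", "Sites.Read.All"},
                       "sp-002": {"User.Read.All"},
                       "sp-003": {"Files.ReadWrite.All"}}

def build_baseline(history):
    """Map each service principal to the set of countries it has signed in from."""
    baseline = defaultdict(set)
    for rec in history:
        baseline[rec["app_id"]].add(rec["ip_country"])
    return dict(baseline)

def unusual_location_signins(signins, baseline):
    """(app_id, country) pairs for sign-ins outside that app's baseline; an app
    with no history at all is flagged too, since it is new to the tenant."""
    return [(r["app_id"], r["ip_country"]) for r in signins
            if r["ip_country"] not in baseline.get(r["app_id"], set())]

def over_privileged_apps(granted):
    """{app_id: sorted sensitive Graph permissions} for apps able to bulk-read data."""
    return {app: sorted(p & SENSITIVE_GRAPH_PERMISSIONS)
            for app, p in granted.items() if p & SENSITIVE_GRAPH_PERMISSIONS}

def prioritize(signins, baseline, granted):
    """Apps that are both over-privileged and signing in from an unusual location."""
    unusual = {app for app, _ in unusual_location_signins(signins, baseline)}
    return sorted(unusual & set(over_privileged_apps(granted)))
```

In a real tenant the baseline would be built from a longer sign-in history window and the grants pulled from the app role assignments of each service principal; the combination is what narrows a long list of anomalous sign-ins to the ones worth an analyst's time first.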
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 05 Mar 2025 16:15:14 +0000