Security researchers have identified a sophisticated Chinese APT group known as Salt Typhoon that has been actively exploiting Microsoft Exchange’s ProxyLogon vulnerabilities to compromise organizations worldwide.
The group, also tracked as FamousSparrow, GhostEmperor, Earth Estries, and UNC2286, has been operational since at least 2019, primarily targeting critical infrastructure in telecommunications and government sectors across the United States, Asia-Pacific, the Middle East, and South Africa.
Since 2020, Salt Typhoon has conducted prolonged espionage campaigns against government entities and Internet Service Providers.
By 2022, they expanded their focus to include service providers supporting government and telecommunication organizations, demonstrating their strategic evolution and persistent nature.
AttackIQ researchers identified that the threat actor employs multiple backdoors and sophisticated hacking tools to maintain persistent access while minimizing detection.
Their technical analysis revealed that Salt Typhoon leverages public cloud and communication services such as GitHub, Gmail, AnonFiles, and File.io to covertly exchange commands and exfiltrate stolen data.
The group’s exploitation of ProxyLogon vulnerabilities represents a serious security concern.
ProxyLogon is a pre-authenticated Remote Code Execution (RCE) exploit chain that allows attackers to compromise any reachable Exchange server without requiring valid credentials, giving them immediate administrative access to vulnerable systems.
A key component of Salt Typhoon’s attack methodology involves PowerShell downgrade attacks to bypass Windows Antimalware Scan Interface (AMSI) logging. This technique allows them to execute malicious code while evading detection by security tools.
Analysis of Salt Typhoon’s TTPs
Salt Typhoon’s arsenal includes several sophisticated techniques for maintaining persistence.
One common method involves registry manipulation, where attackers create entries under “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” to ensure malware executes at system startup.
The group also creates scheduled tasks using commands like:
schtasks /create /tn "test3" /tr "cmd.exe /c powershell.exe -EncodedCommand [base64payload]" /sc daily /st 12:00
For credential theft, the group dumps LSASS memory to extract authentication credentials using the following command:
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump [LSASS_PID] lsass.dmp full
The APT group also engages in lateral movement using WMI, executing commands like:
wmic /node:[target] process call create "powershell -enc [base64payload]"
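The TTPs above (encoded-PowerShell scheduled tasks, the comsvcs.dll MiniDump LSASS dump, WMI remote process creation, the PowerShell v2 downgrade that sidesteps AMSI, and Run-key persistence) all leave a distinctive command line in process-creation telemetry. The following detection script is an added example written for this article and is not code from AttackIQ or from the original report; the event format, field names, rule names and the sample events it runs over are constructed assumptions shaped like simplified Sysmon Event ID 1 / Security 4688 records. It also decodes the -EncodedCommand payload (base64 of UTF-16LE text) so an analyst sees the script text rather than an opaque blob.

```python
"""Flag Salt Typhoon-style command lines in process-creation events.

Added example, not code from the article or from AttackIQ. The event shape,
rule names and SAMPLE_EVENTS are constructed for illustration.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional


def _enc(ps: str) -> str:
    """Encode a PowerShell snippet the way -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode()


# Constructed sample telemetry: benign payloads stand in for real attacker scripts.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "1001", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": f'schtasks /create /tn "test3" /tr "cmd.exe /c powershell.exe '
                f'-EncodedCommand {_enc("Write-Host hello")}" /sc daily /st 12:00'},
    {"pid": "1002", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 lsass.dmp full"},
    {"pid": "1003", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": f'wmic /node:10.0.0.5 process call create "powershell -enc {_enc("Get-Date")}"'},
    {"pid": "1004", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -version 2 -NoProfile -Command Get-Process"},
    {"pid": "1005", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\u.exe"},
    {"pid": "1006", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# -ExecutionPolicy is excluded explicitly so "Bypass" is not mistaken for a payload.
ENCODED_FLAG = re.compile(r"(?i)\s-e(?!xecutionpolicy)[a-z]*\s+([A-Za-z0-9+/=]{16,})")
SCHTASKS_CREATE = re.compile(r"(?i)\bschtasks(?:\.exe)?\b.*?/create\b")
LSASS_MINIDUMP = re.compile(r"(?i)comsvcs\.dll.*\bminidump\b")
WMIC_REMOTE = re.compile(r"(?i)\bwmic(?:\.exe)?\b.*?/node:\S+.*?process\s+call\s+create")
PS_DOWNGRADE = re.compile(r"(?i)\s-v(?:ersion)?\s+2(?:\.0)?(?:\s|$)")  # v2 engine has no AMSI
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\b")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if the flag is absent."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return "<undecodable base64>"
    return raw.decode("utf-16le", errors="replace")


def _finding(event: Dict[str, str], rule: str, detail: str) -> Dict[str, str]:
    return {"pid": event["pid"], "image": event["image"], "rule": rule, "detail": detail}


def analyze(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply every rule to one event; a single event may trigger several rules."""
    cmd = event["cmdline"]
    findings = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(_finding(event, "encoded_powershell", decoded))
        if SCHTASKS_CREATE.search(cmd):
            findings.append(_finding(event, "scheduled_task_encoded_ps", decoded))
    if LSASS_MINIDUMP.search(cmd):
        findings.append(_finding(event, "lsass_dump_comsvcs", cmd))
    if WMIC_REMOTE.search(cmd):
        findings.append(_finding(event, "wmi_remote_process_create", cmd))
    if PS_DOWNGRADE.search(cmd):
        findings.append(_finding(event, "powershell_v2_downgrade", cmd))
    if RUN_KEY.search(cmd):
        findings.append(_finding(event, "run_key_persistence", cmd))
    return findings


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run analyze() over a batch of events and collect all findings."""
    return [f for e in events for f in analyze(e)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f['pid']} rule={f['rule']} detail={f['detail'][:60]}")
```

Run against the constructed sample, the scan yields seven findings across five events and leaves the notepad.exe event clean. In production the same rules would be fed from a SIEM or EDR process-creation stream; the decoded script text is what makes the encoded-PowerShell alert actionable, since the raw base64 tells an analyst nothing.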
Security teams are advised to prioritize patching Exchange servers, monitor for suspicious PowerShell activity, and implement robust detection mechanisms for the identified TTPs to mitigate this evolving threat.