A Frontline Report of Chinese Threat Actor Tactics and Techniques

Cyber Security Threat Summary:
Microsoft threat intelligence analysts report that Chinese threat groups are deploying less desktop malware and instead prioritizing the theft of passwords and tokens that grant access to the sensitive systems remote workers use. Since the COVID-19 pandemic, working from home has become the norm, and organizations have granted employees remote access to sensitive systems and resources. Where organizations lack proper enterprise access policies, threat actors have exploited system misconfigurations and unpatched vulnerabilities. In particular, Microsoft has observed Chinese actors such as Nylon Typhoon (formerly NICKEL) exploiting unpatched remote access services and appliances to compromise them. After compromising these systems, the actors run credential dumpers to obtain legitimate credentials, which they then use to log in to victim accounts and move on to higher-value systems.

Security Officer Comments:
Researchers note that Chinese actors focus on edge devices rather than user endpoints, which gives them network access and lets them maintain persistence for longer. These actors use internet-wide search engines such as Shodan and Fofa to locate exposed devices with vulnerabilities that can be exploited for initial access. Virtual private networks (VPNs) are also a popular target, because a VPN reached with stolen credentials eliminates the need for malware: the actors simply connect to the victim network and its systems as a legitimate user.
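When an actor logs in to a VPN with stolen credentials, the only trace is an authentication that looks legitimate, so the check a defender wants is one that compares each login against what is normal for that account. The script below is an added example written for this page; it is not code from the report or from Microsoft. It assumes a constructed log format of "timestamp user src_ip country" (one line per successful VPN authentication), takes the first seven days of the log as each user's baseline, and then flags logins from a country absent from that baseline and logins where the same user appears from two different countries within an hour. The log lines, the baseline window and the one-hour window are all assumptions chosen for the example.

```python
"""Flag VPN logins that look like stolen-credential use.

Added example, not from the original report. Log format (assumed):
    timestamp user src_ip country
Checks performed:
  1. a user authenticating from a country absent from that user's baseline;
  2. the same user seen from two different countries within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not real data).
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice 203.0.113.10 US
2024-03-01T08:05:40Z bob 198.51.100.7 US
2024-03-02T07:58:03Z alice 203.0.113.10 US
2024-03-02T09:14:22Z bob 198.51.100.7 US
2024-03-03T08:01:55Z alice 203.0.113.10 US
2024-03-10T02:13:09Z alice 192.0.2.44 CN
2024-03-10T02:40:30Z alice 203.0.113.10 US
2024-03-11T03:20:17Z bob 192.0.2.91 RU
"""

BASELINE_DAYS = 7                      # assumed: first 7 days of the log define "normal"
CONCURRENCY_WINDOW = timedelta(hours=1)  # assumed: two countries within 1 hour is suspicious


def parse_log(text):
    """Parse 'timestamp user src_ip country' lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "country": country,
        })
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, baseline_days=BASELINE_DAYS):
    """Return (per-user set of countries seen in the baseline window, window end)."""
    baseline = defaultdict(set)
    if not events:
        return baseline, None
    cutoff = events[0]["ts"] + timedelta(days=baseline_days)
    for e in events:
        if e["ts"] < cutoff:
            baseline[e["user"]].add(e["country"])
    return baseline, cutoff


def detect(events, baseline_days=BASELINE_DAYS, window=CONCURRENCY_WINDOW):
    """Return a list of (reason, event) alerts for logins after the baseline window."""
    baseline, cutoff = build_baseline(events, baseline_days)
    alerts = []
    last_by_user = {}  # user -> most recent login seen, for the concurrency check
    for e in events:
        if cutoff is not None and e["ts"] >= cutoff:
            # A user with no baseline at all gets every login flagged; that is intended,
            # since an account never seen on the VPN before deserves a look.
            known = baseline.get(e["user"], set())
            if e["country"] not in known:
                alerts.append(("new-country", e))
            prev = last_by_user.get(e["user"])
            if (prev is not None and prev["country"] != e["country"]
                    and e["ts"] - prev["ts"] <= window):
                alerts.append(("concurrent-countries", e))
        last_by_user[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for reason, e in detect(parse_log(SAMPLE_LOG)):
        print(f"{reason:22} {e['ts'].isoformat()} {e['user']} {e['ip']} {e['country']}")
```

On the constructed log this raises three alerts: alice from CN (a country outside her baseline), alice again from US 27 minutes later (two countries inside the window), and bob from RU. In practice the country field would come from enriching the source IP, and the baseline should be rebuilt on a rolling basis rather than fixed to the start of the log.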

Suggested Correction(s):
Chinese threat actors continue to refine their tactics and techniques, so organizations and security personnel should keep tracking these developments. The observations above point to three concrete corrections: patch internet-facing remote access services and appliances promptly, since unpatched edge devices are the initial access path described; enforce proper enterprise access policies for remote access, since their absence is what lets stolen passwords and tokens reach sensitive systems; and monitor both for credential dumping on compromised hosts and for remote access sessions that use legitimate credentials from unexpected sources.