A Chinese state-sponsored hacking group known as Murky Panda (Silk Typhoon) exploits trusted relationships in cloud environments to gain initial access to the networks and data of downstream customers.
Murky Panda, also known as Silk Typhoon (Microsoft) and Hafnium, is known for targeting government, technology, academic, legal, and professional services organizations in North America.
The hacking group, under its numerous names, has been linked to numerous cyberespionage campaigns, including the wave of Microsoft Exchange breaches in 2021 that utilized the ProxyLogon vulnerability. More recent attacks, include those on the U.S. Treasury's Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment.
In March, Microsoft reported that Silk Typhoon had begun targeting remote management tools and cloud services in supply chain attacks to gain access to downstream customers' networks.
Exploiting trusted cloud relationships
Murky Panda commonly gains initial access to corporate networks by exploiting internet-exposed devices and services, such as the CVE-2023-3519 flaw in Citrix NetScaler devices, ProxyLogin in Microsoft Exchange, and CVE-2025-0282 in Ivanti Pulse Connect VPN.
However, a new report by CrowdStrike demonstrates how the threat actors are also known to compromise cloud service providers to abuse the trust these companies have with their customers.
Because cloud providers are sometimes granted built-in administrative access to customer environments, attackers who compromise them can abuse this trust to pivot directly into downstream networks and data.
In one case, the hackers exploited zero-day vulnerabilities to break into a SaaS provider's cloud environment. They then gained access to the provider's application registration secret in Entra ID, which allowed them to authenticate as a service and log into downstream customer environments. Using this access, they were able to read customers' emails and steal sensitive data.
In another attack, Murky Panda compromised a Microsoft cloud solution provider with delegated administrative privileges (DAP). By compromising an account in the Admin Agent group, the attackers gained Global Administrator rights across all downstream tenants. They then created backdoor accounts in customer environments and escalated privileges, enabling persistence and the ability to access email and application data.
... continue reading