Microsoft Warns of Silk Typhoon Hackers Attacking IT Supply Chain
Posted: Sun Mar 09, 2025 1:10 pm
Source: https://cybersecuritynews.com/microsoft ... n-hackers/

In January 2025, Silk Typhoon was observed exploiting a zero-day vulnerability (CVE-2025-0282) in Ivanti Pulse Connect VPN. Microsoft promptly reported this activity to Ivanti, leading to rapid resolution of the critical exploit.
This action significantly reduced the window during which sophisticated threat actors could leverage the vulnerability.
Once inside a victim network, Silk Typhoon employs sophisticated techniques to move laterally from on-premises environments to cloud infrastructure.
They typically dump Active Directory, steal passwords from key vaults, and escalate privileges. The group has specifically targeted Microsoft Entra Connect servers (formerly AADConnect) to gain access to both on-premises and cloud environments simultaneously.
The hackers have been observed manipulating service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via Microsoft Graph API.
In some cases, they gain access to existing applications that already have consent within the tenant, add their own passwords to these applications, and use this access to steal email information.
They carefully name created applications to blend into the environment by mimicking legitimate services or Office 365 themes.
Microsoft recommends organizations patch all public-facing devices immediately, validate that Ivanti Pulse Connect VPNs are updated to address CVE-2025-0282, audit privilege levels of all identities, monitor service principal sign-ins from unusual locations, and implement strong credential hygiene practices including multi-factor authentication.
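As an added illustration (not part of the article or Microsoft's guidance) of how a defender could hunt for the tradecraft described above, the following correlates two Entra ID signals: a new credential added to an already-consented application holding Graph mail/file permissions, followed by a service-principal sign-in from a country outside that app's baseline. The audit activity names, field names and all sample records are assumptions constructed for the example; map them to your own log export.

```python
# Graph application permissions that enable the mail/OneDrive/SharePoint theft described.
SENSITIVE_GRAPH_ROLES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All"}
# Audit activities that add a password/certificate to an app or service principal (assumed names).
CREDENTIAL_ADD_ACTIVITIES = {"Add service principal credentials",
                             "Update application - Certificates and secrets management"}

# Constructed sample data, not real telemetry. Timestamps are ISO-8601 UTC strings.
APP_INVENTORY = {  # app_id -> Graph application roles already consented in the tenant
    "app-1": {"Mail.Read", "Files.Read.All"},   # mail-sync style app, high value
    "app-2": {"User.Read"},                     # low-privilege app
}
AUDIT_EVENTS = [
    {"time": "2025-01-10T01:12:00Z", "activity": "Add service principal credentials",
     "app_id": "app-1", "actor": "admin@example.test"},
    {"time": "2025-01-10T02:00:00Z", "activity": "Add service principal credentials",
     "app_id": "app-2", "actor": "hr-admin@example.test"},
]
SIGNIN_BASELINE = {"app-1": {"US"}, "app-2": {"US"}}  # countries seen per app in the prior 30 days
SP_SIGNINS = [
    {"time": "2025-01-09T23:00:00Z", "app_id": "app-1", "country": "US", "ip": "203.0.113.5"},
    {"time": "2025-01-10T01:30:00Z", "app_id": "app-1", "country": "NL", "ip": "198.51.100.7"},
    {"time": "2025-01-10T02:10:00Z", "app_id": "app-2", "country": "US", "ip": "203.0.113.9"},
]

def credential_adds_on_sensitive_apps(audit_events, inventory):
    """(app_id, actor, time) for each new credential on an app holding sensitive Graph roles."""
    hits = []
    for ev in audit_events:
        if ev["activity"] in CREDENTIAL_ADD_ACTIVITIES and inventory.get(ev["app_id"], set()) & SENSITIVE_GRAPH_ROLES:
            hits.append((ev["app_id"], ev["actor"], ev["time"]))
    return hits

def unusual_sp_signins(signins, baseline):
    """Service-principal sign-ins from a country outside that app's baseline."""
    return [s for s in signins if s["country"] not in baseline.get(s["app_id"], set())]

def correlate(audit_events, inventory, signins, baseline):
    """App IDs where a sensitive credential add is followed by an unusual sign-in: triage first."""
    first_add = {}
    for app_id, _actor, when in credential_adds_on_sensitive_apps(audit_events, inventory):
        first_add[app_id] = min(when, first_add.get(app_id, when))
    return sorted({s["app_id"] for s in unusual_sp_signins(signins, baseline)
                   if s["app_id"] in first_add and s["time"] >= first_add[s["app_id"]]})
```

The credential-add check alone fires on legitimate secret rotation, so the correlation with an out-of-baseline sign-in after the add is what raises the priority; the first-add timestamp comparison relies on all times being UTC in the same ISO format.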