
Flax Typhoon: A Chinese State-Sponsored Group Exploiting 66 Vulnerabilities to Build a 260k Device Botnet

On September 18th, the FBI, NSA, and Cyber National Mission Force (CNMF) issued a joint advisory about Flax Typhoon, a Chinese state-sponsored actor that leveraged a wide array of vulnerabilities to create a massive botnet, which was dismantled last June.

Author: Yonatan Keller, Analyst Team Lead
Published on September 22, 2024
Blog

Flax Typhoon (also known as UNC5007, Red Juliet, Ethereal Panda, and Storm-0919) first emerged in 2021. The group had flown under the radar due to its primary focus on Taiwanese targets, with additional victims in Hong Kong and parts of Africa. Believed to operate primarily for cyber espionage, Flax Typhoon targeted sectors such as education, IT, and critical infrastructure. According to Microsoft, the group prioritizes stealth by minimizing the use of malware and relying on legitimate software, thereby emphasizing defense evasion over speed.

The now-dismantled botnet, active since 2021, consisted of 260,000 devices globally, almost half of them located in the US. The compromised devices included IoT gadgets, SOHO routers, firewalls, and network storage devices. Many of these devices were no longer supported by their vendors, though some still received updates. The botnet, based on the notorious Mirai malware, hijacked Linux-based IoT devices such as webcams, DVRs, IP cameras, and routers.

To build the botnet, Flax Typhoon exploited 66 known vulnerabilities, 11 of which continue to be actively scanned by malicious actors. Key vulnerabilities exploited by the group include:

  • A recent ServiceNow vulnerability (CVE-2024-5217), exploited last July by multiple threat actors for information theft.
  • The widely used Log4j vulnerability (CVE-2021-44228), which recently experienced a resurgence in exploitation.
  • The infamous Apache ActiveMQ vulnerability (CVE-2023-46604), exploited by Kinsing for cryptojacking and by TellYouThePass and RansomHub for ransomware deployment.
  • Ivanti Sentry and Endpoint Manager vulnerabilities (CVE-2023-38035, CVE-2023-35081), exploited in late 2023 during the wave of Ivanti zero-day attacks.
  • The notorious Citrix NetScaler vulnerability (CVE-2023-3519), widely exploited by major ransomware groups such as INC Ransom and RansomHub.
  • A flaw in Zyxel devices (CVE-2023-28771), exploited in May 2023 as part of the devastating attacks by the GRU-affiliated Sandworm group against 22 Danish energy firms.
  • A flaw in F5 BIG-IP (CVE-2022-1388), recently exploited by the Iranian actor Lemon Sandstorm.

Zafran’s customers are able to monitor their networks’ exposure to the risk posed by Flax Typhoon, so they can spot and mitigate the most serious of these vulnerabilities present in their systems. Moreover, they can adjust their compensating security controls to proactively address the Tactics and Techniques used by the Chinese actor.
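As an added illustration of the exposure check described above (example code written for this post, not Zafran's product or the advisory's own tooling), the snippet below cross-references a constructed vulnerability-scan inventory against the CVEs named in this article and ranks the hits. The ranking rule is an assumption of this example: a finding matters more if the device is reachable from the internet, and more again if its vendor no longer supports it, reflecting the two traits the advisory highlights about the botnet's victims. The asset names, the placeholder CVE-0000-0000 and the scan records are all constructed.

```python
"""Rank scan findings by exposure to the CVEs named in the Flax Typhoon advisory summary."""
from dataclasses import dataclass

# The CVEs highlighted in this article, mapped to the affected product.
FLAX_TYPHOON_CVES = {
    "CVE-2024-5217": "ServiceNow",
    "CVE-2021-44228": "Apache Log4j",
    "CVE-2023-46604": "Apache ActiveMQ",
    "CVE-2023-38035": "Ivanti Sentry",
    "CVE-2023-35081": "Ivanti Endpoint Manager",
    "CVE-2023-3519": "Citrix NetScaler",
    "CVE-2023-28771": "Zyxel",
    "CVE-2022-1388": "F5 BIG-IP",
}


@dataclass(frozen=True)
class Finding:
    """One row of a vulnerability scan: which asset, which CVE, and two context flags."""
    asset: str
    cve: str
    internet_exposed: bool   # reachable from the public internet
    vendor_supported: bool   # still receives vendor patches


def score(finding: Finding) -> int:
    """Return 0 for CVEs outside the advisory list; otherwise 1 plus exposure bonuses.

    Scoring is an assumption of this example, not a published formula:
    +2 if the device is internet-exposed, +1 if the vendor no longer supports it.
    """
    if finding.cve not in FLAX_TYPHOON_CVES:
        return 0
    points = 1
    if finding.internet_exposed:
        points += 2
    if not finding.vendor_supported:
        points += 1
    return points


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Keep only advisory-relevant findings, highest score first (ties by asset, then CVE)."""
    relevant = [f for f in findings if score(f) > 0]
    return sorted(relevant, key=lambda f: (-score(f), f.asset, f.cve))


def describe(finding: Finding) -> str:
    """Human-readable line for a report."""
    product = FLAX_TYPHOON_CVES.get(finding.cve, "not in advisory list")
    return f"{finding.asset}: {finding.cve} ({product}) score={score(finding)}"


# Constructed scan records for demonstration; CVE-0000-0000 is a placeholder for an unrelated CVE.
SAMPLE_FINDINGS = [
    Finding("edge-router-01", "CVE-2023-28771", internet_exposed=True, vendor_supported=False),
    Finding("nas-02", "CVE-2023-28771", internet_exposed=False, vendor_supported=False),
    Finding("ci-build-07", "CVE-2021-44228", internet_exposed=False, vendor_supported=True),
    Finding("vpn-gw-01", "CVE-2023-3519", internet_exposed=True, vendor_supported=True),
    Finding("www-03", "CVE-0000-0000", internet_exposed=True, vendor_supported=False),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(describe(f))
```

Run as-is, it lists the four advisory-relevant findings with the end-of-life, internet-facing Zyxel router first and the unrelated CVE-0000-0000 record dropped. In practice the `Finding` rows would come from a scanner export and the exposure flags from an asset inventory.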
