Dark swirling storm clouds with digital network overlay representing Silk Typhoon attacks across multicloud environments.

Silk Typhoon (Murky Panda) Exploits Zero-Day Flaws to Pivot Across the Cloud

Introduction
Silk Typhoon, also known as Murky Panda, is a Chinese state-linked espionage group that has been targeting North American government agencies, technology firms and other organizations. CrowdStrike and Cybersecurity Dive reported that this threat actor recently exploited multiple zero-day flaws in Citrix NetScaler and Commvault products to gain access to the cloud environments of software-as-a-service (SaaS) providers.

Exploiting Zero-Day Flaws to Breach the Cloud

  • Silk Typhoon used flaws such as CVE-2023-3519 in Citrix NetScaler ADC/Gateway and CVE-2025-3928 in Commvault devices to break into providers and pivot into customer environments.
  • The attackers also exploited other internet-facing appliances and compromised small-office and home-office routers to gain initial access.
  • Once inside, they abused “trusted” relationships in cloud platforms. CrowdStrike observed the group abusing Entra ID service principals and delegated access permissions to move downstream into customer environments.

Trusted-Relationship Abuse and Supply-Chain Risks
Unlike many APTs, Silk Typhoon goes deep into the cloud. By gaining the application registration secret for a SaaS provider’s Entra ID integration, the attackers could access downstream customers without being detected. In another case, they compromised a Microsoft cloud solutions provider and used its delegated administrative privileges to access a customer’s environment.

Defending Against Murky Panda
Organizations using cloud and SaaS services should:

  • Patch quickly: Apply available updates for Citrix NetScaler, Commvault and other critical edge devices.
  • Limit cloud privileges: Review and restrict the use of delegated admin privileges in Entra ID and other identity providers.
  • Monitor service principals: Audit application registrations and monitor usage of service principal credentials to detect abuse.
  • Secure routers and appliances: Harden and monitor small-office routers and internet-facing appliances that can provide initial access.
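
The two identity-focused recommendations above, and the trusted-relationship abuse described in the previous section, come down to one detection question: did an application registration gain a new secret, and was that application then used from somewhere it has never been seen before? The script below is an added example, not code from the article, CrowdStrike or Cybersecurity Dive. It runs offline over constructed records whose field and activity names only loosely follow the Microsoft Graph directory-audit and service-principal sign-in schemas (those names, the IP baseline and the 24-hour window are assumptions), and it correlates credential changes with sign-ins from non-baselined addresses.

```python
from datetime import datetime, timedelta

# Constructed directory-audit records. Field names are an assumption loosely
# modelled on the Microsoft Graph directoryAudits schema; real records carry
# many more fields and the activity names may differ between tenants.
AUDIT_LOGS = [
    {"activityDateTime": "2025-08-20T02:14:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": "svc-admin@provider.example",
     "targetApp": "provider-saas-integration"},
    {"activityDateTime": "2025-08-20T02:16:00Z",
     "activityDisplayName": "Add delegated permission grant",
     "initiatedBy": "svc-admin@provider.example",
     "targetApp": "provider-saas-integration"},
    {"activityDateTime": "2025-08-20T09:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": "helpdesk@provider.example",
     "targetApp": None},
]

# Constructed service-principal sign-in records (assumed shape, loosely
# modelled on the Microsoft Graph servicePrincipalSignIns schema).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SIGN_INS = [
    {"createdDateTime": "2025-08-20T01:00:00Z",
     "servicePrincipalName": "provider-saas-integration",
     "ipAddress": "203.0.113.10", "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2025-08-20T02:40:00Z",
     "servicePrincipalName": "provider-saas-integration",
     "ipAddress": "198.51.100.77", "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2025-08-20T03:00:00Z",
     "servicePrincipalName": "billing-sync",
     "ipAddress": "203.0.113.20", "resourceDisplayName": "Microsoft Graph"},
]

# Constructed baseline: egress addresses each service principal is known to use.
BASELINE_IPS = {
    "provider-saas-integration": {"203.0.113.10"},
    "billing-sync": {"203.0.113.20"},
}

# Audit activities worth watching. The set is an assumption; extend it to
# match the activity names your tenant actually emits.
CREDENTIAL_EVENTS = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
}
DELEGATION_EVENTS = {"Add delegated permission grant", "Consent to application"}


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_changes(audit_logs):
    """(app, initiator, time) for every credential add/rotate on an app registration."""
    return [(r["targetApp"], r["initiatedBy"], r["activityDateTime"])
            for r in audit_logs if r["activityDisplayName"] in CREDENTIAL_EVENTS]


def delegation_changes(audit_logs):
    """(app, initiator, time) for every new delegated permission or consent."""
    return [(r["targetApp"], r["initiatedBy"], r["activityDateTime"])
            for r in audit_logs if r["activityDisplayName"] in DELEGATION_EVENTS]


def unbaselined_signins(sign_ins, baseline):
    """Service-principal sign-ins from an address outside that principal's baseline."""
    return [s for s in sign_ins
            if s["ipAddress"] not in baseline.get(s["servicePrincipalName"], set())]


def correlate(audit_logs, sign_ins, baseline, window=timedelta(hours=24)):
    """Escalate apps that received a new credential and were then used from a
    non-baselined address within `window`: the pattern the article describes,
    a stolen or freshly added app secret exercised from unfamiliar infrastructure."""
    findings = []
    for app, who, when in credential_changes(audit_logs):
        t0 = _ts(when)
        for s in unbaselined_signins(sign_ins, baseline):
            if s["servicePrincipalName"] == app and t0 <= _ts(s["createdDateTime"]) <= t0 + window:
                findings.append({"app": app, "credential_added_by": who,
                                 "credential_added_at": when,
                                 "signin_from": s["ipAddress"],
                                 "signin_at": s["createdDateTime"]})
    return findings


if __name__ == "__main__":
    for f in correlate(AUDIT_LOGS, SIGN_INS, BASELINE_IPS):
        print("HIGH: new app credential followed by sign-in from unbaselined address:", f)
    for app, who, when in delegation_changes(AUDIT_LOGS):
        print(f"REVIEW: delegated permission change on {app} by {who} at {when}")
```

In a real deployment the three constants would be replaced by a pull from the audit and sign-in APIs and a baseline built from a few weeks of history; the correlation logic stays the same. Treating delegation changes as review items rather than alerts reflects the article's advice to audit and restrict delegated privileges: those events are legitimate often enough that they need a human owner, while a credential change paired with a sign-in from an unknown address rarely is.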

Conclusion
Silk Typhoon’s ability to exploit zero-day flaws, abuse cloud trust relationships and pivot across multi-cloud environments highlights the growing risks posed by state-linked threat actors. By patching devices, restricting delegated privileges and monitoring identity infrastructure, organizations can disrupt these attack chains and make it harder for Murky Panda to slip through the cracks.

Sources
[1] Cybersecurity Dive report on Silk Typhoon’s zero-day attacks.
[2] CrowdStrike commentary on trusted-relationship abuse and Entra ID exploitation.