Security researchers are warning about a surge in cyberattacks linked to the China-based threat actor Silk Typhoon (also known as Murky Panda), which has been actively targeting government agencies, technology firms, and SaaS providers across North America.
According to a new report from CrowdStrike, the group is exploiting vulnerabilities in internet-facing Citrix and Commvault products, including zero-days, to gain an initial foothold, move into cloud environments, and pivot from compromised providers into downstream customer tenants.
Exploiting Critical Flaws
Silk Typhoon has leveraged several high-risk vulnerabilities, including:
- CVE-2023-3519 – unauthenticated remote code execution in Citrix NetScaler ADC and NetScaler Gateway
- CVE-2025-3928 – a flaw in Commvault Web Server that lets a remote, authenticated attacker create and execute web shells
The group has also compromised small office/home office (SOHO) routers for infrastructure and abused Microsoft Entra ID (formerly Azure AD) service principals and delegated administrative permissions to extend intrusions beyond the initially breached tenant.
Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, explained:
“What makes this group concerning is its ability to compromise trusted cloud and SaaS relationships to move downstream into customer environments. We’ve seen them turn identity infrastructure into a launchpad.”
Cloud-to-Customer Attacks
In one intrusion, Silk Typhoon obtained the secret of an application registration in Entra ID and used it to authenticate as that application, giving it a path into the downstream customer environments the application was trusted by.
In another, the group breached a Microsoft Cloud Solution Provider (CSP) and used the provider's delegated administrative privileges (DAP) to reach its customers' tenants.
Defensive Measures
CrowdStrike advises organizations to:
- Patch internet-facing Citrix, Commvault, and similar edge appliances promptly, prioritizing the CVEs above, and treat any device that was exposed while unpatched as potentially compromised
- Harden cloud identity configurations: inventory application registrations and service principals, rotate or remove stale credentials, and restrict delegated admin permissions (replacing broad DAP with scoped GDAP where possible)
- Monitor for unusual activity across SaaS platforms and edge devices, in particular new credentials added to applications, service principal sign-ins from unfamiliar sources, and partner-initiated administrative actions
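The detection that follows is an added example, not code from CrowdStrike or Microsoft, and it illustrates the monitoring advice above as well as the Entra ID secret abuse described under "Cloud-to-Customer Attacks": a secret or certificate is added to an application, and shortly afterwards the application signs in as a service principal from a source it never used before. Record shapes only loosely follow Microsoft Graph's `auditLogs/directoryAudits` and `servicePrincipalSignIns` objects (assumption: just the few fields used here), and both record sets are assumed to already carry the application's client ID as `appId`; in a real tenant the audit target is an object ID that must first be resolved. All sample records are constructed.

```python
"""Hunt for newly added app credentials followed by service principal sign-ins
from unfamiliar sources. Added example; record shapes approximate Microsoft
Graph directoryAudits / servicePrincipalSignIns (assumption), and both record
sets are assumed to be keyed on the application's client ID as "appId"."""

from collections import defaultdict
from datetime import datetime, timedelta

# Entra audit activities that attach a new secret/certificate to an app or its SP.
CREDENTIAL_ADD_ACTIVITIES = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
}


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def credential_adds(audit_records):
    """Yield (appId, when, actor) for every credential addition in the audit log."""
    for rec in audit_records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ADD_ACTIVITIES:
            continue
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        yield rec["appId"], parse_ts(rec["activityDateTime"]), user.get("userPrincipalName", "unknown")


def find_new_source_signins(audit_records, signin_records, window_hours=72):
    """Return alerts for SP sign-ins that occur within `window_hours` after a
    credential was added to the same app AND come from an IP that app had never
    signed in from before the credential was added (its baseline)."""
    signins_by_app = defaultdict(list)
    for s in signin_records:
        signins_by_app[s["appId"]].append((parse_ts(s["createdDateTime"]), s["ipAddress"], s))

    alerts = []
    for app_id, added_at, actor in credential_adds(audit_records):
        history = signins_by_app.get(app_id, [])
        baseline = {ip for when, ip, _ in history if when < added_at}
        deadline = added_at + timedelta(hours=window_hours)
        for when, ip, rec in history:
            if added_at <= when <= deadline and ip not in baseline:
                alerts.append({
                    "appId": app_id,
                    "credentialAddedBy": actor,
                    "credentialAddedAt": added_at.isoformat(),
                    "signInAt": when.isoformat(),
                    "newSourceIp": ip,
                    "resource": rec.get("resourceDisplayName"),
                })
    return alerts


# --- constructed sample data (not real tenant logs) ---------------------------
AUDIT = [
    {"activityDisplayName": "Update application – Certificates and secrets management",
     "activityDateTime": "2025-08-01T09:15:00Z", "appId": "app-backup-sync",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}},
    {"activityDisplayName": "Update application",  # unrelated change, ignored
     "activityDateTime": "2025-08-01T10:00:00Z", "appId": "app-backup-sync",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}},
]
SIGNINS = [
    # routine automation from the corporate egress before the new secret existed
    {"appId": "app-backup-sync", "createdDateTime": "2025-07-30T01:00:00Z",
     "ipAddress": "203.0.113.10", "resourceDisplayName": "Microsoft Graph"},
    {"appId": "app-backup-sync", "createdDateTime": "2025-07-31T01:00:00Z",
     "ipAddress": "203.0.113.10", "resourceDisplayName": "Microsoft Graph"},
    # same egress after the change: expected, not alerted
    {"appId": "app-backup-sync", "createdDateTime": "2025-08-02T01:00:00Z",
     "ipAddress": "203.0.113.10", "resourceDisplayName": "Microsoft Graph"},
    # never-seen source two hours after the new secret: alert
    {"appId": "app-backup-sync", "createdDateTime": "2025-08-01T11:42:00Z",
     "ipAddress": "198.51.100.77", "resourceDisplayName": "Microsoft Graph"},
    # new source but outside the window: not tied to this credential add
    {"appId": "app-backup-sync", "createdDateTime": "2025-08-09T11:42:00Z",
     "ipAddress": "198.51.100.88", "resourceDisplayName": "Microsoft Graph"},
]

if __name__ == "__main__":
    for alert in find_new_source_signins(AUDIT, SIGNINS):
        print(alert)
```

The baseline is computed per application from sign-ins that predate the credential change, so a legitimate secret rotation that keeps using the same egress stays quiet while a stolen or newly planted secret used from attacker infrastructure is surfaced together with the account that added it. In practice the same join can be expressed as a scheduled query against the audit and service principal sign-in tables, with the window tuned to how quickly the environment rotates credentials.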
The campaign underscores how nation-state actors are increasingly targeting cloud and SaaS ecosystems, exploiting trusted provider relationships so that a single compromised provider or application identity yields access to many downstream customers.