Cyber security agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the UK and the US have issued joint guidance on a China-linked cyber espionage group called APT40, warning of its ability to co-opt exploits for newly disclosed security flaws within hours or days of their public release.
“APT 40 has previously targeted organizations in various countries, including Australia and the United States,” the agencies said. “Notably, APT 40 has the ability to rapidly transform and adapt proofs-of-concept (PoCs) for vulnerabilities for targeting, reconnaissance and exploitation.”
The adversarial collective, also known as Bronze Mohawk, Gingham Typhoon (formerly Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423 and TEMP.Periscope, is known to have been active since at least 2013, carrying out cyber attacks against entities in the Asia-Pacific region. It is believed to be based in Haikou.
In July 2021, the US and its allies formally attributed the group to China’s Ministry of State Security (MSS), accusing several of its members of orchestrating a multi-year campaign targeting various sectors to facilitate the theft of trade secrets, intellectual property and sensitive information.
Over the past few years, APT40 has been associated with waves of intrusions that deliver the ScanBox reconnaissance framework, as well as with the exploitation of a security flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) in a phishing campaign targeting Papua New Guinea to deliver a backdoor called BOXRAT.
Then, in March of this year, the New Zealand government implicated the threat actor in the 2021 compromise of the Parliamentary Board and the Parliamentary Service.
“APT40 identifies new exploits within widely used open source software such as Log4j, Atlassian Confluence, and Microsoft Exchange to target the infrastructure of the associated vulnerability,” the authoring agencies said.
“APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance allows the group to identify vulnerable, obsolete or no-longer-maintained devices in networks of interest and to rapidly deploy exploits.”
Prominent among the tradecraft used by the state-sponsored hacking group are the deployment of web shells to establish and maintain access to the victim’s environment, and the use of Australian websites for command-and-control (C2) purposes.
It has also been observed incorporating outdated or unpatched devices, including small office/home office (SOHO) routers, into its attack infrastructure in an attempt to relay malicious traffic and evade detection, an operational style similar to that used by other China-based groups, such as Volt Typhoon.
Attack chains also include reconnaissance, privilege escalation and lateral movement using Remote Desktop Protocol (RDP) to steal credentials and exfiltrate information of interest.
To mitigate the risks posed by such threats, it is recommended to implement appropriate logging mechanisms, enforce multi-factor authentication (MFA), implement a robust patch management system, replace end-of-life hardware, disable unused services, ports and protocols, and segment networks to prevent access to sensitive data.