Cautionary Messages by Cybersecurity Agencies Regarding APT40’s Swift Adaptation to Exploits

Jul 09, 2024NewsroomCyber Espionage / Threat Intelligence


A joint advisory has been issued by cybersecurity agencies in Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. regarding APT40, a cyber espionage group tied to China, warning of its ability to weaponize newly disclosed security vulnerabilities almost immediately after they become public.

The joint statement disclosed that “APT 40 has previously aimed at various organizations worldwide, including in Australia and the United States. Particularly noteworthy is APT 40’s agility in converting and utilizing proof-of-concept (PoCs) for vulnerabilities for the purpose of targeting, reconnaissance, and exploitation operations.”

This group, also known by aliases such as Bronze Mohawk, Gingham Typhoon (previously Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, has been operational since at least 2013, carrying out cyber assaults on entities in the Asia-Pacific area. It is believed to operate from Haikou.


Back in July 2021, the U.S. and its allies publicly assigned responsibility to this group as linked to China’s Ministry of State Security (MSS), indicting multiple members of the hacking gang for orchestrating a prolonged campaign aimed at various sectors in order to steal trade secrets, intellectual property, and significant data.

Recent years have seen APT40 engaged in intrusion campaigns that employed the ScanBox reconnaissance framework and exploited a security vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) as part of a phishing drive targeting Papua New Guinea to distribute a backdoor known as BOXRAT.

Additionally, in March of this year, the New Zealand government implicated the threat actor in the breach of the Parliamentary Counsel Office and the Parliamentary Service in 2021.

“APT40 actively looks for new vulnerabilities within commonly used public software like Log4j, Atlassian Confluence, and Microsoft Exchange to strike at vulnerable systems,” highlighted the agencies involved in crafting the statement.


“APT40 routinely performs reconnaissance on networks of interest, which include networks in the countries of the issuing agencies, with the aim of identifying vulnerable, out-of-date, or no longer supported devices on networks of interest, and quickly leveraging exploits for exploitation.”

Of particular interest in the tactics used by this state-linked hacking group is the usage of web shells for establishing persistence and maintaining access within the victim’s environment, along with the utilization of Australian websites for command-and-control (C2) operations.


There have been instances where outdated or unpatched devices, including small-office/home-office (SOHO) routers, were incorporated into its attack infrastructure to redirect malicious traffic and avoid detection, adopting an operational model similar to that observed in other groups based in China such as Volt Typhoon.

These attack sequences entail executing reconnaissance, escalating privileges, and moving laterally using the remote desktop protocol (RDP) to capture credentials and siphon off critical information.
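Lateral movement over RDP leaves a distinctive trail in Windows Security logs: each successful remote desktop session on a destination host is a logon event 4624 with logon type 10 (RemoteInteractive). The detector below is an added example, not code from the advisory: it reads a constructed, newline-delimited JSON rendering of such events, groups successful RDP logons by account and source address, and raises an alert when one pair reaches a threshold of distinct destination hosts inside a sliding time window. The window of ten minutes, the threshold of three hosts and the sample events are all assumptions made for the demonstration.

```python
"""Added example: detect one account fanning out over RDP to many hosts."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: minimal JSON rendering of Windows Security events.
# EventID 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """
{"TimeCreated": "2024-07-01T02:00:05Z", "EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23", "Computer": "FS01"}
{"TimeCreated": "2024-07-01T02:01:10Z", "EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.0.8.40", "Computer": "WS11"}
{"TimeCreated": "2024-07-01T02:02:30Z", "EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23", "Computer": "DC01"}
{"TimeCreated": "2024-07-01T02:03:00Z", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23", "Computer": "SHARE01"}
{"TimeCreated": "2024-07-01T02:04:45Z", "EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23", "Computer": "APP02"}
{"TimeCreated": "2024-07-01T02:05:20Z", "EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.0.8.40", "Computer": "WS11"}
{"TimeCreated": "2024-07-01T02:06:00Z", "EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23", "Computer": "HR01"}
{"TimeCreated": "2024-07-01T02:30:00Z", "EventID": 4625, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "10.0.9.9", "Computer": "WS20"}
"""


def parse_events(text):
    """Parse one JSON object per line and return events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_fanout(text, window_minutes=10, threshold=3):
    """Alert when (account, source IP) reaches `threshold` distinct RDP
    destinations within a sliding window of `window_minutes`.

    Network logons (type 3) and failures (4625) are deliberately ignored:
    the signal here is interactive sessions that actually succeeded.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (account, ip) -> deque of (ts, host)
    alerts, alerted = [], set()
    for ev in parse_events(text):
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
            continue
        key = (ev["TargetUserName"].lower(), ev["IpAddress"])
        q = recent[key]
        q.append((ev["ts"], ev["Computer"]))
        # Drop entries that fell out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {host for _, host in q}
        if len(hosts) >= threshold and key not in alerted:
            alerted.add(key)  # one alert per pair, not one per extra host
            alerts.append({
                "account": key[0],
                "source_ip": key[1],
                "hosts": sorted(hosts),
                "window_start": q[0][0].isoformat(),
                "window_end": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_fanout(SAMPLE_EVENTS):
        print(alert)
```

On the sample, `svc_backup` from `10.0.5.23` is reported once, with destinations `APP02`, `DC01` and `FS01`, at the moment the third host is reached; the later `HR01` logon does not generate a second alert, and the workstation user `alice` never crosses the threshold. Service accounts that legitimately touch many hosts will need an allow-list, and the same grouping key works for Linux SSH logons if the events are normalized to the same fields.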

To mitigate the risks posed by such threats, it is recommended to enforce thorough logging measures, enable multi-factor authentication (MFA), establish a robust system for patch management, replace outdated equipment, deactivate unused services, ports, and protocols, and segment networks to prevent unauthorized access to sensitive data.
