Getty Images/iStockphoto
Governments issue warning on China's APT40 attacks
Government agencies say APT40 continues to pose significant risk to organizations across the globe by exploiting vulnerabilities in public-facing applications.
The Chinese state-sponsored threat group known as APT40 is targeting Australian government and private sector networks, a joint agency advisory warned on Monday.
The Australian Cyber Security Centre (ACSC) led the release of an APT40 advisory co-authored by CISA, the FBI, the National Security Agency, the U.K.'s National Cyber Security Centre and several other agencies in Germany, New Zealand, Japan and Korea. The advisory detailed APT40's ongoing threat to Australian networks and provided examples of intrusions.
While ongoing attacks from the Chinese advanced persistent threat (APT) group are targeting Australia-based organizations, the malicious activity is not new. The authoring agencies observed similar tactics, techniques and procedures (TTPs) from APT40 to target organizations in various countries, including the U.S., over the years.
The advisory warned that APT40 poses an ongoing threat to several countries. Threat actors have been observed exploiting known vulnerabilities as well as compromising small office/home office devices, a tactic used by other actors such as the Chinese nation-state threat group Volt Typhoon.
"Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability," CISA wrote in the advisory. "ASD's [Australian Signals Directorate] ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release."
The advisory warned that APT40 has successfully exploited vulnerabilities from as early as 2017 against targeted victims. For example, the threat group was observed exploiting Log4Shell, a critical zero-day vulnerability in the widely used Java framework Log4j; an Atlassian Confluence vulnerability tracked as CVE-2021-31207; and three Microsoft Exchange flaws commonly known as ProxyShell. Log4Shell, which was assigned CVE-2021-44228, was one of the most exploited flaws in 2021, but the threat continued for years as organizations remained unpatched.
The authoring agencies warned that APT40 "regularly conducts reconnaissance against networks of interest" and waits for an opportunity to arise.
"This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits," the advisory said.
The authoring agencies noted that APT40 prioritizes obtaining valid credentials and prefers to exploit vulnerabilities in public-facing systems rather than leveraging techniques that require user interaction, such as phishing campaigns. In addition to conducting reconnaissance, the threat group uses web shells to maintain persistence on victim environments.
While tracking the malicious activity, ACSC observed the threat group's techniques evolve over time. Initially, APT40 used compromised Australian websites as command and control hosts for its operations. Now, it has turned to compromised devices that contain vulnerabilities.
"APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors for its operations in Australia. This has enabled the authoring agencies to better characterize and track this group's movements," the advisory said.
The advisory warned that many SOHO devices involved in attacks are unpatched or have reached end-of-life status. Compromising such devices enables attackers to "blend in with legitimate traffic and challenge network defenders."
Case studies
In addition to APT40's TTPs, the advisory provided two case study examples. During mid-August 2022, ACSC was engaged in incident response for an unnamed organization in an attack that was attributed to APT40.
ACSC discovered that the threat group exfiltrated data that included privileged authentication credentials, as well as network information the actors could have used to regain unauthorized access if the original access vector was blocked. The threat group built its own map of the network and used the credentials to move laterally throughout the victim's environment. ACSC stressed that APT40 specifically targeted the victim organization.
"In mid-August 2022, the ASD's ACSC notified the organization that a confirmed malicious IP believed to be affiliated with a state-sponsored cyber group had interacted with the organization's computer networks between at least July and August. The compromised device probably belonged to a small business or home user," the advisory said.
The second case study examined an attack that occurred between April and May 2022. Like the advisory warned, APT40 targeted a public-facing application and used a web shell to maintain persistence. ACSC warned that the threat group likely exploited remote code execution, privilege escalation and authentication bypass vulnerabilities to gain initial access to the victim's network. During the intrusion, the attacker also captured MFA tokens and used them to impersonate authorized users.
The authoring agencies urged enterprises to implement effective logging, patch management and MFA protocols, as well as network segmentation.
"Most exploits utilized by the actor were publicly known and had patches or mitigations available," the advisory said. "Organizations should ensure that security patches or mitigations are applied to internet facing infrastructure within 48 hours, and where possible, use the latest versions of software and operating systems."
In 2021, the Department of Justice unsealed an indictment against alleged members of APT40. The four members were accused of targeting victims worldwide in a variety of sectors, including aviation, government and healthcare, for financial gains.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.