Governments issue warning on China's APT40 attacks

The Chinese state-sponsored threat group known as APT40 is targeting Australian government and private sector networks, a joint agency advisory warned on Monday.

The Australian Cyber Security Centre (ACSC) led the release of an APT40 advisory co-authored by CISA, the FBI, the National Security Agency, the U.K.'s National Cyber Security Centre and several other agencies in Germany, New Zealand, Japan and Korea. The advisory detailed APT40's ongoing threat to Australian networks and provided examples of intrusions.

While ongoing attacks from the Chinese advanced persistent threat (APT) group are targeting Australia-based organizations, the malicious activity is not new. The authoring agencies observed similar tactics, techniques and procedures (TTPs) from APT40 to target organizations in various countries, including the U.S., over the years.

The advisory warned that APT40 poses an ongoing threat to several countries. Threat actors have been observed exploiting known vulnerabilities as well as compromising small office/home office devices, a tactic used by other actors such as the Chinese nation-state threat group Volt Typhoon.

"Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability," CISA wrote in the advisory. "ASD's [Australian Signals Directorate] ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release."

The advisory warned that APT40 has successfully exploited vulnerabilities from as early as 2017 against targeted victims. For example, the threat group was observed exploiting Log4Shell, a critical zero-day vulnerability in the widely used Java framework Log4j; an Atlassian Confluence vulnerability tracked as CVE-2021-31207; and three Microsoft Exchange flaws commonly known as ProxyShell. Log4Shell, which was assigned CVE-2021-44228, was one of the most exploited flaws in 2021, but the threat continued for years as organizations remained unpatched.

The authoring agencies warned that APT40 "regularly conducts reconnaissance against networks of interest" and waits for an opportunity to arise.

"This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits," the advisory said.

The authoring agencies noted that APT40 prioritizes obtaining valid credentials and prefers to exploit vulnerabilities in public-facing systems rather than leveraging techniques that require user interaction, such as phishing campaigns. In addition to conducting reconnaissance, the threat group uses web shells to maintain persistence on victim environments.

While tracking the malicious activity, ACSC observed the threat group's techniques evolve over time. Initially, APT40 used compromised Australian websites as command and control hosts for its operations. Now, it has turned to compromised devices that contain vulnerabilities.

"APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors for its operations in Australia. This has enabled the authoring agencies to better characterize and track this group's movements," the advisory said.

The advisory warned that many SOHO devices involved in attacks are unpatched or have reached end-of-life status. Compromising such devices enables attackers to "blend in with legitimate traffic and challenge network defenders."