    Cybersecurity Agencies Alert on APT40’s Swift Exploit Adaptation Linked to China

    Cybersecurity agencies spanning Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have jointly issued a warning about APT40, a cyber espionage group affiliated with China. They highlight APT40’s capability to swiftly repurpose exploits for newly disclosed security vulnerabilities mere hours or days after their public disclosure.

    “APT40 has previously targeted various organizations across countries like Australia and the United States,” noted the agencies. “Significantly, APT40 demonstrates agility in transforming and utilizing proof-of-concepts (PoCs) for targeting, reconnaissance, and exploitation operations.”

    Also recognized as Bronze Mohawk, Gingham Typhoon (formerly Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, APT40 has been active since at least 2013, focusing cyber attacks on entities within the Asia-Pacific region and operating from Haikou.

    In July 2021, the U.S. and its allies officially attributed APT40 to China’s Ministry of State Security (MSS), indicting several members for orchestrating a prolonged campaign aimed at various sectors to steal trade secrets, intellectual property, and valuable information.

    APT40 has been linked to multiple intrusion incidents over recent years, including deploying the ScanBox reconnaissance framework and exploiting security vulnerabilities such as the WinRAR flaw (CVE-2023-38831, CVSS score: 7.8) in a phishing campaign aimed at Papua New Guinea, distributing the BOXRAT backdoor.

    Earlier in March, the New Zealand government implicated APT40 in the compromise of the Parliamentary Counsel Office and Parliamentary Service in 2021.

    “APT40 identifies new exploits within widely-used public software like Log4j, Atlassian Confluence, and Microsoft Exchange to target vulnerabilities associated with the infrastructure,” stated the agencies.

    The group regularly conducts reconnaissance on networks of interest, including those in the countries of the issuing agencies, searching for opportunities to compromise targets. This reconnaissance strategy enables APT40 to identify vulnerable or outdated devices and swiftly deploy exploits.

    APT40’s tactics include deploying web shells for persistence and using compromised Australian websites for command-and-control (C2) operations. The group also abuses out-of-date or unpatched devices, including small office/home office (SOHO) routers, to relay malicious traffic and evade detection, mirroring the operational approach of other China-linked groups such as Volt Typhoon.

    According to Mandiant, this reflects a broader shift in Chinese cyber espionage, focusing on stealth by weaponizing network edge devices, operational relay box (ORB) networks, and living-off-the-land (LotL) techniques to avoid detection.

    Observed attack chains involve reconnaissance, privilege escalation, and lateral movement via the Remote Desktop Protocol (RDP), followed by credential theft and exfiltration of the targeted information.

    To mitigate these threats, organizations are advised to maintain comprehensive logging, enforce multi-factor authentication (MFA), implement robust patch management systems, replace end-of-life equipment, disable unused services, ports, and protocols, and segment networks to safeguard sensitive data.
