Agencies in the U.S., Australia and a number of other countries are warning of the ongoing threat posed by the PRC state-sponsored group known as APT40, which they said has repeatedly targeted Australian networks and government agencies, as well as private sector organizations globally.
Tuesday’s joint advisory by the U.S., Australia, UK, Canada and New Zealand outlined how, since 2017, the APT group has had growing success in quickly exploiting newly public flaws in popular software, including ones in Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207 and CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473). In many cases the threat actors exploit these flaws within days or even hours of their public release, the advisory warned.
“Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability,” according to the advisory. “APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits.”
APT40, which has been around since 2009, is known for previously hacking organizations and government entities in the U.S. and beyond in order to steal IP, trade secrets and other sensitive data, and in 2021 the U.S. indicted four members of the hacking group.
In their advisory, the various agencies broke down campaigns by the group in April and August 2022 against two unnamed organizations, which the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) investigated. After initial access via exploitation of flaws in internet-facing applications, the group would deploy webshells, use remote services (like the RDP and SMB protocols) for lateral movement, and leverage various system commands to discover system information, accounts, and credentials.
APT40 previously used compromised Australian websites as command-and-control hosts in its operations, but it has recently relied on compromised small-office/home-office (SOHO) devices for its operational infrastructure in Australia. The advisory said that many of the compromised devices are end-of-life or unpatched, and that they give the attackers a valuable way to blend in with legitimate traffic and evade network defenders.
Chinese threat activity has been under scrutiny over the past year, especially after the U.S. government earlier this year highlighted the compromise of hundreds of SOHO routers by the Chinese attack group known as Volt Typhoon, which then used its access to those devices to facilitate access to critical infrastructure networks in various sectors, such as water and power.
The advisory recommended a number of measures that organizations can take to defend against APT40’s activities, including staying up to date on patching internet-exposed devices and services, as most exploits used by the actors were publicly known and had patches available. Organizations should also have a network segmentation strategy in place to block lateral movement, and should use logging and monitoring processes.
“During ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs,” according to the advisory.
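One defender-side illustration of why the web server request logs named in the advisory matter, given the webshell deployment described above: the following added Python example (not from the advisory or this article) scans constructed access-log lines for script paths that receive POST requests before they were ever fetched or linked, a pattern consistent with a dropped webshell being operated rather than a page that was legitimately deployed. The log lines, IP addresses and path names are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2022:09:01:10 +1000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2022:09:01:12 +1000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2022:09:03:44 +1000] "POST /uploads/cache.jsp HTTP/1.1" 200 312 "-" "python-requests/2.25"
198.51.100.7 - - [12/Apr/2022:09:03:49 +1000] "POST /uploads/cache.jsp HTTP/1.1" 200 4096 "-" "python-requests/2.25"
203.0.113.5 - - [12/Apr/2022:09:05:00 +1000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Server-side script extensions commonly used for webshells (assumed list).
SCRIPT_EXT = (".jsp", ".jspx", ".aspx", ".ashx", ".php")


def parse(log_text):
    """Yield one dict per parseable Combined Log Format line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_webshell_candidates(log_text):
    """Return {path: [client IPs]} for script paths whose first request in the
    log is a referer-less POST. A legitimately deployed page is normally fetched
    with GET (and arrives via a Referer) before it receives POSTs; a webshell
    dropped after exploitation is typically operated straight away over POST."""
    first_method = {}
    posters = defaultdict(set)
    for r in parse(log_text):
        path = r["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        first_method.setdefault(path, r["method"])
        if r["method"] == "POST" and r["ref"] == "-":
            posters[path].add(r["ip"])
    return {p: sorted(posters[p]) for p, m in first_method.items()
            if m == "POST" and posters[p]}


if __name__ == "__main__":
    for path, ips in find_webshell_candidates(SAMPLE_LOG).items():
        print(f"suspect webshell {path} operated from {', '.join(ips)}")
```

The heuristic is only useful when request logs are retained across the whole period of interest, which is exactly the gap the advisory calls out; a flagged path should be correlated with file creation times and Windows event logs before any conclusion is drawn.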