Cybersecurity Agencies Warn of China-linked APT40’s Rapid Exploit Adaptation

Avatar
Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have released a joint advisory about a China-linked cyber espionage group called APT40, warning about its ability to co-opt exploits for newly disclosed security flaws within hours or days of public release. “APT 40 has previously targeted organizations in various countries, including

Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have released a joint advisory about a China-linked cyber espionage group called APT40, warning about its ability to co-opt exploits for newly disclosed security flaws within hours or days of public release.

“APT 40 has previously targeted organizations in various countries, including Australia and the United States,” the agencies said. “Notably, APT 40 possesses the ability to quickly transform and adapt vulnerability proofs-of-concept (PoCs) for targeting, reconnaissance, and exploitation operations.”

The adversarial collective, also known as Bronze Mohawk, Gingham Typhoon (formerly Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, is known to be active since at least 2013, carrying out cyber attacks targeting entities in the Asia-Pacific region. It’s assessed to be based in Haikou.

In July 2021, the U.S. and its allies officially attributed the group as affiliated with China’s Ministry of State Security (MSS), indicting several members of the hacking crew for orchestrating a multi-year campaign aimed at different sectors to facilitate the theft of trade secrets, intellectual property, and high-value information.

Over the past few years, APT40 has been linked to intrusion waves delivering the ScanBox reconnaissance framework as well as the exploitation of a security flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) as part of a phishing campaign targeting Papua New Guinea to deliver a backdoor dubbed BOXRAT.

Then earlier this March, the New Zealand government implicated the threat actor to the compromise of the Parliamentary Counsel Office and the Parliamentary Service in 2021.

“APT40 identifies new exploits within widely used public software such as Log4j, Atlassian Confluence, and Microsoft Exchange to target the infrastructure of the associated vulnerability,” the authoring agencies said.

“APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits.”

Notable among the tradecraft employed by the state-sponsored hacking crew is the deployment of web shells to establish persistence and maintain access to the victim’s environment, as well as its use of Australian websites for command-and-control (C2) purposes.

It has also been observed incorporating out-of-date or unpatched devices, including small-office/home-office (SOHO) routers, as part of its attack infrastructure in an attempt to reroute malicious traffic and evade detection, an operational style that is akin to that used by other China-based groups like Volt Typhoon.

Attack chains further involve carrying out reconnaissance, privilege escalation, and lateral movement activities using the remote desktop protocol (RDP) to steal credentials and exfiltrate information of interest.

To mitigate the risks posed by such threats, it’s recommended to implement adequate logging mechanisms, enforce multi-factor authentication (MFA), implement a robust patch management system, replace end-of-life equipment, disable unused services, ports, and protocols, and segment networks to prevent access to sensitive data.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories

Next Post

Hackers Exploiting Jenkins Script Console for Cryptocurrency Mining Attacks

Related Posts

FTC proposes tougher children’s data privacy rules for first time in a decade

The Federal Trade Commission (FTC) is proposing new restrictions on the use and disclosure of children’s personal data and wants to make it much harder for companies to exclude children from their services if they can’t monetize their data, the agency announced Wednesday.
Jason Macuray
Read More

Rockwell Advises Disconnecting Internet-Facing ICS Devices Amid Cyber Threats

Rockwell Automation is urging its customers to disconnect all industrial control systems (ICSs) not meant to be connected to the public-facing internet to mitigate unauthorized or malicious cyber activity. The company said it's issuing the advisory due to "heightened geopolitical tensions and adversarial cyber activity globally." To that end, customers are required to take immediate
Avatar
Read More