Chinese APT40 group swifly leverages public PoC exploits
Chinese state-sponsored cyber group APT40 is amazingly fast at adapting public proof-of-concept (PoC) exploits for vulnerabilities in widely used software, an advisory released by intelligence and cybersecurity agencies from eight countries warns.
The group, which is also known as Kryptonite Panda and Gingham Typhoon and is believed to be sponsored by the China’s Ministry of State Security, is expected to continue with this modus operandi, “using POCs for new high-profile vulnerabilities within hours or days of public release.”
How APT40 compromises organizations
APT 40 “appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns,” and has been known to exploit vulnerabilities in software such as Log4J, Atlassian Confluence and Microsoft Exchange.
APT40 activity flowchart (Source: CISA)
They regularly:
- Use web shells to secure persistence on target networks (and use web services, web and mail protocols to interact with them)
- Use system commands for reconnaissance and a variety of methods to compromise valid credentials
- Use remote services – including RDP and SMB/Windows Shares – for lateral movement
- Impair targets’ defenses, masking their activities, and removing indicators of compromise
“As persistence occurs early in an intrusion, it is more likely to be observed in all intrusions—regardless of the extent of compromise or further actions taken,” the agencies pointed out.
Advice for enterprise defenders
The security advisory includes two anonymized investigative reports by the Australian Signals Directorate’s Australian Cyber Security Centre, whose security experts helped investigate two of APT40’s successful intrusions.
The reports point out the various tools, tactics and techniques employed by the cyberespionage-focused threat actor, including a predilection for compromising credentials for privileged accounts, and a penchant for using end-of-life (EOL) or unpatched small-office/home-office (SOHO) devices as a launching point for attacks.
(Mandiant’s threat analysts have previously noted China-sponsored APTs’ increased use of proxy networks made of virtual private servers and compromised routers and Internet of Things devices to evade detection and complicate attribution.)
The advisory includes mitigation advice for foiling and limiting the scope of these and other attacks, and it includes:
- Comprehensive logging (to help with detection and investigation)
- Prompt patching of vulnerabilities in internet-facing infrastructure
- Network segmentation
- Disabling of unused or unnecessary network services, ports and protocols
- Use of multi-factor authentication (MFA) and enforcing of least privilege to limit access to servers, file shares, and other resources
- Replacing EOL equipment
- Use of well-tuned web application firewalls (WAFs) to protect webservers and applications
There’s also a few Sigma rules organizations can use to detect possible indicators of compromise.
“[APT40] has previously targeted organizations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally,” the agencies noted.