Global Cybersecurity Agencies Issue Joint Advisory on China-affiliated APT40’s Quick Exploit Adaptation

July 9, 2024

Eight global cybersecurity agencies have jointly warned about the rapid adaptability of a China-affiliated cyber espionage group, APT40. This group has demonstrated the ability to utilize exploits for newly disclosed security vulnerabilities within a short period after their public release.

"APT40 has previously targeted organizations in various countries, including Australia and the United States," the agencies stated. They also noted the group's ability to rapidly adapt publicly released vulnerability proofs-of-concept (PoCs) into working exploits for its targeting, reconnaissance, and exploitation operations.

APT40, also known by several other names such as Bronze Mohawk, Gingham Typhoon, and Kryptonite Panda, has been active since at least 2013. It has primarily targeted entities in the Asia-Pacific region and is believed to be based in Haikou. In July 2021, the U.S. and its allies officially linked the group to China's Ministry of State Security (MSS), indicting several members for orchestrating a multi-year campaign aimed at stealing trade secrets, intellectual property, and high-value information.

Over the past few years, APT40 has been associated with intrusion waves delivering the ScanBox reconnaissance framework. It also exploited a security flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) as part of a phishing campaign targeting Papua New Guinea to deliver a backdoor known as BOXRAT. In March 2022, the New Zealand government linked this threat actor to the compromise of the Parliamentary Counsel Office and the Parliamentary Service in 2021.

The agencies reported that APT40 identifies new exploits in widely used public software, such as Log4j, Atlassian Confluence, and Microsoft Exchange, and then targets infrastructure running the affected software. They added, "APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies' countries, looking for opportunities to compromise its targets." This ongoing reconnaissance allows the group to identify vulnerable, outdated, or unmaintained devices on networks of interest and to deploy exploits against them rapidly.

The group's notable techniques include the deployment of web shells to establish persistence and maintain access to the victim's environment, as well as the use of Australian websites for command-and-control (C2) purposes. It has also been observed incorporating outdated or unpatched devices, including small-office/home-office (SOHO) routers, as part of its attack infrastructure in attempts to reroute malicious traffic and evade detection. This operational style is similar to that used by other China-based groups like Volt Typhoon.

The group's attack chains often involve carrying out reconnaissance, privilege escalation, and lateral movement activities using the remote desktop protocol (RDP) to steal credentials and exfiltrate information of interest. To mitigate such threats, it's recommended to implement adequate logging mechanisms, enforce multi-factor authentication (MFA), implement a robust patch management system, replace end-of-life equipment, disable unused services, ports, and protocols, and segment networks to prevent access to sensitive data.
