A joint advisory has been issued by cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. regarding the China-linked cyber espionage group known as APT40. The advisory warns about APT40's ability to exploit newly disclosed security vulnerabilities soon after they become public knowledge.
The authorities noted that APT40 has previously targeted organizations in various countries, including Australia and the United States. “Notably, APT40 has the capacity to rapidly modify and adapt vulnerability proofs-of-concept (PoCs) for the purposes of targeting, intelligence gathering, and conducting exploitative operations.”
The hostile group, known by many aliases such as Bronze Mohawk, Gingham Typhoon (formerly Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, has been actively conducting cyber attacks against entities in the Asia-Pacific region since at least 2013. It is believed to be based in Haikou.
In July 2021, the United States and its allies formally identified the group as being associated with China’s Ministry of State Security (MSS). They charged multiple members of the hacking group with orchestrating a long-term operation targeting various sectors with the intention of stealing trade secrets, intellectual property, and valuable information.
APT40 has been linked to a series of cyber attacks in recent years that used the ScanBox reconnaissance framework and exploited a security vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8). These attacks included a phishing campaign targeting Papua New Guinea that delivered a backdoor known as BOXRAT.
In March of this year, the New Zealand government attributed the 2021 breach of the Parliamentary Counsel Office and the Parliamentary Service to the group.
The authoring agencies reported that APT40 identifies new exploits for widely used public software, such as Log4j, Atlassian Confluence, and Microsoft Exchange, and uses them to target the infrastructure running the vulnerable software.
“APT40 consistently engages in surveillance of networks deemed significant, including those within the countries of the agencies responsible for creating content, with the intention of identifying vulnerabilities to exploit its intended targets.” This routine reconnaissance allows the group to detect vulnerable, end-of-life, or unmaintained devices on targeted networks and promptly launch attacks against them.
The state-sponsored hacking group is known for using web shells to maintain persistence and retain access to the victim’s environment. Additionally, they utilize Australian websites for command-and-control (C2) purposes.
Furthermore, it has been noted that this group incorporates outdated or unpatched devices, such as small-office/home-office (SOHO) routers, into its attack infrastructure. This is done with the intention of redirecting malicious traffic and avoiding detection, employing a similar operational approach to other China-based groups like Volt Typhoon.
Google-owned Mandiant has reported that cyber espionage activity originating from China is undergoing a broader transition. The goal is to prioritize stealth by increasingly weaponizing network edge devices, operational relay box (ORB) networks, and living-off-the-land (LotL) techniques to avoid detection.
Attack chains also involve reconnaissance, privilege escalation, and lateral movement using the Remote Desktop Protocol (RDP), followed by credential theft and the exfiltration of information of interest.
To reduce the risks associated with these threats, organizations are advised to maintain sufficient logging mechanisms, enforce multi-factor authentication (MFA), establish a strong patch management system, replace outdated equipment, disable unused services, ports, and protocols, and segment networks to prevent unauthorized access to sensitive data.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.