Tuesday, May 6, 2025
HomeCVE/vulnerabilityChinese APT40 Is Ready To Exploit New Vulnerabilities Within Hours Of Release

Chinese APT40 Is Ready To Exploit New Vulnerabilities Within Hours Of Release

Published on

SIEM as a Service

Follow Us on Google News

Multiple international cybersecurity agencies jointly warn of a PRC state-sponsored cyber group, linked to the Ministry of State Security and known by various names like  APT40, Leviathan. 

The group, based in Hainan Province, has targeted organizations globally, including in Australia and the US. 

The Australian authorities recently released an advisory that provides case studies of their techniques, offering cybersecurity practitioners insights to identify, prevent, and remediate intrusions by this threat actor.

- Advertisement - Google News

Chinese APT40 Is Ready To Exploit

APT40, though a persistent concern for Australian and other regional networks, adapts quickly to take advantage of fresh vulnerabilities.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

They perform regular reconnaissance missions to identify weak infrastructural spots and prioritize the theft of credentials.

Having compromised websites in the past, the group shifted its focus to SOHO devices and is now using them as operational infrastructure and last-hop redirectors.

Like certain PRC-backed state actors, APT40’s adoption of this strategy enables it to pass off as actual traffic while encountering network defenders.

The investigation was triggered by the Australian Signals Directorate’s ACSC as a result of a network compromise by APT40 between July and September 2022.

The group abused a custom web application, which led to multiple access vectors and horizontal movement inside the network.

There was host enumeration, web shell usage, and sensitive data exfiltration including privileged credentials.

Through investigations, it has been established that there was deliberate targeting of a state-sponsored actor which underscores the need for proper network security measures as well as logging configurations.

Here’s the timeline:-

Timeline (Source – Gov.au)

The MITRE ATT&CK framework documents the cyber threat tactics. In April 2022, APT40 most likely breached an organization’s network by using a vulnerable remote access portal.

Web shells were planted to execute credential theft and potentially gain unauthorized access to internal systems.

The major tricks that they used involved public-facing apps’ exploitation, web shells deployment, login data capture, and lateral movement trials.

Australian Cyber Security Centre, established under the jurisdiction of the Australian Signals Directorate investigated and provided recommendations for remediation.

Mitigations

Here below we have mentioned all the mitigations:-

  • Maintaining proper logging history
  • Patch management
  • Network segmentation
  • Disable unnecessary network services and ports
  • Implement web application firewalls (WAFs)
  • Enforce least privilege access
  • Use multi-factor authentication (MFA) for all remote access
  • Replace outdated equipment
  • Review and secure custom applications

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...