Saturday, May 24, 2025
HomeCVE/vulnerabilityChinese APT40 Is Ready To Exploit New Vulnerabilities Within Hours Of Release

Chinese APT40 Is Ready To Exploit New Vulnerabilities Within Hours Of Release

Published on

SIEM as a Service

Follow Us on Google News

Multiple international cybersecurity agencies jointly warn of a PRC state-sponsored cyber group, linked to the Ministry of State Security and known by various names like  APT40, Leviathan. 

The group, based in Hainan Province, has targeted organizations globally, including in Australia and the US. 

The Australian authorities recently released an advisory that provides case studies of their techniques, offering cybersecurity practitioners insights to identify, prevent, and remediate intrusions by this threat actor.

- Advertisement - Google News

Chinese APT40 Is Ready To Exploit

APT40, though a persistent concern for Australian and other regional networks, adapts quickly to take advantage of fresh vulnerabilities.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

They perform regular reconnaissance missions to identify weak infrastructural spots and prioritize the theft of credentials.

Having compromised websites in the past, the group shifted its focus to SOHO devices and is now using them as operational infrastructure and last-hop redirectors.

Like certain PRC-backed state actors, APT40’s adoption of this strategy enables it to pass off as actual traffic while encountering network defenders.

The investigation was triggered by the Australian Signals Directorate’s ACSC as a result of a network compromise by APT40 between July and September 2022.

The group abused a custom web application, which led to multiple access vectors and horizontal movement inside the network.

There was host enumeration, web shell usage, and sensitive data exfiltration including privileged credentials.

Through investigations, it has been established that there was deliberate targeting of a state-sponsored actor which underscores the need for proper network security measures as well as logging configurations.

Here’s the timeline:-

Timeline (Source – Gov.au)

The MITRE ATT&CK framework documents the cyber threat tactics. In April 2022, APT40 most likely breached an organization’s network by using a vulnerable remote access portal.

Web shells were planted to execute credential theft and potentially gain unauthorized access to internal systems.

The major tricks that they used involved public-facing apps’ exploitation, web shells deployment, login data capture, and lateral movement trials.

Australian Cyber Security Centre, established under the jurisdiction of the Australian Signals Directorate investigated and provided recommendations for remediation.

Mitigations

Here below we have mentioned all the mitigations:-

  • Maintaining proper logging history
  • Patch management
  • Network segmentation
  • Disable unnecessary network services and ports
  • Implement web application firewalls (WAFs)
  • Enforce least privilege access
  • Use multi-factor authentication (MFA) for all remote access
  • Replace outdated equipment
  • Review and secure custom applications

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...