Chinese APT40 Is Ready To Exploit New Vulnerabilities Within Hours Of Release

Multiple international cybersecurity agencies jointly warn of a PRC state-sponsored cyber group, linked to the Ministry of State Security and known by various names like  APT40, Leviathan. 

The group, based in Hainan Province, has targeted organizations globally, including in Australia and the US. 

The Australian authorities recently released an advisory that provides case studies of their techniques, offering cybersecurity practitioners insights to identify, prevent, and remediate intrusions by this threat actor.

Chinese APT40 Is Ready To Exploit

APT40, though a persistent concern for Australian and other regional networks, adapts quickly to take advantage of fresh vulnerabilities.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

They perform regular reconnaissance missions to identify weak infrastructural spots and prioritize the theft of credentials.

Having compromised websites in the past, the group shifted its focus to SOHO devices and is now using them as operational infrastructure and last-hop redirectors.

Like certain PRC-backed state actors, APT40’s adoption of this strategy enables it to pass off as actual traffic while encountering network defenders.

The investigation was triggered by the Australian Signals Directorate’s ACSC as a result of a network compromise by APT40 between July and September 2022.

The group abused a custom web application, which led to multiple access vectors and horizontal movement inside the network.

There was host enumeration, web shell usage, and sensitive data exfiltration including privileged credentials.

Through investigations, it has been established that there was deliberate targeting of a state-sponsored actor which underscores the need for proper network security measures as well as logging configurations.

Here’s the timeline:-

Timeline (Source – Gov.au)

The MITRE ATT&CK framework documents the cyber threat tactics. In April 2022, APT40 most likely breached an organization’s network by using a vulnerable remote access portal.

Web shells were planted to execute credential theft and potentially gain unauthorized access to internal systems.

The major tricks that they used involved public-facing apps’ exploitation, web shells deployment, login data capture, and lateral movement trials.

Australian Cyber Security Centre, established under the jurisdiction of the Australian Signals Directorate investigated and provided recommendations for remediation.

Mitigations

Here below we have mentioned all the mitigations:-

  • Maintaining proper logging history
  • Patch management
  • Network segmentation
  • Disable unnecessary network services and ports
  • Implement web application firewalls (WAFs)
  • Enforce least privilege access
  • Use multi-factor authentication (MFA) for all remote access
  • Replace outdated equipment
  • Review and secure custom applications

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

RomCom Hackers Exploits Windows & Firefox Zero-Day in Advanced Cyberattacks

In a new wave of cyberattacks, the Russia-aligned hacking group "RomCom" has been found exploiting…

4 hours ago

Chinese APT Hackers Using Multiple Tools And Vulnerabilities To Attack Telecom Orgs

Earth Estries, a Chinese APT group, has been actively targeting critical sectors like telecommunications and…

6 hours ago

200,000 WordPress Sites Exposed to Cyber Attack, Following Plugin Vulnerability

A critical security vulnerability has been discovered in the popular WordPress plugin Anti-Spam by CleanTalk, which…

11 hours ago

Beware Of SpyLoan Apps Exploits Social Engineering To Steal User Data

SpyLoan apps, a type of PUP, are rapidly increasing, exploiting social engineering to deceive users…

13 hours ago

Researchers Detailed Tools Used By Hacktivists Fueling Ransomware Attacks

CyberVolk, a politically motivated hacktivist group, has leveraged readily available ransomware builders like AzzaSec, Diamond,…

13 hours ago

Blue Yonder Ransomware Attack Impacts Starbucks & Multiple Supermarkets

A ransomware attack on Blue Yonder, a leading supply chain management software provider, has created…

15 hours ago