Multiple international cybersecurity agencies jointly warn of a PRC state-sponsored cyber group, linked to the Ministry of State Security and known by various names like APT40, Leviathan.
The group, based in Hainan Province, has targeted organizations globally, including in Australia and the US.
The Australian authorities recently released an advisory that provides case studies of their techniques, offering cybersecurity practitioners insights to identify, prevent, and remediate intrusions by this threat actor.
APT40, though a persistent concern for Australian and other regional networks, adapts quickly to take advantage of fresh vulnerabilities.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
They perform regular reconnaissance missions to identify weak infrastructural spots and prioritize the theft of credentials.
Having compromised websites in the past, the group shifted its focus to SOHO devices and is now using them as operational infrastructure and last-hop redirectors.
Like certain PRC-backed state actors, APT40’s adoption of this strategy enables it to pass off as actual traffic while encountering network defenders.
The investigation was triggered by the Australian Signals Directorate’s ACSC as a result of a network compromise by APT40 between July and September 2022.
The group abused a custom web application, which led to multiple access vectors and horizontal movement inside the network.
There was host enumeration, web shell usage, and sensitive data exfiltration including privileged credentials.
Through investigations, it has been established that there was deliberate targeting of a state-sponsored actor which underscores the need for proper network security measures as well as logging configurations.
Here’s the timeline:-
The MITRE ATT&CK framework documents the cyber threat tactics. In April 2022, APT40 most likely breached an organization’s network by using a vulnerable remote access portal.
Web shells were planted to execute credential theft and potentially gain unauthorized access to internal systems.
The major tricks that they used involved public-facing apps’ exploitation, web shells deployment, login data capture, and lateral movement trials.
Australian Cyber Security Centre, established under the jurisdiction of the Australian Signals Directorate investigated and provided recommendations for remediation.
Here below we have mentioned all the mitigations:-
"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo
In a new wave of cyberattacks, the Russia-aligned hacking group "RomCom" has been found exploiting…
Earth Estries, a Chinese APT group, has been actively targeting critical sectors like telecommunications and…
A critical security vulnerability has been discovered in the popular WordPress plugin Anti-Spam by CleanTalk, which…
SpyLoan apps, a type of PUP, are rapidly increasing, exploiting social engineering to deceive users…
CyberVolk, a politically motivated hacktivist group, has leveraged readily available ransomware builders like AzzaSec, Diamond,…
A ransomware attack on Blue Yonder, a leading supply chain management software provider, has created…