In a joint advisory, international cybersecurity agencies and law enforcement bodies have sounded the alarm on the Chinese state-sponsored hacking group APT40. This group, also known by aliases such as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk, has been a persistent cyber threat since at least 2011, targeting governmental and key private entities in the US and Australia. APT40’s tactics include hijacking Small Office/Home Office (SOHO) routers to conduct cyberespionage attacks.
Attack Vectors and Methods
APT40, noted for its agility and adaptability, exploits vulnerabilities in public-facing infrastructure and edge networking devices rather than relying on human interaction such as phishing or social engineering. The group is known for rapidly exploiting newly disclosed vulnerabilities; notable examples include flaws in Log4j, Atlassian Confluence, and Microsoft Exchange.
The group is adept at converting proof-of-concept exploits for new vulnerabilities into operational tools, which are then used to compromise networks. This capability is highlighted in the joint advisory authored by Australia’s Australian Cyber Security Centre (ACSC), which states, “APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilise them against target networks possessing the infrastructure of the associated vulnerability.”
Once APT40 breaches a server or networking device, they typically deploy web shells to maintain persistence, and have also used Secure Socket Funnelling for the same purpose. They leverage valid credentials obtained through techniques such as Kerberoasting and use Remote Desktop Protocol (RDP) for lateral movement within the network.
Hijacking SOHO Routers
A critical aspect of APT40’s operations involves breaching end-of-life SOHO routers using N-day vulnerabilities. These hijacked routers then serve as operational infrastructure, acting as network proxies to launch attacks. This method allows the hackers to blend their malicious activities with legitimate traffic originating from the compromised routers.
Other Chinese APT groups also use operational relay box (ORB) networks composed of hijacked end-of-life routers and IoT devices. These proxy networks are managed by independent cybercriminals who provide access to multiple state-sponsored actors, facilitating the proxying of malicious traffic.
In the final stages of their attacks, APT40 accesses SMB shares and exfiltrates data to command and control (C2) servers. To maintain a stealthy presence, they remove event logs and deploy software designed to evade detection on the compromised network.
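As an added illustration (not part of the advisory or this article), the Python below runs simple detection rules over constructed Windows Security log records for the post-exploitation behaviours described above: a web server worker process spawning a command shell (web shell), RC4 service ticket requests (Kerberoasting), one account reaching several hosts over RDP (lateral movement), and clearing of the Security event log. Event IDs and field names are the standard Windows Security log ones; the sample records, host names and the list of web server process names are assumptions.

```python
from collections import defaultdict

# Constructed sample records, shaped like a JSON export of the Windows Security log.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WEB01", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "svc_backup@CORP.LOCAL",
     "ServiceName": "MSSQLSvc", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4624, "Computer": "SQL01", "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 1102, "Computer": "WEB01", "SubjectUserName": "svc_backup"},
]

WEB_SERVER_PARENTS = ("w3wp.exe", "httpd.exe", "tomcat")      # assumed web server process names
SHELL_CHILDREN = ("cmd.exe", "powershell.exe", "pwsh.exe")

def detect(events, rdp_host_threshold=2):
    """Return (rule, detail) findings for behaviours the advisory attributes to APT40."""
    findings = []
    rdp_targets = defaultdict(set)  # account -> hosts reached via RDP
    for e in events:
        eid = e["EventID"]
        if eid == 4688:
            # Web shell: the web server worker process spawning a command interpreter
            parent, child = e["ParentProcessName"].lower(), e["NewProcessName"].lower()
            if any(p in parent for p in WEB_SERVER_PARENTS) and child.endswith(SHELL_CHILDREN):
                findings.append(("web_shell", f"{e['Computer']}: {parent} spawned {child}"))
        elif eid == 4769:
            # Kerberoasting: RC4 (0x17) service tickets for user-account SPNs, not krbtgt or machine accounts
            svc = e["ServiceName"]
            if e["TicketEncryptionType"] == "0x17" and svc != "krbtgt" and not svc.endswith("$"):
                findings.append(("kerberoasting", f"{e['TargetUserName']} requested RC4 ticket for {svc}"))
        elif eid == 4624 and e["LogonType"] == 10:
            # Logon type 10 is RemoteInteractive, i.e. RDP; collect distinct destinations per account
            rdp_targets[e["TargetUserName"]].add(e["Computer"])
        elif eid == 1102:
            # Security audit log cleared (anti-forensics)
            findings.append(("log_cleared", f"{e['Computer']}: Security log cleared by {e['SubjectUserName']}"))
    for account, hosts in rdp_targets.items():
        if len(hosts) >= rdp_host_threshold:
            findings.append(("rdp_lateral_movement", f"{account} reached {len(hosts)} hosts over RDP"))
    return findings

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

In practice the rules would be fed from a SIEM export rather than an inline list, and the RDP threshold tuned to the environment's normal administrative behaviour.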
Case Studies Highlighting APT40’s Methods
The advisory includes two case studies from 2022 that exemplify APT40’s tactics and procedures.
Case Study 1 (July to September 2022):
APT40 exploited a custom web application to gain a foothold in an Australian organization’s network. Using web shells, they conducted network reconnaissance, accessed Active Directory, and exfiltrated sensitive data, including privileged credentials.
Case Study 2 (April to May 2022):
In this incident, APT40 compromised an organization by exploiting remote code execution (RCE) flaws on a remote access login portal. They deployed web shells, captured hundreds of username-password pairs, multi-factor authentication (MFA) codes, and JSON Web Tokens (JWTs), eventually escalating their privileges to access an internal SQL server.
Recommendations for Mitigating APT40 Attacks
The advisory offers several recommendations to mitigate and defend against APT40 and similar state-sponsored cyber threats. Key defensive measures include:
- Timely Patch Application: Regularly apply patches to address known vulnerabilities.
- Comprehensive Logging: Maintain detailed logs to track potential breaches and suspicious activities.
- Network Segmentation: Segment networks to limit the lateral movement of attackers.
- Disable Unused Ports and Services: Reduce attack surfaces by disabling unnecessary ports and services.
- Web Application Firewalls (WAFs): Deploy WAFs to protect web applications from common threats.
- Enforce the Principle of Least Privilege: Ensure that users and services operate with the minimum necessary privileges.
- Multi-Factor Authentication (MFA): Use MFA for all remote access services to add an extra layer of security.
- Replace End-of-Life (EoL) Equipment: Prioritize replacing EoL edge networking gear, as these devices often lack security patches and are prime targets for attackers.
Conclusion
APT40 represents a significant cyber threat, employing sophisticated methods to exploit vulnerabilities and hijack SOHO routers for their cyber espionage activities. By understanding their tactics and implementing recommended defensive measures, organizations can better protect themselves against these persistent and adaptive threat actors. Regular updates, comprehensive security practices, and proactive measures are essential to safeguard against the ever-evolving landscape of state-sponsored cyber threats.
