The China-backed advanced persistent threat (APT) actor tracked as APT40 has been busy evolving its playbook and has recently been observed actively targeting new victims by exploiting vulnerabilities in small office and home office (SoHo) networking devices as a staging post for command and control (C2) activity during their attacks
This is according to an international alert issued by the Five Eyes allied cyber agencies from Australia, Canada, New Zealand, the UK and the US, as well as partner bodies from Germany, Japan and South Korea.
According to the Australian Cyber Security Centre (ACSC), which was the lead agency on the alert, APT40 has repeatedly targeted networks both in Australia and around the world by this method.
In two case studies published by the Australian authorities, APT40 used compromised SoHO devices as operational infrastructure and “last-hop” redirectors during its attacks, although one effect of doing so has been to make their activity somewhat easier to characterise and track.
The agencies described such SoHo networking devices as much easier targets for malicious actors than their large enterprise equivalents.
“Many of these SoHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation,” the Australians said. “Once compromised, SoHO devices offer a launching point for attacks to blend in with legitimate traffic and challenge network defenders.
“This technique is also regularly used by other PRC state-sponsored actors worldwide, and the authoring agencies consider this to be a shared threat.
“APT40 does occasionally use procured or leased infrastructure as victim-facing C2 infrastructure in its operations; however, this tradecraft appears to be in relative decline,” they added.
The ACSC shared details of one APT40 cyber attack to which it responded in August 2022, during which a malicious IP believed to be affiliated with the group interacted with the targeted organisation’s network over a two-month period using a device that likely belonged to a small business or home user. This attack was remediated before APT40 could do too much damage.
Mohammed Kazem, senior threat intelligence researcher at WithSecure, said: “There is no indication that the pace or impact of Chinese government/state-sponsored cyber operations has fallen… instead they have continued to hone and refine their tradecraft. They have shown themselves willing to retire methods and tools that no longer work in favour of new ones, but while their standard TTPs have proved effective, they have happily continued to use them.
“This advisory also highlights a shared and growing trend among PRC actors in recent years to target edge devices via exploitation and leverage compromised devices as part of their network infrastructure and activity. We believe these techniques are consciously employed by these actors to pursue stealthier operations that are more difficult to track and attribute, but also challenge conventional security mechanisms and oversight,” said Kazem.
Noteworthy threat
The APT40 group – which is also known in various supplier matrices as Kryptonite Panda, Gingham Typhoon, Leviathan and Bronze Mohawk – is a highly active group that is likely based in the city of Haikou in Hainan Province, an island off the south coast of China, about 300 miles west of Hong Kong. It receives its tasking from the Hainan State Security Department of China’s Ministry of State Security (MSS).
It was likely one of a number of APTs involved in a 2021 series of cyber attacks orchestrated via compromises in Microsoft Exchange Server. In July of that year, four members of the group were indicted by the US authorities over attacks targeting the aviation, defence, education, government, healthcare, biopharmaceutical and maritime sectors.
This campaign saw APT40 steal intellectual property on submersible and autonomous vehicles, chemical formulae, commercial aircraft servicing, genetic sequencing tech, research on diseases including Ebola, HIV/AIDS and MERS, and information to support attempts to win contracts for China’s state-owned enterprises.
APT40 is considered a particularly noteworthy threat thanks to its advanced capabilities – it is able to quickly transform and exploit proof-of-concepts (PoCs) of new vulnerabilities and turn them on victims, and its team members conduct regular reconnaissance against networks of interest looking for opportunities to use them.
It has been an enthusiastic user of some of the most widespread and notable vulnerabilities of the past few years, including the likes of Log4j – indeed, it continues to find success exploiting some bugs that date as far back as 2017.
The group seems to favour targeting public-facing infrastructure over techniques that require user interaction – such as phishing via email – and places great value on obtaining valid credentials to use in its attacks.
Mitigating an APT40 intrusion
Priority mitigations for defenders include keeping up to date logging, prompt patch management and implementing network segmentation.
Security teams should also take steps to disable unused or unneeded network services, ports or firewalls, implement web application firewalls (WAFs), enforce least privilege policies to limit access, enforce multifactor authentication (MFA) on all internet accessible remote access services, replace end-of-life kit, and review custom applications for potentially exploitable functionality.