APT40, a Chinese threat group, rapidly exploits N-Day vulnerabilities

Chinese state-sponsored actor, APT40, is making headlines for its aggressive targeting of newly discovered software vulnerabilities. The joint government advisory, authored by cybersecurity agencies from the US, Australia, the UK, Canada, New Zealand, Germany, South Korea, and Japan, has revealed that APT40 is actively exploiting these vulnerabilities within hours of their discovery.

This cyber group has been targeting organizations across various sectors using tactics commonly employed by other state-sponsored actors in China. The advisory specifically warns about the group’s repeated targeting of Australian networks and emphasizes that APT40 poses an ongoing threat.

Unlike some threat actors that rely on user interaction for their attacks, APT40 prefers to target vulnerable, public-facing infrastructure and prioritizes the acquisition of valid credentials. The group is quick to adopt public exploits as soon as they become available, creating a “patching race” for organizations.

Tal Mandel Bar, a product manager at DoControl, noted that APT40’s focus on public-facing infrastructure indicates a preference for the path of least resistance. This approach eschews elaborate phishing campaigns in favor of direct attacks on exposed vulnerabilities.

The advisory also highlights that while APT40 targets newly disclosed bugs, the group has a sizable arsenal of older exploits at its disposal. This underscores the importance of comprehensive vulnerability management practices for organizations.

Darren Guccione, CEO and co-founder of Keeper Security, emphasized the critical need for prompt patching and vigilance in monitoring advisories from trusted sources, particularly in the case of APT40. Given the group’s propensity to exploit vulnerable devices, organizations are urged to update their software regularly and apply patches immediately upon public disclosure of vulnerabilities.

APT40’s activities extend beyond exploiting software vulnerabilities. The cyber group conducts extensive reconnaissance against targeted networks, including those in the countries of the agencies issuing the advisory. APT40 deploys web shells for persistence and focuses on exfiltrating sensitive information from repositories.

Chris Grove, director of cybersecurity strategy at Nozomi Networks, highlighted the dual use of data stolen by APT40 for state espionage and subsequent transfer to Chinese companies. Organizations with critical data or operations are advised to enhance their defenses in response to these threats, with advanced anomaly detection systems being recommended for threat hunting.

The advisory also mentioned APT40’s evolving tactics, such as using compromised endpoints like small-office/home-office (SOHO) devices for operations. This shift has enabled authorities to better track the group’s activities. Furthermore, similarities between APT40 and other China-backed threat groups like Volt Typhoon, Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk were noted.

To combat the threat posed by APT40, the advisory provides mitigation techniques for the group’s main tactics, techniques, and procedures (TTPs), including initial access, execution, persistence, and privilege escalation. By implementing these recommendations and staying vigilant, organizations can better defend against APT40’s sophisticated cyber operations.

In conclusion, APT40’s aggressive targeting of software vulnerabilities and sophisticated cyber activities underscore the need for robust cybersecurity measures and proactive defense strategies in today’s increasingly complex threat landscape. Organizations must remain vigilant, prioritize patching, and enhance their security posture to mitigate the risk posed by state-sponsored threat actors like APT40.
