
Governments warn of China’s APT40 attacks


A joint agency advisory has raised the alarm that APT40, a Chinese state-sponsored threat group, is actively targeting Australian government and private sector networks. The Australian Cyber Security Centre (ACSC) led the release of the advisory, which was co-authored by agencies from the U.S., U.K., Germany, New Zealand, Japan, and Korea. This advisory highlighted the ongoing threat posed by APT40 to Australian networks and provided examples of recent intrusions.

While the attacks from APT40 on Australian organizations are currently underway, this malicious activity is not new. The agencies involved in the advisory have observed similar tactics, techniques, and procedures (TTPs) used by APT40 to target organizations in various countries, including the United States, in the past.

According to the advisory, APT40 is a persistent threat to multiple countries and has been known to exploit known vulnerabilities and compromise small office/home office devices. The threat group has the ability to quickly adapt and exploit new vulnerabilities, making it a significant danger to organizations with vulnerable infrastructure.

APT40 has been successful in exploiting vulnerabilities dating back to 2017, targeting victims with a wide range of exploits including Log4Shell, Atlassian Confluence vulnerabilities, and Microsoft Exchange flaws. The advisory cautioned that APT40 regularly conducts reconnaissance on target networks to identify vulnerabilities and swiftly deploys exploits against them.

The threat group prioritizes obtaining valid credentials and exploits vulnerabilities in public-facing systems to maintain access to victim environments. Additionally, APT40 has evolved its techniques over time: for its operations in Australia it now uses compromised, vulnerable devices as command-and-control hosts instead of Australian-based websites.

The advisory also provided two case studies of APT40’s tactics in action. In one instance, the threat group exfiltrated data including privileged authentication credentials from an organization, allowing them to move laterally through the victim’s network. In another case, APT40 targeted a public-facing application and used a web shell to maintain persistence while exploiting remote code execution, privilege escalation, and authentication bypass vulnerabilities.

Enterprises were urged to implement effective logging, patch management, and multi-factor authentication protocols to protect against APT40 and similar threat actors. The agencies advised organizations to apply security patches or mitigations to internet-facing infrastructure promptly and use the latest versions of software and operating systems where possible.
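The advisory's second case study (a web shell on a public-facing application) and its call for effective logging meet in the web server's access log. The script below is an added illustration, not code from the advisory or from any of the agencies that wrote it: it parses combined-format access log lines and flags requests that combine several weak web-shell indicators (a server-side script living under a directory that should only hold static content, POSTs to endpoints the application does not publish, command-style query parameters, and POSTs with no referer). The log lines, the allowlist of POST endpoints, and the static directory names are all constructed for the example; a real deployment would replace them with the application's own inventory.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format; they are not taken from the advisory.
# The first client browses normally, the second repeatedly POSTs to a script in /uploads/,
# and the third is a legitimate form login with a referer.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2024:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2024:09:14:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Jul/2024:09:20:11 +0000] "POST /uploads/img.php?cmd=whoami HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.77 - - [10/Jul/2024:09:20:13 +0000] "POST /uploads/img.php?cmd=id HTTP/1.1" 200 70 "-" "python-requests/2.31"
198.51.100.77 - - [10/Jul/2024:09:21:40 +0000] "POST /uploads/img.php HTTP/1.1" 200 330 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jul/2024:09:25:00 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: client, identity, user, timestamp, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical application inventory: the only endpoints that legitimately accept POST.
KNOWN_POST_ENDPOINTS = {"/login", "/logout", "/api/upload"}
# Directories that should contain static content only; a server-side script here is suspect.
STATIC_DIRS = ("/uploads/", "/images/", "/static/", "/media/")
SCRIPT_EXTS = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".ashx", ".cfm")
# Parameter names typical of command-style requests; a match is a hint, not proof.
COMMAND_PARAMS = {"cmd", "exec", "command", "shell"}


def parse_line(line):
    """Return a dict of fields for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["params"] = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
    return rec


def score_request(rec):
    """List the web-shell indicators a single parsed request matches (empty list = nothing suspicious)."""
    reasons = []
    path = rec["path"].lower()
    if path.startswith(STATIC_DIRS) and path.endswith(SCRIPT_EXTS):
        reasons.append("server-side script under a static-content directory")
    if rec["method"] == "POST" and rec["path"] not in KNOWN_POST_ENDPOINTS:
        reasons.append("POST to an endpoint the application does not publish")
    if rec["params"] & COMMAND_PARAMS:
        reasons.append("command-style query parameter")
    if rec["method"] == "POST" and rec["referer"] == "-":
        reasons.append("POST without a referer")
    return reasons


def detect_webshell_activity(log_text, min_reasons=2):
    """Flag requests matching at least min_reasons indicators; one weak indicator alone is too noisy."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as evidence
        reasons = score_request(rec)
        if len(reasons) >= min_reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "reasons": reasons})
    return findings


def summarize(findings):
    """Count flagged requests per (client, path) so repeated use of one script stands out."""
    return Counter((f["ip"], f["path"]) for f in findings)


if __name__ == "__main__":
    hits = detect_webshell_activity(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["path"], "->", "; ".join(h["reasons"]))
    for (ip, path), n in summarize(hits).items():
        print(f"{ip} hit {path} {n} times")
```

The threshold of two indicators is a deliberate trade-off: a lone POST without a referer is routine for API clients, and a lone script under `/uploads/` may be a misconfiguration rather than an intrusion, but both together on the same path from one client is worth a ticket. The summary step matters because a web shell used for persistence shows up as the same unlisted script being hit again and again, which is also the signal to pair with file-integrity monitoring on the web root and with the patch-management checks the advisory recommends.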

In a related development, in 2021, the Department of Justice unsealed an indictment against alleged members of APT40, accusing them of targeting victims worldwide for financial gain in sectors such as aviation, government, and healthcare.

Overall, the advisory serves as a stark reminder of the persistent threat posed by APT40 and the importance of proactively securing networks against evolving cyber threats. Organizations are urged to remain vigilant and implement robust cybersecurity measures to defend against sophisticated threat actors like APT40.
