
Chinese APT40 Is Ready To Exploit New Vulnerabilities Within Hours


Multiple international cybersecurity agencies have issued a joint advisory on a PRC state-sponsored cyber group tracked under several names, including APT40 and Leviathan. The group operates out of Hainan Province, is assessed to act on behalf of the PRC Ministry of State Security (MSS), and has targeted organizations worldwide, including in Australia and the United States.

The advisory, led by the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), documents the group's tradecraft so that network defenders can identify, prevent, and remediate APT40 intrusions.

APT40 is a persistent concern for Australian and other regional networks because it rapidly adapts to newly disclosed vulnerabilities: it regularly conducts reconnaissance against networks of interest to find exploitable infrastructure, and it prioritizes the theft of credentials. The group previously used compromised websites as command-and-control infrastructure; it has since shifted to compromised small-office/home-office (SOHO) devices, which it uses as operational infrastructure and last-hop redirectors. Routing its activity through these devices lets the group blend in with legitimate residential traffic, making it harder for network defenders to distinguish malicious connections from ordinary ones.

The advisory's first case study comes from an ASD's ACSC investigation into a network compromise that took place between July and September 2022. APT40 exploited a custom web application to gain an initial foothold, established multiple access vectors, and moved laterally within the network. Observed activity included host enumeration, deployment of web shells, and exfiltration of sensitive data, including privileged authentication credentials. The ACSC assessed the intrusion to be the work of a state-sponsored actor; the case underscores the need for robust network security controls and logging configurations that allow such activity to be reconstructed.

The advisory's second case study, mapped to the MITRE ATT&CK framework, describes how the group breached another organization's network through a vulnerable internet-facing remote access portal in April 2022. Web shells were planted to harvest credentials and to attempt further access to internal systems. The techniques observed included exploitation of public-facing applications, web shell deployment, capture of login data, and attempted lateral movement within the network.

To mitigate the risks posed by APT40, the ACSC recommends: maintaining comprehensive logging, applying prompt patch management, segmenting networks, disabling unused network services and ports, deploying web application firewalls (WAFs), enforcing least-privilege access, requiring multi-factor authentication (MFA) for all remote access, replacing end-of-life equipment, and reviewing and securing custom applications.
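Both case studies turn on the same observable: a web shell dropped through a public-facing application and then driven from a remote client. The following script is an added example written for this page; it is not code from the advisory or from any agency, and the log lines it processes are constructed sample data, not real traffic. It shows the kind of check the logging recommendation above enables: given a baseline of the script paths a web application legitimately serves (here the hypothetical `BASELINE` set), it reads Apache combined-format access logs and flags requests that look like web shell interaction, including scripts outside the baseline, POSTs to scripts with no Referer (tool-driven rather than browser navigation), and path traversal in the query string of an upload endpoint.

```python
"""Flag likely web-shell interaction in Apache combined-format access logs.

Added example, not from the advisory. The baseline and log lines are
constructed for illustration.
"""
import re
from collections import defaultdict

# Script paths the application is known to serve (assumed baseline, built
# from the deployed application's manifest in a real environment).
BASELINE = {"/portal/login.aspx", "/portal/home.aspx", "/portal/upload.aspx"}

# Extensions that execute server-side; a new file with one of these in the
# webroot is the classic web-shell artefact.
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".php", ".jsp")

# Constructed sample log lines (Apache combined format), not real data.
# 203.0.113.x is a normal user; 198.51.100.7 abuses the upload endpoint to
# write cache.aspx into the webroot, then drives it with POST requests.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2022:08:01:12 +1000] "GET /portal/login.aspx HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2022:08:01:13 +1000] "POST /portal/login.aspx HTTP/1.1" 302 0 "https://portal.example/portal/login.aspx" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2022:08:15:44 +1000] "GET /portal/upload.aspx?file=../../wwwroot/img/cache.aspx HTTP/1.1" 200 88 "-" "python-requests/2.28"
198.51.100.7 - - [12/Aug/2022:08:15:59 +1000] "POST /img/cache.aspx HTTP/1.1" 200 412 "-" "python-requests/2.28"
198.51.100.7 - - [12/Aug/2022:08:16:30 +1000] "POST /img/cache.aspx HTTP/1.1" 200 1931 "-" "python-requests/2.28"
203.0.113.9 - - [12/Aug/2022:08:20:02 +1000] "GET /img/logo.png HTTP/1.1" 200 8420 "https://portal.example/portal/home.aspx" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse(log_text):
    """Yield one dict per parseable combined-format line; skip malformed lines."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(log_text, baseline):
    """Return a list of findings: {ip, ts, path, reason} for each suspicious request."""
    findings = []
    for r in parse(log_text):
        path, _, query = r["target"].partition("?")
        is_script = path.lower().endswith(SCRIPT_EXT)
        reasons = []
        if is_script and path not in baseline:
            reasons.append("request to script outside application baseline")
        if is_script and r["method"] == "POST" and r["referer"] == "-":
            reasons.append("POST to script with no Referer (tool-driven, not browser navigation)")
        if "../" in query or "..%2f" in query.lower():
            reasons.append("path traversal in query string")
        for reason in reasons:
            findings.append({"ip": r["ip"], "ts": r["ts"], "path": path, "reason": reason})
    return findings


def summarize(findings):
    """Group findings per source IP: number of hits and the distinct paths touched."""
    per_ip = defaultdict(lambda: {"hits": 0, "paths": set()})
    for f in findings:
        per_ip[f["ip"]]["hits"] += 1
        per_ip[f["ip"]]["paths"].add(f["path"])
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in summarize(analyze(SAMPLE_LOG, BASELINE)).items():
        print(f"{ip}: {info['hits']} suspicious requests, paths={sorted(info['paths'])}")
```

In the sample data only 198.51.100.7 is flagged: once for the traversal in the upload request and twice each for the two POSTs to `/img/cache.aspx`, a script the baseline does not know about. A single rule would produce noise on its own (legitimate API clients also POST without a Referer), which is why the checks are combined per request and then summarized per source address; in production the baseline would be generated from the deployed application rather than hand-written, and the summary would feed a ticket or a WAF block rather than stdout.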

Overall, APT40's activity illustrates the persistence and adaptability of state-sponsored threat actors: the group moves from public disclosure of a vulnerability to exploitation quickly, and it hides its traffic behind infrastructure that looks legitimate. Organizations that patch promptly, log comprehensively, and apply the other controls above are better placed to detect such intrusions early and to protect sensitive data from them.
