Multiple international cybersecurity agencies jointly warn of a PRC state-sponsored cyber group, linked to the Ministry of State Security and known by various names like APT40, Leviathan.
The group, based in Hainan Province, has targeted organizations globally, including in Australia and the US.
The Australian authorities recently released an advisory that provides case studies of their techniques, offering cybersecurity practitioners insights to identify, prevent, and remediate intrusions by this threat actor.
Chinese APT40 Is Ready To Exploit
APT40, though a persistent concern for Australian and other regional networks, adapts quickly to take advantage of fresh vulnerabilities.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
They perform regular reconnaissance missions to identify weak infrastructural spots and prioritize the theft of credentials.
Having compromised websites in the past, the group shifted its focus to SOHO devices and is now using them as operational infrastructure and last-hop redirectors.
Like certain PRC-backed state actors, APT40’s adoption of this strategy enables it to pass off as actual traffic while encountering network defenders.
The investigation was triggered by the Australian Signals Directorate’s ACSC as a result of a network compromise by APT40 between July and September 2022.
The group abused a custom web application, which led to multiple access vectors and horizontal movement inside the network.
There was host enumeration, web shell usage, and sensitive data exfiltration including privileged credentials.
Through investigations, it has been established that there was deliberate targeting of a state-sponsored actor which underscores the need for proper network security measures as well as logging configurations.
Here’s the timeline:-
The MITRE ATT&CK framework documents the cyber threat tactics. In April 2022, APT40 most likely breached an organization’s network by using a vulnerable remote access portal.
Web shells were planted to execute credential theft and potentially gain unauthorized access to internal systems.
The major tricks that they used involved public-facing apps’ exploitation, web shells deployment, login data capture, and lateral movement trials.
Australian Cyber Security Centre, established under the jurisdiction of the Australian Signals Directorate investigated and provided recommendations for remediation.
Mitigations
Here below we have mentioned all the mitigations:-
- Maintaining proper logging history
- Patch management
- Network segmentation
- Disable unnecessary network services and ports
- Implement web application firewalls (WAFs)
- Enforce least privilege access
- Use multi-factor authentication (MFA) for all remote access
- Replace outdated equipment
- Review and secure custom applications
"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo