China Continues to Hack

In a show of international cooperation, intelligence and cybersecurity agencies from eight countries have jointly accused China of orchestrating a series of cyberattacks on government networks. The United States, United Kingdom, Canada, Australia, New Zealand, Germany, Japan, and South Korea have pointed the finger at APT40, a hacking group believed to be sponsored by China's Ministry of State Security.

See:  https://redskyalliance.org/transportation/anchor-panda-and-periscope-threat-actors-targeting-maritime-opera

The US Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies released a detailed advisory outlining APT40's tactics, techniques, and procedures (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a). According to the advisory, APT40 "has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing."[1]

One of the most alarming aspects of APT40's operations is its speed in exploiting new vulnerabilities.  The advisory states that the group "possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks."

Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit, emphasized the urgency of this threat, saying, "The race condition to win the war of patching is real, especially when it comes to nation-state groups like APT40 that weaponize exploits within hours or days of a patch release."

The group's tactics include exploiting vulnerable public-facing infrastructure, compromising credentials for privileged accounts, and using end-of-life or unpatched small-office/home-office (SOHO) devices as attack launching points.  They've been known to exploit vulnerabilities in widely used software such as Log4j, Atlassian Confluence, and Microsoft Exchange.

Darren Guccione, CEO and Co-Founder at Keeper Security, offered advice for organizations, saying, "Security teams must patch vulnerabilities promptly and keep an eye on advisories from trusted sources, especially in the case of APT40, which quickly adapts public proof-of-concept exploits."  He also stressed the importance of multi-factor authentication, regular audits of privileged accounts, and network segmentation.

The advisory includes anonymized case studies detailing APT40's intrusions into government networks.  In one instance, the group exploited a custom web application to gain initial access, then used compromised credentials to query Active Directory and exfiltrate data from multiple machines.

Tal Mandel Bar, Product Manager at DoControl, noted that while APT40 is sophisticated, much of its success comes from exploiting basic security lapses: "Focusing on core security hygiene (patching, access controls, monitoring) can go a long way in defending against groups like this," Mandel Bar said.
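As an added example (not from the advisory or from Red Sky Alliance), the following Python correlates the three stages of the case study above, a privileged logon from a public-facing host, a directory query, then a large outbound transfer, over constructed sample events; the host names, account names and the 500 MB threshold are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    ts: int       # constructed timestamp (seconds), used only for ordering
    host: str     # source host of the event
    kind: str     # "logon", "ldap" (directory query) or "egress" (outbound MB)
    detail: str   # account name, LDAP target, or megabytes transferred

# Constructed sample telemetry, not real data: a public-facing web server
# authenticates with a privileged account, queries the domain controller,
# then pushes a large volume of data outbound.
SAMPLE = [
    Event(100, "web01", "logon", "svc_backup"),
    Event(160, "web01", "ldap", "dc01"),
    Event(400, "web01", "egress", "850"),
    Event(110, "web02", "ldap", "dc01"),        # no privileged logon first
    Event(300, "web02", "egress", "900"),
    Event(120, "fs02", "logon", "svc_backup"),  # internal host, expected behaviour
    Event(130, "fs02", "ldap", "dc01"),
    Event(140, "fs02", "egress", "12"),
]
PUBLIC_FACING = {"web01", "web02"}            # assumed inventory of exposed hosts
PRIVILEGED = {"svc_backup", "Administrator"}  # assumed privileged accounts

def flag_hosts(events, public_facing, privileged, egress_mb=500):
    """Return public-facing hosts where a privileged logon is followed by a
    directory query and then an outbound transfer of at least egress_mb."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    findings = []
    for host, evs in by_host.items():
        if host not in public_facing:
            continue
        logon = next((e.ts for e in evs if e.kind == "logon" and e.detail in privileged), None)
        if logon is None:
            continue
        ldap = next((e.ts for e in evs if e.kind == "ldap" and e.ts > logon), None)
        if ldap is None:
            continue
        if any(e.kind == "egress" and e.ts > ldap and int(e.detail) >= egress_mb for e in evs):
            findings.append(host)
    return sorted(findings)

if __name__ == "__main__":
    print(flag_hosts(SAMPLE, PUBLIC_FACING, PRIVILEGED))  # ['web01']
```

The ordering check matters: web02 shows the same directory query and egress volume but is not flagged because no privileged logon precedes them, which keeps the rule from firing on every noisy exposed host.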

This joint advisory marks a significant step in international cybersecurity cooperation. By sharing information and presenting a united front, these countries aim to shine a spotlight on China's alleged state-sponsored hacking activities and push for accountability in the global cyber arena.

As organizations worldwide grapple with this threat, the message from cybersecurity experts is clear: rapid patching, robust monitoring, and solid security fundamentals are vital to defending against APT40 and similar state-sponsored threat actors.


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424


[1] https://www.secureworld.io/industry-news/intel-agencies-accuse-china-hacking
