Tuesday, July 16, 2024

China's APT40 Gang is Ready to Attack Vulnerabilities Within Hours or Days

An advisory led by Australia, involving law enforcement agencies from the US, Canada, New Zealand, Japan, South Korea, the UK, and Germany, has revealed the tradecraft of the China-aligned threat actor APT40, also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk. This state-sponsored cyber group, backed by the PRC Ministry of State Security, prioritizes developing and deploying exploits for new vulnerabilities rapidly. The advisory details how APT40 conducts regular reconnaissance to identify unpatched or obsolete devices, allowing swift deployment of exploits. 


APT40's targets include vulnerabilities in widely deployed software such as Log4j and Microsoft Exchange, and the group often routes its operations through end-of-life small-office/home-office (SOHO) devices so that its activity blends in with legitimate traffic. The group uses web shells and hunts for valid user credentials to maintain persistent access, ultimately installing malware to exfiltrate information.


The advisory provides mitigation tactics such as logging, patch management, network segmentation, multifactor authentication, disabling unused services, web application firewalls, least privilege access, and replacing outdated equipment. It also includes links to ten malware samples used by APT40 and two case studies, though these may now be outdated. This information stems from the Australian Cyber Security Centre's 2022 investigation into an APT40 attack on a local organization.


https://bit.ly/4bKhM24


"The advisory is the result, and suggests that APT40 'possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability.' The gang also watches networks of interest to look for unpatched targets."


"...Some of the vulns APT40 targets are old news – Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084), and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473) are high on the hit list."


"The advisory outlines mitigation tactics that are said to offer decent defences against APT40. They're not rocket science: logging, patch management, and network segmentation are all listed.

So are multifactor authentication, disabling unused network services, use of web application firewalls, least privilege access, and replacement of end-of-life equipment."

Wednesday, July 10, 2024

Europol's Cobalt Strike Crackdown


International joint operations are strongly needed against the bad guys.

Europol announced that a week-long operation at the end of June took down nearly 600 IP addresses that hosted unlicensed copies of Cobalt Strike.


Cobalt Strike is a commercial penetration testing tool for red team operations. It provides a command and control framework, the Beacon payload for post-exploitation, and support for attack vectors such as spear-phishing, and it is used to emulate advanced threats in order to test and strengthen an organization's defenses.


https://bit.ly/3XWM66f


"Europol said the disruptive action, dubbed Operation Morpheus, is the culmination of work that began three years ago. It was carried out with partners in the private sector between June 24 and 28."


"A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down."


"This investigation was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States. Europol coordinated the international activity and liaised with the private partners."


"Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation-state actors, such as Russian and Chinese [groups], to facilitate intrusions in cyber espionage campaigns."


"According to its telemetry, China hosts 43.85 percent of Cobalt Strike resources. To put that in context, the next biggest distributor is the US with a 19.08 percent share."


"Since Fortra bought Cobalt Strike in 2020, it has made strides in ensuring criminals don't get access to legitimate versions of its tools. For example, it soon started vetting all applicants vigorously before giving licenses out, but cracked versions in hard-to-reach places like China may prove difficult to eradicate for good."

Monday, June 24, 2024

Firewalls vs. 911

Imagine that you are in an emergency situation and are calling the emergency number (911, 112, etc.) of your country but you cannot reach them. What would you do and how would you feel?

Well, this is not just a hypothetical scenario: it actually happened in Massachusetts, USA (a state with a population of almost 7 million). The state's 911 system was unreachable for two hours because of a safety feature on a firewall that was supposed to provide protection against cyberattacks and hacking. Ironically, the feature seems to have succeeded in blocking not only cyberattacks but legitimate callers as well.


An additional firewall feature can improve your confidentiality, but it can also cripple the availability of your system (remember the AIC triad: availability, integrity, confidentiality). You have to be more than careful if you are working with the critical infrastructure of a region. Money costs can be affordable but life costs CANNOT.


https://bit.ly/3zg0s7I


"On June 18, 2024, at approximately 1:15 pm, the Massachusetts State 911 Department became aware of a statewide interruption to the 911 system. The disruption lasted approximately two hours until operation was fully restored at 3:15 pm."


"A preliminary investigation conducted by the State 911 Department and Comtech determined that the outage was the result of a firewall, a safety feature that provides protection against cyberattacks and hacking. The firewall prevented calls from getting to the 911 dispatch centers, also known as Public Safety Answer Points (PSAPs). Comtech's initial review of the incident has confirmed that the interruption was not the result of a cyberattack or hack; however, the exact reason the firewall stopped calls from reaching dispatch centers remains under review."


"In 2023, Massachusetts’ 204 Public Safety Answering Points received a total average of 8,800 calls a day."

Tuesday, May 21, 2024

Norway Recommends Replacing SSL VPN to Prevent Breaches


A nice cybersecurity step from the Norwegian National Cyber Security Centre (NCSC).

The Norwegian National Cyber Security Centre (NCSC) recommends replacing SSLVPN/WebVPN solutions with alternatives due to the repeated exploitation of related vulnerabilities in edge network devices to breach corporate networks.


NCSC's official recommendation for users of Secure Socket Layer Virtual Private Network (SSL VPN/WebVPN) products is to switch to Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).


IKEv1 itself has had vulnerabilities in some product families, e.g. the "IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products" (CVE-2016-6415, CVSS 3.0 base score 7.5), so the recommendation is specifically IKEv2, not IPsec in general.


https://bit.ly/4dGmfVI


"The Norwegian National Cyber Security Centre (NCSC) recommends replacing SSLVPN/WebVPN solutions with alternatives due to the repeated exploitation of related vulnerabilities in edge network devices to breach corporate networks."


"While the cybersecurity organization admits IPsec with IKEv2 isn't free of flaws, it believes switching to it would significantly reduce the attack surface for secure remote access incidents due to having reduced tolerance for configuration errors compared to SSLVPN."


"Unlike IPsec, which is an open standard that most companies follow, SSLVPN does not have a standard, causing network device manufacturers to create their own implementation of the protocol."


"As an example, Fortinet revealed in February that the Chinese Volt Typhoon hacking group exploited two FortiOS SSL VPN flaws to breach organizations, including a Dutch military network."


"In 2023, the Akira and LockBit ransomware operations exploited an SSL VPN zero-day in Cisco ASA routers to breach corporate networks, steal data, and encrypt devices.

Earlier that year a Fortigate SSL VPN vulnerability was exploited as a zero-day against government, manufacturing, and critical infrastructure."
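To make the recommendation above concrete, here is what "IPsec with IKEv2" looks like when pinned down in a gateway configuration. This is an added example and not part of the NCSC advisory or the quoted article; the use of strongSwan's swanctl.conf format is my own choice, and the addresses, identities, certificate file name and address pool are constructed placeholders. The line that matters is `version = 2`: with the default value of 0 the gateway would negotiate either IKE version, leaving the older IKEv1 code path reachable, which is exactly the kind of configuration slack the NCSC says IPsec tolerates less of than SSL VPN.

```conf
# Added example: strongSwan swanctl.conf for an IKEv2-only remote-access gateway.
# Every address, identity and file name below is a constructed placeholder.
connections {
    remote-access {
        # Weak setting (the strongSwan default) would be:
        #   version = 0        # accept either IKEv1 or IKEv2
        # Corrected: negotiate IKEv2 only, so IKEv1 is never offered or accepted.
        version = 2

        # Public address of the gateway (placeholder).
        local_addrs = 192.0.2.1

        # Restrict IKE SA proposals to an AEAD cipher and a modern ECDH group.
        proposals = aes256gcm16-prfsha384-ecp384

        local {
            # Gateway authenticates with its certificate (placeholder file name,
            # expected under /etc/swanctl/x509/).
            auth = pubkey
            certs = vpn-gateway.pem
            id = vpn.example.com
        }
        remote {
            # Clients authenticate with their own certificates via EAP-TLS.
            auth = eap-tls
            eap_id = %any
        }

        # Virtual IPs handed out to clients come from the pool defined below.
        pools = rw-pool

        # Dead peer detection so stale IKE SAs are cleared.
        dpd_delay = 30s

        children {
            internal {
                # Internal networks reachable through the tunnel (placeholder).
                local_ts = 10.0.0.0/8
                # ESP proposal with an ECDH group, which also gives PFS on rekey.
                esp_proposals = aes256gcm16-ecp384
                dpd_action = clear
            }
        }
    }
}

pools {
    rw-pool {
        # Placeholder range of virtual client addresses.
        addrs = 10.10.0.0/24
    }
}
```

After editing the file, `swanctl --load-all` reloads the configuration, and `swanctl --list-conns` should show the connection with IKEv2 as the only version; if a client still offers IKEv1, the gateway rejects the exchange rather than silently falling back.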

Monday, May 13, 2024

Payroll Data Breach at the UK Ministry of Defence



If your systems rely on digital platforms (which is inevitable today), then you are not exempt from cyberattacks. If you have not taken the necessary cybersecurity countermeasures, the outcome is not hard to guess.

The cyber victim of this week was the Ministry of Defence of the United Kingdom.


The UK Government has confirmed a cyberattack on the payroll system used by the Ministry of Defence (MoD), in which hackers accessed personal information of former armed forces personnel, including names, financial data, and in some cases home addresses.


The affected systems have been pulled offline but there is no indication as to how long the attackers had access to the data.


https://bit.ly/3JWRXAz


"UK Government has confirmed a cyberattack on the payroll system used by the Ministry of Defence (MoD) led to "malign" forces accessing data on current and a limited number of former armed forces personnel.


There is no evidence to suggest that the criminals who broke into the systems actually removed any data, but they did access personal information including names, financial data, and in some cases home addresses."


"The UK isn't formally attributing the activity to any specific individual or group, but sources speaking to Sky, which broke the news, suggested China was behind it."