Tuesday, July 16, 2024

China's APT40 Gang is Ready to Attack Vulnerabilities Within Hours or Days

An advisory led by Australia, involving law enforcement agencies from the US, Canada, New Zealand, Japan, South Korea, the UK, and Germany, has revealed the tradecraft of the China-aligned threat actor APT40, also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk. This state-sponsored cyber group, backed by the PRC Ministry of State Security, prioritizes developing and deploying exploits for new vulnerabilities rapidly. The advisory details how APT40 conducts regular reconnaissance to identify unpatched or obsolete devices, allowing swift deployment of exploits. 


APT40 targets vulnerabilities in software such as Log4j and Microsoft Exchange, and often routes its attacks through compromised end-of-life small-office/home-office (SOHO) devices so that its traffic blends in with legitimate traffic. The group deploys web shells and hunts for valid user credentials to maintain persistent access, ultimately installing malware to exfiltrate information.


The advisory lists mitigations such as logging, patch management, network segmentation, multifactor authentication, disabling unused services, web application firewalls, least-privilege access, and replacement of outdated equipment. It also includes links to ten malware samples used by APT40 and two case studies, though these may now be outdated. The information stems from the Australian Cyber Security Centre's 2022 investigation into an APT40 attack on a local organization.


https://bit.ly/4bKhM24


"The advisory is the result, and suggests that APT40 'possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability.' The gang also watches networks of interest to look for unpatched targets."


"...Some of the vulns APT40 targets are old news – Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084), and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473) are high on the hit list."


"The advisory outlines mitigation tactics that are said to offer decent defences against APT40. They're not rocket science: logging, patch management, and network segmentation are all listed.

So are multifactor authentication, disabling unused network services, use of web application firewalls, least privilege access, and replacement of end-of-life equipment."

Wednesday, July 10, 2024

Cobalt Strike Crackdown by Europol


International joint operations are strongly needed against the bad guys.

Europol announced that a week-long operation at the end of June took down nearly 600 IP addresses that were hosting illegal copies of Cobalt Strike.


Cobalt Strike is a commercial penetration testing tool for red team operations. It provides a command and control framework, the Beacon payload for post-exploitation, and support for attack vectors such as spear-phishing, and it is used to emulate advanced threats in order to test and strengthen an organization's defenses.


https://bit.ly/3XWM66f


"Europol said the disruptive action, dubbed Operation Morpheus, is the culmination of work that began three years ago. It was carried out with partners in the private sector between June 24 and 28."


"A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down."


"This investigation was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States. Europol coordinated the international activity and liaised with the private partners."


"Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation-state actors, such as Russian and Chinese [groups], to facilitate intrusions in cyber espionage campaigns."


"According to its telemetry, China hosts 43.85 percent of Cobalt Strike resources. To put that in context, the next biggest distributor is the US with a 19.08 percent share."


"Since Fortra bought Cobalt Strike in 2020, it has made strides in ensuring criminals don't get access to legitimate versions of its tools. For example, it soon started vetting all applicants vigorously before giving licenses out, but cracked versions in hard-to-reach places like China may prove difficult to eradicate for good."