The Certified Information Systems Auditor (CISA) recently published a joint security advisory on APT40, a threat group known for its prominent role in China’s cyber espionage and state-sponsored operations, similar to the previously reported APT41. Multiple national international security and intelligence agencies contributed to the data in the APT40 advisory, which documents two case studies. The case studies provide information about APT40’s recent attacks against Australian networks and their attack structure. The advisory also includes defensive and remediation approaches to counteract them.

To grasp the significance of CISA’s findings, it’s crucial to dive deeper into the nature of APT40’s operations and the implications for cybersecurity. Let’s explore the key insights and strategic recommendations highlighted in the advisory.

Identifying APT40

APT40 is a nation-state sponsored threat group that has executed cyberattacks against multiple regions, which include the United States, Australia, and countries in Europe. CISA reported that China’s Ministry of State Security (MSS) supports APT40’s activities. Intelligence agencies linked their operations to a Hainan division known as the Hainan State Security Department. The threat group remains a strategically motivated, resourceful, and formidable adversary in their cyber espionage and economic campaigns. CISA referenced observations made by the Australian Signals Directorate’s ACSC in their notice, including APT40’s victims. The targets of APT40 span government entities, defense contractors, healthcare, engineering companies, research institutions, and managed service providers.

The threat group has been active for more than a decade, with operations predating 2014. There are various aliases used for APT40 and threat groups who engage in similar tactics. According to CISA, these include Bronze Mohawk, Gingham Typhoon, Kryptonite Panda, and Leviathan. Other aliases include Mudcarp, Bronze Mohawk, TEMP.Periscope, TEMP.Jumper, and Gadolinium.

Components of an APT40 Attack

Reconnaissance and Initial Access

APT40 makes use of different tools, both open source and customized, to perform reconnaissance, whichmay consist of scraping victim domains and old archives or examining other data collated from past attacks.

CISA established that APT40 has the resources to identify hosts which is vital for them to plan timely cyberattacks. APT40 can run open-source scanners or custom scripts to execute commands that return data about specific vulnerable hosts in a target environment. Equipped with utilities that typically exploit known vulnerabilities like Log4J, Microsoft Exchange and Atlassian they can gain the first foothold into a vulnerable application or server.

Maintaining Access

Following initial access to the environment and the mapping of its structures, APT40 can manage additional tools –including a Trojan – to modify system settings, escalate privileges, and create new accounts and a backdoor, written in JavaScript to establish persistence. Conditions to run scheduled tasks and run an executable at startup are set to ensure that the malware persists.

Command-and-Control

At the command-and-control (C2) stage, it is common for APT40 to use either PowerShell frameworks or web shells combined with their own infrastructure (server) to communicate with and the victim’s system and exercise control.

CISA identified a shift in APT40's command and control (C2) tactics, indicating a more sophisticated approach. Previously, APT40 relied solely on their own infrastructure, like dedicated servers and domains, to communicate with compromised victim networks. However, they've recently expanded their toolbox by leveraging compromised Small Office/Home Office (SOHO) devices.

Think of SOHO devices as everyday network equipment found in small businesses and home offices. This includes routers, switches, and Network Attached Storage (NAS) devices. Once APT40 gains control of these devices, they can exploit them as proxies. In essence, these compromised SOHO devices act like intermediaries, relaying APT40's instructions (C2 traffic) to the infected network. This obfuscates the true source by masking it with legitimate protocols, like HTTPS, making it appear like normal internet traffic.

Exfiltration

In the exfiltration phase, CISA called attention to APT40’s archiving of files and directories. The threat actor may then transfer that data to a temporary path that is commonly accessible. Then, they leverage RDP or other protocols to route the data back to the C2 infrastructure. File sync agents are other tools they can employ.

Indicators of Compromise

The table below includes hashes of APT40’s tools that were recently reported.

Hashes

MD5	File Name
26a5a7e71a601be991073c78d513dee3	horizon.jsp
87c88f06a7464db2534bc78ec2b915de	Index_jsp$ProxyEndpoint$Attach.class
6a9bc68c9bc5cefaf1880ae6ffb1d0ca	Index_jsp.class
64454645a9a21510226ab29e01e76d39	Index_jsp.java
e2175f91ce3da2e8d46b0639e941e13f	Index_jsp$ProxyEndpoint.class
9f89f069466b8b5c9bf25c9374a4daf8	Index_jsp$ProxyEndpoint$1.class
187d6f2ed2c80f805461d9119a5878ac	Index_jsp$ProxyEndpoint$2.class
ed7178cec90ed21644e669378b3a97ec	Nova_jsp.class
5bf7560d0a638e34035f85cd3788e258	Nova_jsp$TomcatListenerMemShellFromThread.class
e02be0dc614523ddd7a28c9e9d500cff	Nova_jsp.java

Remediation Strategies

There are several strategies that can be implemented to reduce the likelihood and impact of an APT attack. These include:

Patch Management: Patch management refers to a set of actions companies take to deploy a fix while identifying and mitigating critical vulnerabilities. Regularly deploying patches enables an organization to lower the risk of an attack due to unpatched or out of date systems and software. Patch management protocols should also support common vulnerability management practices such as prioritizing issues based on their criticality.
IAM Practices: A crucial part of Identity and Access Management (IAM) lies in maintaining least privilege security, only allowing the access type(s) and services necessary for a user to perform their essential responsibilities is one way to prevent the misuse of user accounts. Also, implementing a strong password policy and multi-factor authentication (MFA) can make it harder for an attacker to obtain credentials in a cyberattack.
Network Segmentation: A network is a vast space made up of physical and virtual assets and their integrated components. Keeping critical areas of a network contained on a separate subnetwork helps to limit opportunities for an attack to reach a wider population.
Defense in Depth: Multilayered security is a proactive approach for managing security controls that fulfil security objectives in more than one category, including prevention, protection, detection, and response.
Collecting and analyzing log data are actions that support essential operations like monitoring events, performing post-incident analysis, and conducting forensic investigations. Updating the events and log configurations to ensure that a range of relevant security events are captured and visible allows an organization to track and examine anomalous activities.
Detection and Response: Detection and response technologies such as Managed Detection and Response, Endpoint Detection and Response, and Extended Detection and Response are often leveraged so an organization can be promptly alerted to potential threats in their environment and take the measures needed to assess and respond to the threat.
Threat Intelligence: Understanding how a threat actor operates and the nature of their attacks is important. A threat intelligence solution such as Bitdefender’s IntelliZone takes all the knowledge we have gathered regarding cyber threats and the associated threat actors into a single pane of glass for the security analysts. IntelliZone also includes access to Bitdefender’s next-generation malware analysis service.

By implementing these strategies, organizations can reduce their attack surface and strengthen their defenses to protect their assets against threats posed by cyber adversaries in our evolving threat landscape.