The Chinese state-sponsored threat group known as APT40 is targeting Australian government and private sector networks, according to a joint agency advisory. The advisory, co-authored by the Australian Cyber Security Centre (ACSC), CISA, the FBI, the National Security Agency, the U.K.'s National Cyber Security Centre, and several other agencies, warns that APT40 poses an ongoing threat to several countries [c947b642].
APT40 has the capability to rapidly adapt exploit proof-of-concepts (POCs) for newly disclosed vulnerabilities and immediately use them against target networks. The group has been observed exploiting known vulnerabilities and compromising small office/home office (SOHO) devices [c947b642].
In July 2021, the U.S. and its allies indicted several members of APT40 for orchestrating a multiyear campaign aimed at stealing trade secrets, intellectual property, and high-value information [fee475de].
The advisory provides examples of intrusions and urges organizations to implement effective logging, patch management, and multi-factor authentication. Its recommended mitigations are maintaining logging mechanisms, enforcing multi-factor authentication, implementing patch management, replacing end-of-life equipment, disabling unused services, ports, and protocols, and segmenting networks [c947b642] [fee475de].
This joint advisory sheds light on the ongoing threat posed by APT40 and emphasizes the need for organizations to implement robust cybersecurity measures to protect against the group's rapid exploit adaptation. It also highlights the previous indictment of APT40 members for their involvement in cyber espionage activities [c947b642] [fee475de].
Since as early as 2017, the Chinese threat group APT40 has been rapidly weaponizing proof-of-concept (POC) exploits for new vulnerabilities and using them against networks with end-of-life devices. The group targets widely used software such as Atlassian Confluence and Microsoft Exchange, exploiting vulnerabilities like CVE-2021-44228, CVE-2021-31207, CVE-2021-26084, CVE-2021-34523, and CVE-2021-34473. APT40 is expected to continue exploiting new vulnerabilities within hours or days of their public release. The group prefers exploiting vulnerable, public-facing infrastructure over phishing campaigns and aims to obtain valid credentials for follow-on activities. Security teams are urged to prioritize rapid patching of internet-facing systems. Multi-factor authentication, regular audits of privileged accounts, network segmentation, continuous monitoring, and incident response plans are recommended countermeasures [387f41aa].
This new information highlights APT40's targeting of end-of-life devices and its preference for exploiting vulnerable, public-facing infrastructure. It also provides specific vulnerabilities that the group has been observed exploiting. The advisory emphasizes the importance of rapid patching, multi-factor authentication, and other countermeasures to mitigate the risk posed by APT40 [387f41aa].
Chinese state-sponsored threat group APT40 is actively exploiting newly discovered software vulnerabilities at a rapid pace. The group focuses on public-facing infrastructure and aims to obtain valid credentials for follow-on activities. APT40 conducts extensive reconnaissance against networks of interest and deploys web shells for persistence. The stolen data is used for state espionage and transferred to Chinese companies. The group has evolved its techniques, including using compromised endpoints for operations. A joint advisory by multiple government agencies provides details on APT40's tactics, techniques, and procedures [8e8d8a28].