Chinese Threat Group APT40 Exploits N-Day Vulns at Rapid Pace

APT40, a Chinese state-sponsored actor, is targeting newly discovered software vulnerabilities with the goal of exploiting them within hours, according to a joint government advisory.

The advisory — authored by the Cybersecurity and Infrastructure Security Agency, FBI, and National Security Agency in the US, as well as government agencies in Australia, the UK, Canada, New Zealand, Germany, South Korea, and Japan — said the cyber group has targeted organizations in a variety of different arenas, using techniques that are commonly used by other state-sponsored actors in China. It has repeatedly targeted Australian networks, for instance, and it remains an ongoing threat, the agencies warned.

Rather than using techniques that require user interaction, the group seemingly prefers to exploit vulnerable, public-facing infrastructure and prioritizes obtaining valid credentials. It often hops on public exploits as soon as they become available, setting up a "patching race" condition for organizations.

"The focus on public-facing infrastructure is interesting. It shows they're looking for the path of least resistance; why bother with elaborate phishing campaigns when you can just hit exposed vulnerabilities directly?" says Tal Mandel Bar, product manager at DoControl.

The APT targets newly disclosed bugs but also has plenty of older exploits at its disposal, the agencies said. Thus, a comprehensive vulnerability management effort is in order.

"it’s imperative for security teams to patch vulnerabilities promptly and keep an eye on advisories from trusted sources, especially in the case of APT40, which quickly adapts public proof-of-concept (PoC) exploits," Darren Guccione, CEO and co-founder at Keeper Security, wrote in an email to Dark Reading. "Because this group regularly exploits vulnerable, end-of-life or no longer maintained devices — including vulnerabilities from as early as 2017 — it is imperative that organizations regularly update their software and apply patches as soon as vulnerabilities are made public. Devices that are no longer maintained or cannot be patched quickly should be taken offline."

APT40's Extensive Reconnaissance Efforts

APT40 regularly conducts reconnaissance against networks of interest, "including networks in the authoring agencies' countries, looking for opportunities to compromise its targets," according to the joint advisory. The group then deploys Web shells for persistence, and focuses on exfiltrating information from sensitive repositories.

"The data stolen by APT40 serves dual purposes: It is used for state espionage and subsequently transferred to Chinese companies," Chris Grove, director of cybersecurity strategy at Nozomi Networks, wrote in an emailed statement to Dark Reading. "Organizations with critical data or operations should take these government warnings seriously and strengthen their defenses accordingly. One capability that assists defenders in hunting down these types of threats is advanced anomaly detection systems, acting as intrusion detection for attackers able to 'live off the land' and avoid deploying malware that would reveal their presence."

APT40 has evolved its techniques, as well, embracing using compromised endpoints such as small-office/home-office (SOHO) devices for operations, which have ultimately led to the authoring agencies being able to better track the group. That tactic, infamously used by Volt Typhoon, is one of many aspects of the group's activity that's similar to other China-backed threat groups such as Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk, the advisory noted.

In the advisory, the agencies provide mitigation techniques for the four main types of tactics, techniques, and procedures (TTPs) that APT40 uses, including initial access, execution, persistence, and privilege escalation.