Close allies of the United States detailed how APT40 is conducting attacks on end-of-life devices in Australia and warn in a joint advisory that the Chinese state-sponsored group is a threat.
The July 8 advisory was issued by security agencies from the United States, Australia, Canada, Germany, Japan, New Zealand, South Korean and the United Kingdom. The list of agencies from the United States included the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA).
Most notably, the authors said that as early as 2017, APT40 has had the ability to rapidly transform and exploit proof-of-concepts (POCs) of new vulnerabilities and immediately use them against its targets, typically networks with end-of-life devices.
APT40 then exploits newly public vulnerabilities in widely used software such as Log4j (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473).
The security agencies said they expected APT40 to continue using POCs for new high-profile vulnerabilities within hours or days of public release. They also said APT40 tends to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns, and APT40 aims to obtain valid credentials to conduct a range of follow-on activities.
“APT40's speed in exploiting new vulnerabilities is definitely concerning,” said Tal Mandel Bar, product manager at DoControl. “They're essentially weaponizing PoC code almost as fast as it's published. This puts a lot of pressure on security teams to patch quickly.”
Bar added that the focus on public-facing infrastructure is interesting, saying it shows APT40 will look for the path of least resistance: Why bother with elaborate phishing campaigns when you can just hit exposed vulnerabilities directly?
“For security teams, this really emphasizes the importance of rapid patching, especially for internet-facing systems,” said Bar. “You can't afford to drag your feet when APT40 could be exploiting a new vulnerability within hours.”
Darren Guccione, co-founder and CEO at Keeper Security added that multi-factor authentication and regular audits of privileged accounts are essential to counter APT40’s focus on compromised credentials. Teams also need to apply network segmentation and continuous monitoring, which Guccione said will aid in catching intrusions early.
“Additionally, having a solid incident response plan in place and running regular drills can keep teams prepared for cyber threats,” said Guccione. “Because this group regularly exploits vulnerable, end-of-life or no longer maintained devices — including vulnerabilities from as early as 2017 — it is imperative that organizations regularly update their software and apply patches as soon as vulnerabilities are made public. Devices that are no longer maintained or cannot be patched quickly should be taken offline.”
