NCSC issues urgent security alert over Chinese threat actor's 'evolving' techniques

A group called 'APT40' working for China's Ministry of State Security is allegedly capable of exploiting POCs within hours or days of public release

The NCSC and CISA have joined with six other countries' cyber security agencies to issue a warning about the new tactics being used by Chinese state-sponsored cyber attackers.

A threat actor called 'APT40' is believed to be conducting malicious cyber operations on behalf of China's Ministry of State Security, the advisory said.

It has been blamed for breaching both government and private networks in Australia, and has the ability to "rapidly transform and adapt exploit proof-of-concepts (POCs) of new vulnerabilities" and "immediately utilise them against target networks."

The advisory's authors expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.

"The threat group APT40 has embraced the trend of exploiting vulnerable small-office and home-office (SoHo) devices as a launching pad for attacks," the NCSC wrote. "These devices are softer targets when they are not running the latest software, or are no longer supported with security updates, and they more easily conceal malicious traffic."

APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473).

Previously reported as being based in Haikou, Hainan Province, and taking its orders from the PRC MSS, the Hainan State Security Department, APT40's activity and techniques "overlap" with the cybercrime groups Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk.

According to the advisory, APT40 prefers exploiting vulnerable, public-facing infrastructure over techniques that require user interaction such as phishing campaigns.

It also "places a high priority on obtaining valid credentials for follow-on activities" and conducts regular reconnaissance against networks of interest.

Through this reconnaissance, it is able to identify vulnerable, end-of-life and no-longer-maintained devices that it can exploit.

Source: Cyber.GOV.AU

The advisory shares two case studies of APT40 intrusions. In the first instance, the threat actor was able to access vast amounts of sensitive data by moving laterally through the network. Access was largely possible due to the group's establishment of multiple access vectors into the network, the network's flat structure, and the use of insecure internally developed software that could be manipulated to perform arbitrary file uploads.

In the second instance, the threat actor compromised part of an organisation's network via the organisation’s remote access login portal. The affected server was likely compromised by multiple actors and was affected by a remote code execution vulnerability.

The threat actor was able to exfiltrate several hundred unique username and password pairs, along with a number of multi-factor authentication codes and technical artefacts related to remote access sessions.

In terms of mitigation, the advisory recommends reviewing and implementing the guidance on Windows Event Logging and Forwarding, along with prompt patch management to mitigate any public vulnerabilities.

The advisory also recommends network segmentation to make it more difficult for threat actors to gain access to sensitive data.
