AdvisoriesCISAAA24-190AJuly 9, 2024
July 9, 2024
The advisory, authored by multiple international cybersecurity agencies, outlines the activities of a PRC state-sponsored cyber group, identified as APT40, targeting networks in various countries including Australia. This group, associated with the PRC Ministry of State Security (MSS), is known for its rapid exploitation of newly disclosed vulnerabilities in widely used software like Log4J, Atlassian Confluence, and Microsoft Exchange.
APT40 prioritizes exploiting vulnerable, public-facing infrastructure and obtaining valid credentials to facilitate further malicious activities. Their techniques include using web shells for persistence, compromising devices like small-office/home-office (SOHO) devices as operational infrastructure, and leveraging these compromised devices to conduct reconnaissance and launch attacks. The group's activities often involve host enumeration, web shell deployment, and lateral movement through networks using legitimate credentials obtained through various means, including exploiting software vulnerabilities.
Case studies detailed in the advisory show that APT40 has successfully compromised networks by exploiting remote access portals and leveraging insecure, internally developed software to upload malicious files. These compromises often result in significant data exfiltration, including sensitive credentials, which enable the group to maintain and regain access even after initial vectors are blocked.
APT40's method of exploiting public-facing applications for initial access highlights the critical need for robust security measures around externally accessible infrastructure. Organizations should prioritize the regular updating and patching of all public-facing applications to mitigate the risk posed by such vulnerabilities. The rapid adoption of proof-of-concept exploits by groups like APT40 necessitates a proactive approach to vulnerability management.Web shell persistence is a favored technique of APT40, allowing them to maintain a foothold within compromised environments.
Web shells provide a stealthy method for executing commands and furthering an intrusion. To counter this, organizations must implement stringent monitoring and detection mechanisms for abnormal activities associated with web shells, including unexpected modifications to web server directories and unusual outbound traffic patterns.
APT40's use of cookie and JWT (JSON Web Token) theft, along with MFA interception, underlines the sophistication of their credential theft strategies. These techniques allow attackers to bypass authentication mechanisms and hijack user sessions. Organizations should enhance their security posture by implementing advanced threat detection systems capable of identifying and alerting on suspicious session activities and enforcing robust MFA policies that include protection against MFA fatigue and interception attacks.
Privilege escalation through exploiting known vulnerabilities like ZeroLogon and PrintNightmare is a common tactic employed by APT40. This underscores the importance of timely patching and the deployment of virtual patching solutions where immediate updates are not possible. Regular vulnerability scanning and a strong patch management process are essential to prevent attackers from leveraging these exploits.
The collection and use of legitimate credentials for lateral movement highlight the necessity of comprehensive credential management policies. Implementing the principle of least privilege, ensuring the regular rotation of passwords, and monitoring for unusual login activities can help mitigate the risk of credential abuse. Additionally, network segmentation and the use of identity and access management (IAM) tools can limit the potential damage caused by compromised credentials.
In conclusion, defending against APT40 requires a multi-layered approach that includes rigorous patch management, enhanced monitoring for web shell activity, advanced threat detection capabilities, robust MFA implementations, and strong credential management practices. By adopting these measures, organizations can better protect themselves against the sophisticated tactics employed by state-sponsored actors like APT40.
Be immediately notified of new advisories and associated security tests
