2024-07-18

Cybersecurity Agencies Reveal Tactics of a Prolific Chinese Hacking Group

Level: Tactical | Source: Australian Signals Directorate (ASD) & CISA | Global

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the United States Cybersecurity and Infrastructure Security Agency (CISA) have detailed the activities of APT40, a threat group believed to be sponsored by the People’s Republic of China. Known by various names such as Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk, APT40 has targeted networks in the United States, Australia, and other nations. The group exploits vulnerabilities in critical infrastructure, focusing on end-of-life or unmaintained devices and rapidly exploiting zero-day vulnerabilities, including Log4j (CVE-2021-44228), Atlassian Confluence (CVE-2021-26084), and the Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

APT40 employs tactics favored by other Chinese-linked groups, such as Volt Typhoon, using compromised small-office/home-office (SOHO) devices, including end-of-life routers, as operational infrastructure to obscure its malicious activity. These routers, exploited via N-day vulnerabilities, act as last-hop redirectors, blending malicious traffic with legitimate communications to evade detection. The group maintains persistence through web shells deployed as Java web-application files (.jsp and .class), which give it ongoing control and a staging point for further exploitation and data exfiltration. Once APT40 establishes initial access, it uses techniques such as Secure Socket Funnelling and Kerberoasting to capture valid credentials, then moves laterally through the network over Remote Desktop Protocol (RDP). This access lets the group map and manipulate the network extensively, eventually exfiltrating sensitive data to its command and control (C2) servers. In the final phase, APT40 removes event logs and deploys stealth tools to maintain a hidden presence, underscoring the importance of robust network defenses and timely incident response to mitigate such advanced persistent threats.

Two detailed case studies offer insights into APT40's attack cycle. The first case took place between July and September 2022. The group gained initial access through a web shell installed via a compromised public-facing application to perform host enumeration and deploy additional malicious tools. Using the web shells, they not only conducted extensive mapping of the network environment but also accessed critical network resources like the Active Directory. This access facilitated the exfiltration of substantial volumes of sensitive data, including privileged credentials, which played a pivotal role in their capability to navigate and manipulate the network infrastructure effectively. Throughout this intrusion, APT40 exploited the organization’s "flat structure" and the presence of insecure internally developed software, which they manipulated to perform arbitrary file uploads. Their operations, methodically executed, capitalized on both technical vulnerabilities and operational inefficiencies to maintain persistence and cover their tracks within the compromised network. "Findings from the investigation indicate the organization was likely deliberately targeted by APT40, as opposed to falling victim opportunistically to a publicly known vulnerability," as highlighted by the agencies. The deployment of host-based sensors by September was crucial in providing the visibility needed to trace and mitigate the actor's activities, culminating in effective remediation measures to counter the intrusion.
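The first case study turns on a web shell reaching the server through a public-facing application and an internally developed upload feature. The script below is an added example, not code from the advisory or from the agencies: it walks a Java web root and flags web-executable files (.jsp, .jspx, .class) that were written after the last known deployment, that sit under an upload directory, or whose JSP source reaches into the operating system. The directory layout, the deployment-baseline check and the indicator patterns are the example's assumptions; the sample tree it builds is constructed for the demonstration and the one suspicious file it contains is a non-functional fragment.

```python
"""Added example (not from the ASD/CISA advisory): find web shell candidates
in a Java web root. Paths, patterns and the sample tree are constructed."""
import os
import re
import tempfile
import time
from pathlib import Path

SUSPECT_EXTENSIONS = {".jsp", ".jspx", ".class"}
# Source-level indicators of a JSP that runs commands or loads code at runtime.
EXEC_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec"),
    re.compile(r"ProcessBuilder\("),
    re.compile(r"ClassLoader.*defineClass"),
]


def scan_webroot(root, baseline_epoch):
    """Return findings for web-executable files under `root` that were modified
    after the deployment baseline, live under an upload directory, or match an
    exec pattern. Each finding lists every reason so triage can rank them."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        reasons = []
        rel = path.relative_to(root)
        if path.stat().st_mtime > baseline_epoch:
            reasons.append("written after deployment baseline")
        if any("upload" in part.lower() for part in rel.parts[:-1]):
            reasons.append("executable file in upload directory")
        if path.suffix.lower() != ".class":          # .class is binary; only read source
            text = path.read_text(errors="ignore")
            hits = [p.pattern for p in EXEC_PATTERNS if p.search(text)]
            if hits:
                reasons.append("exec pattern: " + ", ".join(hits))
        if reasons:
            findings.append({"path": rel.as_posix(), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_webroot():
    """Constructed sample tree: a legitimate page and a compiled class from a
    deployment 30 days ago, plus a JSP dropped into the upload directory today.
    Returns the root and a baseline timestamp just after that deployment."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    deployed = time.time() - 30 * 86400
    (root / "app").mkdir()
    (root / "app" / "index.jsp").write_text('<html><%= request.getAttribute("title") %></html>')
    (root / "WEB-INF" / "classes").mkdir(parents=True)
    (root / "WEB-INF" / "classes" / "Report.class").write_bytes(b"\xca\xfe\xba\xbe")
    for rel in ("app/index.jsp", "WEB-INF/classes/Report.class"):
        os.utime(root / rel, (deployed, deployed))   # backdate to deployment time
    (root / "uploads").mkdir()
    # Constructed, non-functional fragment that carries the exec indicator only.
    (root / "uploads" / "image.jsp").write_text("<% Runtime.getRuntime().exec(x); %>")
    return root, deployed + 1


if __name__ == "__main__":
    sample_root, baseline = build_sample_webroot()
    for finding in scan_webroot(sample_root, baseline):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

The baseline check is the one that catches shells whose source is obfuscated or compiled to a `.class` file: if the deployment pipeline is the only thing that should write executable files into the web root, anything newer than the last release is a finding regardless of content. Web servers that must accept uploads should store them outside the web root, which turns the "executable file in upload directory" reason into a hard policy violation.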

In the second case from April 2022, detailed by the ASD’s ACSC and CISA, APT40 exploited an organization's remote access login portal. They secured a foothold by deploying web shells on the network's internet-facing server. Through these web shells, APT40 captured hundreds of username-password combinations and multi-factor authentication (MFA) codes, along with JSON Web Tokens (JWTs). These credentials and tokens were vital in facilitating unauthorized access to the organization's internal systems. "The ASD’s ACSC discovered that a malicious actor had exfiltrated several hundred unique username and password pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication codes and technical artefacts related to remote access sessions," reflecting the depth of the intrusion. Following the initial compromise, APT40 escalated their privileges and began to scrape an internal SQL server, increasing the scope and impact of the breach. The collected JWTs and other technical artifacts provided the attackers with the means to mimic legitimate user sessions, enhancing their ability to move laterally within the network and maintain persistent access. Upon discovery, the organization confirmed the legitimacy of the exfiltrated passwords, underscoring the severity of the security breach. "The ASD’s ACSC assesses that the actor may have collected these technical artefacts to hijack or create a remote login session as a legitimate user and access the organization’s internal corporate network using a legitimate user account," further highlighting the sophisticated nature of APT40’s tactics and their focus on maintaining a stealthy presence within the compromised network.

To enhance security measures against APT40, both ASD’s ACSC and CISA advise organizations to promptly apply security patches and ensure robust logging and network segmentation. Key defensive strategies include disabling inactive ports and services, deploying web application firewalls, and adhering strictly to the principle of least privilege. Additionally, it is crucial to implement multi-factor authentication for all remote access points and prioritize the replacement of end-of-life networking devices that are susceptible to exploitation due to a lack of updates.
