ASD hack forensics underpin global APT40 threat warning
Australian investigations into the breach of two organisations in 2022 form the basis of an international advisory on APT40, a state-sponsored threat group linked to China.
A lengthy advisory published on Tuesday states that APT40 has “repeatedly targeted Australian networks as well as government and private sector networks in the region”.
The Australian Signals Directorate (ASD) said the group typically makes use of proof-of-concepts for vulnerabilities in “widely used software”, including Log4j, Atlassian Confluence and Microsoft Exchange – “within hours or days of public release”.
It also uses web shells to establish persistence in a target’s environment and has been observed to target credentials for exfiltration.
ASD said it had observed improvements in the group’s tradecraft over time, initially using compromised Australian websites for command and control, before branching out to compromised small-office/home-office (SOHO) devices.
“Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation,” ASD said.
“Once compromised, SOHO devices offer a launching point for attacks to blend in with legitimate traffic and challenge network defenders.”
ASD provided two anonymised case studies of breaches it had been called in to investigate and which it had attributed to APT40.
One of the breached organisations was “likely deliberately targeted by a state-sponsored cyber actor”, ASD said.
The investigation “uncovered evidence of large amounts of sensitive data being accessed and evidence that the actor moved laterally through the network.”
“Exfiltrated data included privileged authentication credentials that enabled the group to log in, as well as network information that would allow an actor to regain unauthorised access if the original access vector was blocked,” ASD said.
In a second case study, the hackers compromised an internet-facing server “which provided the login portal for the organisation’s corporate remote access solution”, exploiting a remote code execution (RCE) vulnerability that was widely publicised around the time of the compromise.
ASD said that the Australian Cyber Security Centre found “a malicious actor had exfiltrated several hundred unique username and password pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication codes and technical artefacts related to remote access sessions.”
The advisory is co-signed by cyber security and policing authorities from across the globe, including in the US, UK, Canada, New Zealand, Germany, Korea and Japan.