People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action | CISA

Australia and allied partners warn about a PRC MSS‑sponsored group, APT40, actively targeting networks by rapidly weaponizing public vulnerabilities and abusing credentials. The advisory provides two case studies showing web shells, credential access, lateral movement, and data exfiltration, and offers mitigations aligned with the Essential Eight to prevent and remediate intrusions. #APT40 #KryptonitePanda #GINGHAMTYPHOON #Leviathan #BronzeMohawk #Log4J #CVE202144228 #CVE202131207 #CVE202126084 #CVE202134523

Keypoints

  • APT40 is a PRC MSS‑linked threat group that rapidly exploits publicly disclosed vulnerabilities as part of its intrusion flow.
  • The adversary favors exploiting public‑facing infrastructure over phishing and prioritizes obtaining valid credentials for follow‑on access.
  • Web shells are used for early persistence and execution, often alongside tunneling tools to reach internal networks.
  • Two detailed case studies show reconnaissance, credential theft, lateral movement (including SMB), and data exfiltration through compromised devices and file shares.
  • Exfiltration and C2 activities commonly leverage compromised devices (including SOHO devices) and web‑based C2 channels; JWTs and MFA tokens are exfiltrated or intercepted.
  • Remediation emphasizes patching, MFA, network segmentation, least privilege, centralized logging, and the ASD Essential Eight controls.
  • MITRE‑based defense guidance maps observed behaviors to a broad set of ATT&CK techniques to guide detection and mitigation.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of internet‑exposed custom web applications provided an initial point of access for the actor. “Exploiting internet-exposed custom web applications provided an initial point of access for the actor.”
  • [T1078.002] Valid Accounts: Domain Accounts – Compromised credentials were used to log on to systems; “log into the web application using compromised credentials for <firstname.surname>@<organisation domain>”
  • [T1505.003] Server Software Component: Web Shell – Web shells used to establish footholds and enable command execution. “Web shells would have allowed for arbitrary command execution by the actor on the compromised appliances.”
  • [T1572] Protocol Tunneling – Tunneling traffic from attack machines into the organization’s internal networks. “to tunnel traffic from the actor’s attack machines into the organization’s internal networks”
  • [T1584.008] Compromise Infrastructure: Network Devices – Use of compromised devices (including network devices) as C2/redirectors. “Compromise Infrastructure: Network Devices”
  • [T1021.002] Remote Services: SMB Shares – Lateral movement by mounting SMB shares from multiple devices. “the actor mounting SMB shares from multiple devices”
  • [T1018] Remote System Discovery – Active Directory querying to map the environment. “query the Active Directory [T1018]”
  • [T1039] Data from Network Shared Drive – Exfiltration via mounting shared drives. “mounting file shares [T1039] from multiple machines”
  • [T1558.003] Kerberoasting – Kerberoasting to obtain valid network credentials. “Kerberoasting attack in order to obtain valid network credentials [T1558.003]”
  • [T1003] OS Credential Dumping – Collection of genuine usernames and passwords. “The group also collected genuine usernames, passwords [T1003]”
  • [T1111] MFA Interception – Intercepting MFA tokens. “Multi-Factor Authentication Interception … captured the value of MFA tokens”
  • [T1528] Steal or Forge JWTs – JWTs captured and used for authentication. “JWTs were captured” and “could have been reused”
  • [T1040] Network Sniffing – Captured JWTs by sniffing network traffic. “Network Sniffing … tcpdump was executed”
  • [T1052] (not observed; listed only for context) – Web protocols and C2 channels over HTTPS referenced in the advisory. “[Web Shells] for command and control … over HTTPS using the existing web server on the appliance [T1572]”
  • [T1059] Command and Scripting Interpreter – Unix Shell – Execution via Unix shell on the affected appliance. “Command and Scripting Interpreter: Unix Shell”
  • [T1021.001] Remote Services: Remote Desktop Protocol – Access via RDP and related session hijacking. “Remote Desktop Protocol [T1021.001]”
  • [T1046] Network Service Discovery – Network service discovery via tools like nmap. “network scanning utility nmap was executed”
  • [T1041] Exfiltration: Exfiltration Over C2 Channel – Data exfiltration via C2 channel. “Exfiltration Over C2 Channel [T1041]”
  • [T1563.002] RDP Hijacking – Remote Service session hijacking via RDP. “RDP Hijacking [T1563.002]”
  • [T1505.001] SQL Stored Procedures – Access to internal SQL server via compromised appliance. “SQL Stored Procedures [T1505.001]”
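As an added example (not code from the advisory or from CISA), the following heuristic shows how a defender would hunt for the Kerberoasting step listed above in Windows Security event 4769 telemetry: one requester asking for RC4-encrypted service tickets for many distinct service accounts in a short window. The record layout, sample events and thresholds are assumptions constructed for the illustration.

```python
"""Heuristic Kerberoasting (T1558.003) detection over constructed 4769 records.
Added example, not code from the CISA advisory. Flags a requester that asks for
RC4 (TicketEncryptionType 0x17) service tickets for many distinct service
accounts from one host within a short window. Field names, sample data and
thresholds are assumptions; real events come from the Security log or a SIEM."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records (not real telemetry). Keys mirror the event's
# TargetUserName / IpAddress / ServiceName / TicketEncryptionType fields.
SAMPLE_4769 = [
    {"time": "2022-05-10T09:00:01", "account": "j.smith", "ip": "10.1.5.20", "service": "svc_sql", "etype": "0x17"},
    {"time": "2022-05-10T09:00:02", "account": "j.smith", "ip": "10.1.5.20", "service": "svc_web", "etype": "0x17"},
    {"time": "2022-05-10T09:00:02", "account": "j.smith", "ip": "10.1.5.20", "service": "svc_backup", "etype": "0x17"},
    {"time": "2022-05-10T09:00:03", "account": "j.smith", "ip": "10.1.5.20", "service": "HOST3$", "etype": "0x17"},
    {"time": "2022-05-10T09:00:03", "account": "j.smith", "ip": "10.1.5.20", "service": "svc_sccm", "etype": "0x17"},
    # Benign noise: AES requests and a single legacy RC4 request from another user.
    {"time": "2022-05-10T09:01:00", "account": "a.lee", "ip": "10.1.7.31", "service": "svc_sql", "etype": "0x12"},
    {"time": "2022-05-10T09:02:00", "account": "a.lee", "ip": "10.1.7.31", "service": "svc_legacy", "etype": "0x17"},
    {"time": "2022-05-10T09:02:30", "account": "HOST2$", "ip": "10.1.5.22", "service": "HOST3$", "etype": "0x12"},
]

WINDOW = timedelta(minutes=5)   # assumed tuning values; adjust to the environment
MIN_DISTINCT_SERVICES = 3

def is_roast_candidate(rec):
    """RC4 TGS requests for non-machine service accounts are the Kerberoasting tell;
    machine accounts (name ends in $) and krbtgt are routine and excluded."""
    svc = rec["service"].lower()
    return rec["etype"].lower() == "0x17" and not svc.endswith("$") and svc != "krbtgt"

def find_kerberoast_suspects(records, window=WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """Return {(account, ip): sorted service names} for requesters over the threshold."""
    by_source = defaultdict(list)
    for rec in records:
        if is_roast_candidate(rec):
            by_source[(rec["account"], rec["ip"])].append((datetime.fromisoformat(rec["time"]), rec["service"]))
    suspects = {}
    for key, events in by_source.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # sliding window anchored at each request
            names = {svc for t, svc in events[i:] if t - t0 <= window}
            if len(names) >= min_services:
                suspects[key] = sorted(names)
                break
    return suspects

if __name__ == "__main__":
    for (account, ip), names in find_kerberoast_suspects(SAMPLE_4769).items():
        print(f"possible Kerberoasting: {account} from {ip} requested RC4 tickets for {names}")
```

A hit is a lead, not proof: confirm by checking whether the account normally needs RC4 tickets and rotate the passwords of the requested service accounts if the request looks unexplained.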

Indicators of Compromise

  • [Hostname] context – HOST1, HOST2, HOST3, and HOST7 (compromised appliance hosts and gateway components used during the intrusion)
  • [File] Log4jHotPatch.jar – script/file created on HOST1 in May 2022
  • [File] /etc/security/opasswd and /etc/shadow – modified on HOST1/HOST3 indicating password changes
  • [Credential] hundreds of username/password pairs – captured from the compromised appliance
  • [JWT] JSON Web Tokens – captured from HOST1 and written to file
  • [MFA Token] MFA tokens – captured from the compromised appliance
  • [IP Address] Known malicious IP addresses – interacted with access gateway host HOST7 in early 2022 (exact addresses not disclosed)
  • [Network Endpoint] 2-ext – endpoint exploited in the DMZ to gain initial access
  • [Domain/Service] Active Directory access – queries and credential use enabled by compromised credentials
  • [C2 Endpoint] Compromised devices used as web proxies and C2 channels – traffic tunneled over HTTPS

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a