Partner Report – Advisory on PRC State-Sponsored Group (APT 40) Emphasizes Importance of Patching

Author: Jennifer Walker

Created: Tuesday, July 9, 2024 - 16:54

Categories: Cybersecurity, Federal & State Resources, Security Preparedness

In a notification published today, CISA, in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), released the advisory People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action (AA24-190A), outlining the activity of a PRC state-sponsored cyber group. The advisory draws on current ACSC-led incident response investigations and a shared understanding of APT40, which is also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk. It presents two case studies to help cybersecurity practitioners identify, prevent and remediate APT40 intrusions against their own networks. As such, the case studies are naturally older, so that affected organizations had the necessary time to remediate before publication.

According to the advisory, APT40 largely focuses on compromising IT infrastructure. Additionally, APT40 tradecraft emphasizes the importance of patching, including older vulnerabilities.

  • This group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction.
  • APT40 regularly uses web shells for persistence, particularly early in the life cycle of an intrusion.
  • Typically, after successful initial access APT40 focuses on establishing persistence to maintain access on the victim’s environment.
  • Notably, APT40 can rapidly transform and adapt exploit proof-of-concepts (PoCs) for new vulnerabilities and immediately use them against target networks running the affected software.
  • Regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits.
    • APT40 continues to find success exploiting vulnerabilities from as early as 2017.
    • APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473).
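The web shell and public-facing-infrastructure tradecraft described above lends itself to a simple log-based check: a server-side script path that is not part of the deployed application but is receiving POST requests is a strong sign of a dropped web shell. The Python below is an added example for defenders, not code from the advisory or from WaterISAC; it assumes you can supply a baseline of legitimate script paths (for example from a deployment manifest) and runs over constructed Apache-style access log lines.

```python
import re
from collections import defaultdict

# Apache/IIS-style "combined" access log line. Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Server-side script extensions a web shell is typically written as.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".jsp", ".php")


def find_suspect_script_paths(log_lines, baseline_paths):
    """Return {path: {"ips": set, "posts": int}} for script paths that are NOT in the
    deployment baseline, were served successfully, and received at least one POST
    (the usual command channel for a web shell)."""
    seen = defaultdict(lambda: {"ips": set(), "posts": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        path = m.group("path").split("?", 1)[0].lower()  # drop the query string
        if not path.endswith(SCRIPT_EXTS) or path in baseline_paths:
            continue
        if m.group("status").startswith("4"):
            continue  # 403/404: the file is not actually present on the server
        entry = seen[path]
        entry["ips"].add(m.group("ip"))
        if m.group("method") == "POST":
            entry["posts"] += 1
    return {p: v for p, v in seen.items() if v["posts"] > 0}


# Constructed baseline (assumed to come from your deployment manifest).
BASELINE = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

# Constructed log excerpt: normal OWA traffic plus one unexpected .aspx file.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Jul/2024:10:00:01 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jul/2024:10:00:02 +0000] "POST /owa/auth/logon.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jul/2024:10:01:12 +0000] "POST /owa/auth/x.aspx HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [09/Jul/2024:10:01:15 +0000] "POST /owa/auth/x.aspx?cmd=1 HTTP/1.1" 200 77 "-" "python-requests/2.31"
203.0.113.9 - - [09/Jul/2024:10:02:40 +0000] "GET /owa/auth/x.aspx HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.8 - - [09/Jul/2024:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Jul/2024:10:03:10 +0000] "POST /old/backup.asp HTTP/1.1" 404 210 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for path, info in find_suspect_script_paths(SAMPLE_LOG, BASELINE).items():
        print(f"SUSPECT {path}: {info['posts']} POSTs from {sorted(info['ips'])}")
```

Pair the hit with a file-system check (creation time and owner of the flagged file) before acting on it; a legitimate hotfix that was deployed outside the manifest will trip the same rule.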

CISA urges all organizations and software manufacturers to review the advisory to help identify, prevent, and remediate APT40 intrusions. Software vendors are also urged to incorporate Secure by Design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers.

For more information on PRC state-sponsored threat actor activity, see CISA’s People’s Republic of China Cyber Threat. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage.
