09 July 2024 | Newsroom | Cyber Espionage / Threat Intelligence


Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the United Kingdom and the United States have issued a joint advisory on a China-linked cyber espionage group known as APT40, warning about its ability to adopt exploits for newly disclosed security flaws within hours or days of their public release.

"APT40 has previously targeted organizations in various countries, including Australia and the United States," the agencies said. "Notably, APT40 possesses the ability to rapidly transform and adapt vulnerability proofs-of-concept (PoCs) for targeting, espionage and exploitation operations."

The adversarial group, also known as Bronze Mohawk, Gingham Typhoon (formerly Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, has been known to be active since at least 2013, conducting cyber attacks against entities in the Asia-Pacific region. It is assessed to be based in Haikou.


In July 2021, the U.S. and its allies officially attributed the group to China's Ministry of State Security (MSS) and accused several members of the hacking crew of running a multi-year campaign aimed at stealing trade secrets, intellectual property and high-value information across a variety of sectors.

Over the past few years, APT40 has been linked to waves of intrusions delivering the ScanBox reconnaissance framework, as well as to the exploitation of a security flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deliver a backdoor dubbed BOXRAT as part of a phishing campaign targeting Papua New Guinea.

Then, earlier this March, the New Zealand government implicated the threat actor in the compromise of the Parliamentary Counsel Office and the Parliamentary Service in 2021.

"APT40 identifies new exploits within widely used public software such as Log4j, Atlassian Confluence, and Microsoft Exchange to target the infrastructure of the relevant vulnerability."


"APT40 conducts regular reconnaissance against networks of interest, including networks in the authoring agencies' countries, looking for opportunities to compromise its targets. This regular reconnaissance positions the group to identify vulnerable, end-of-life or no-longer-maintained devices of interest, and to rapidly deploy exploits."

Notable tradecraft used by the state-sponsored hacking crew includes the deployment of web shells to establish persistence and maintain access to the victim's environment, as well as the use of Australian websites for command-and-control (C2) purposes.


The group has also been observed incorporating outdated or unpatched devices, including small-office/home-office (SOHO) routers, into its attack infrastructure to reroute malicious traffic and evade detection, an operational style similar to that of other China-based groups such as Volt Typhoon.

Attack chains further involve reconnaissance, privilege escalation, credential theft and the exfiltration of information of interest using the Remote Desktop Protocol (RDP).

To mitigate the risks posed by such threats, it is recommended to implement comprehensive logging, enforce multi-factor authentication (MFA), maintain a robust patch management system, replace end-of-life devices, disable unused services, ports and protocols, and segment networks to prevent access to sensitive data.
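One concrete payoff of the "comprehensive logging" recommendation is that the web-shell tradecraft described above leaves a distinctive trace in ordinary web-server access logs: a script path that the application never exposed starts receiving POST requests, typically with no referer and from a handful of sources. The script below is an added example for this article, not code from the advisory or any of the authoring agencies. It assumes the defender keeps an allowlist of the application's legitimate script endpoints (`KNOWN_ENDPOINTS`, a hypothetical set) and reads combined-format (Apache/Nginx) access logs; every log line, IP address and path in it is constructed sample data.

```python
"""Flag likely web-shell activity in combined-format web-server access logs.

Added example (not from the advisory or the article). A web shell is a script
the attacker drops into the web root and then drives with POST requests, so a
script path that is absent from the application's known endpoint set but
receives POSTs is a useful triage signal for the SOC.
"""
import re
from dataclasses import dataclass, field

# Combined Log Format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Server-side script extensions worth watching for unexpected write traffic.
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi")

# Hypothetical allowlist: the endpoints the application legitimately serves.
KNOWN_ENDPOINTS = {"/index.php", "/login.php"}

# Constructed sample log; RFC 5737 documentation addresses, fictional paths.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jul/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jul/2024:10:01:05 +0000] "POST /login.php HTTP/1.1" 302 0 "https://example.test/index.php" "Mozilla/5.0"
198.51.100.7 - - [09/Jul/2024:10:15:40 +0000] "POST /uploads/img/cache.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [09/Jul/2024:10:15:41 +0000] "POST /uploads/img/cache.php?v=2 HTTP/1.1" 200 1402 "-" "python-requests/2.31"
198.51.100.9 - - [09/Jul/2024:11:02:13 +0000] "POST /uploads/img/cache.php HTTP/1.1" 200 77 "-" "curl/8.4"
203.0.113.22 - - [09/Jul/2024:11:20:00 +0000] "GET /static/logo.png HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""


@dataclass
class Finding:
    """Aggregated evidence for one suspicious script path."""
    path: str
    first_seen: str
    post_count: int = 0
    no_referer: int = 0
    sources: set = field(default_factory=set)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspect_scripts(lines, known_endpoints):
    """Return {path: Finding} for script paths that received POSTs and are not allowlisted.

    The query string is stripped and the path lower-cased so that variants of
    the same file are grouped together.
    """
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not crash
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith(SCRIPT_EXT) or path in known_endpoints:
            continue
        if rec["method"] != "POST":
            continue
        f = findings.setdefault(path, Finding(path=path, first_seen=rec["time"]))
        f.post_count += 1
        f.sources.add(rec["ip"])
        if rec["referer"] in ("", "-"):
            f.no_referer += 1
    return findings


def report(findings):
    """Render findings as one line per path, most POSTs first."""
    rows = sorted(findings.values(), key=lambda f: f.post_count, reverse=True)
    return [
        f"{f.path}: {f.post_count} POSTs ({f.no_referer} without referer) "
        f"from {len(f.sources)} source(s), first seen {f.first_seen}"
        for f in rows
    ]


if __name__ == "__main__":
    for line in report(find_suspect_scripts(SAMPLE_LOG.splitlines(), KNOWN_ENDPOINTS)):
        print(line)
```

The allowlist is the part that needs care in a real deployment: build it from the application's routing table or from a baseline of GET traffic over a clean period, and treat any new script path that appears only with POSTs as a file-system check on the web root, not as a verdict on its own.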
