ASD releases advisory on PRC state-sponsored threat group
In collaboration with international partners, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has released a new joint advisory on the People’s Republic of China (PRC) state-sponsored cyber group APT40 and the current threat it poses to Australian networks.
According to ASD, APT40 is actively conducting regular reconnaissance against networks of interest in Australia, looking for opportunities to compromise its targets. The group launches attacks from compromised devices, including small-office/home-office (SOHO) routers and similar equipment, so that its traffic blends in with legitimate activity and is harder for network defenders to distinguish.
APT40 continues to find success exploiting vulnerabilities in end-of-life or no longer maintained devices on networks of interest and systems that are poorly maintained and unpatched.
The advisory is co-authored by ASD/ACSC and multiple agencies in the US, UK, Canada, New Zealand, Germany, South Korea and Japan.
According to the advisory, APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing. The tradecraft described in this advisory is regularly observed against Australian networks.
The advisory says that APT40 can rapidly adapt public proof-of-concept exploits for newly disclosed vulnerabilities and immediately use them against target networks that run the affected software. APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance positions the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.
Examples of exploits include newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). ASD’s ACSC and the authoring agencies expect the group to continue using proof-of-concept exploits (POCs) for new high-profile vulnerabilities within hours or days of their public release.
Organisations are encouraged to implement the ASD Essential Eight mitigation strategies, as well as relevant additional mitigations from ACSC’s Strategies to Mitigate Cyber Security Incidents guidance.
To find out more about APT40, read the full advisory here.