AdvisoryAdvisoriesCISAAA24-190A

July 9, 2024

People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action

July 9, 2024

What we know so far

The advisory, authored by multiple international cybersecurity agencies, outlines the activities of a PRC state-sponsored cyber group, identified as APT40, targeting networks in various countries including Australia. This group, associated with the PRC Ministry of State Security (MSS), is known for its rapid exploitation of newly disclosed vulnerabilities in widely used software like Log4J, Atlassian Confluence, and Microsoft Exchange.

APT40 prioritizes exploiting vulnerable, public-facing infrastructure and obtaining valid credentials to facilitate further malicious activities. Their techniques include using web shells for persistence, compromising devices like small-office/home-office (SOHO) devices as operational infrastructure, and leveraging these compromised devices to conduct reconnaissance and launch attacks. The group's activities often involve host enumeration, web shell deployment, and lateral movement through networks using legitimate credentials obtained through various means, including exploiting software vulnerabilities.

Case studies detailed in the advisory show that APT40 has successfully compromised networks by exploiting remote access portals and leveraging insecure, internally developed software to upload malicious files. These compromises often result in significant data exfiltration, including sensitive credentials, which enable the group to maintain and regain access even after initial vectors are blocked.

Arrow Right

Schedule a test

Subscribe to advisory alerts

Be immediately notified of new advisories and associated security tests

More advisories