A People’s Republic of China (PRC) state-sponsored cyber group, APT40 – also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk – remains active, and cybersecurity agencies across the globe are issuing warnings.

APT40 has previously targeted organizations in various countries. Notably, APT40 can quickly transform and adapt vulnerability proofs of concept (PoCs) for targeting, reconnaissance and exploitation operations.

APT40 identifies new exploits in widely used public software such as Log4J, Atlassian Confluence and Microsoft Exchange and targets infrastructure running the vulnerable software.

With that in mind, cybersecurity agencies including the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the United Kingdom’s National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC), and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA) all collaborated on issuing an advisory.

Home Base
APT40 appears to be based in Haikou, Hainan Province, China, and receives tasking from the PRC Ministry of State Security (MSS), Hainan State Security Department.


Additionally, APT40 can rapidly transform and adapt exploit proofs of concept (PoCs) for new vulnerabilities and immediately use them against target networks running the affected software. The group also regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance positions the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.

APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473).

This group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range of follow-on activities, according to the advisory.

Tactics, techniques and procedures’ flowchart for APT40 activity.
Source: ASD’s ACSC

APT40 regularly uses web shells for persistence, particularly early in the life cycle of an intrusion. Typically, after successful initial access, APT40 focuses on establishing persistence to maintain access to the victim’s environment. Because persistence is established early in an intrusion, it is likely to be observed in all intrusions, regardless of the extent of compromise or further actions taken.
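As an added, defender-side illustration (not code from the advisory or the authoring agencies), here is a Python hunt for web shells of the kind described above: it compares script files in a web root against a known-good hash baseline and flags new or changed files that contain code-execution constructs. The script extensions, suspicious patterns and the sample web root are assumptions constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Server-side script types a web shell is usually written in (assumed set).
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}

# Constructs that turn request input into code or commands. Heuristic, not a signature:
# legitimate code matches too, which is why the known-good hash baseline is checked first.
SUSPICIOUS = re.compile(
    rb"eval\s*\(|assert\s*\(|base64_decode\s*\(|passthru\s*\(|shell_exec\s*\(|system\s*\("
    rb"|Runtime\.getRuntime\(\)\.exec|Process\.Start|Request\s*(?:\.Form|\.QueryString|\[)"
    rb"|\$_(?:GET|POST|REQUEST)\s*\[",
    re.IGNORECASE,
)


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def hunt_webshells(web_root: Path, baseline: dict) -> list:
    """Return one finding per script file under web_root that is absent from the
    known-good baseline (relative path -> sha256) or whose hash has changed, unless
    it is a known file with no suspicious constructs (treated as a routine edit)."""
    findings = []
    for path in sorted(web_root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        rel = path.relative_to(web_root).as_posix()
        digest = sha256_file(path)
        known = baseline.get(rel)
        if known == digest:
            continue  # unchanged since the trusted snapshot
        hits = sorted({m.group(0).decode(errors="replace") for m in SUSPICIOUS.finditer(path.read_bytes())})
        if known is not None and not hits:
            continue  # modified known file without exec constructs: review separately
        findings.append({"path": rel, "status": "new" if known is None else "modified",
                         "sha256": digest, "hits": hits, "mtime": path.stat().st_mtime})
    return findings


def demo() -> list:
    """Constructed sample web root: one baselined page plus a shell dropped under an images directory."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
    (root / "img").mkdir()
    (root / "img" / "logo.png").write_bytes(b"\x89PNG")
    (root / "img" / "x.php").write_bytes(b"<?php @eval($_POST['cmd']); ?>")
    baseline = {"index.php": sha256_file(root / "index.php")}
    return hunt_webshells(root, baseline)
```

In practice the baseline comes from the deployment artifact or a snapshot taken before the suspected intrusion window, and the finding's mtime is what you line up against web server access logs.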

Case Study
In one case study, ASD’s ACSC investigated the successful compromise of an organization’s network between July and September 2022.

This investigative report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was by APT40.

In mid-August, ASD’s ACSC notified the organization of malicious interactions with its network from a likely compromised device used by the group. In late August, with the organization’s consent, ASD’s ACSC deployed host-based sensors to likely affected hosts on the organization’s network. These sensors allowed ASD’s ACSC incident response analysts to undertake a thorough digital forensics investigation. Using available sensor data, ASD’s ACSC analysts successfully mapped the group’s activity and created a detailed timeline of observed events.

From July to August, key actor activity observed by the ASD’s ACSC included:

  • Host enumeration, which enabled an actor to build their own map of the network
  • Web shell use, which gave the actor an initial foothold on the network and a capability to execute commands
  • Deployment of other tooling leveraged by the actor for malicious purposes

The investigation uncovered evidence that large amounts of sensitive data were accessed and that the actors moved laterally through the network.

Network Issues
Much of the compromise was facilitated by the group’s establishment of multiple access vectors into the network, the network’s flat structure, and the use of insecure internally developed software that could be used to upload arbitrary files.
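An added example (not the advisory’s or the affected organization’s code) of the upload weakness the case study describes, in Python: a handler that writes a client-named file straight under the web root, beside a hardened version that allowlists types, checks magic bytes, randomizes the name and stores outside the web root. The allowed types and size limit are an assumed policy, and the sample uploads are constructed.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Upload policy assumed for this example: allowed types, their magic bytes, and a size cap.
ALLOWED = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}
MAX_BYTES = 5 * 1024 * 1024


def save_upload_insecure(web_root: Path, filename: str, data: bytes) -> Path:
    """The weakness in the case study: the client-chosen name is written as-is under
    the web root, so a .php/.aspx upload (or a ../ path) becomes a web shell."""
    dest = web_root / filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def save_upload_hardened(store_dir: Path, filename: str, data: bytes) -> Path:
    """Allowlist the extension, require matching magic bytes, cap the size, replace the
    client's name with a random one, and write outside the web root so the server
    can never serve or execute an upload."""
    if len(data) > MAX_BYTES:
        raise ValueError("too large")
    ext = Path(filename).suffix.lower()  # only the suffix is used; directories in the name are dropped
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    store_dir.mkdir(parents=True, exist_ok=True)
    dest = store_dir / f"{secrets.token_hex(16)}{ext}"
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # never overwrite
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


def demo() -> dict:
    """Constructed run: a shell upload and a real PNG against both handlers."""
    tmp = Path(tempfile.mkdtemp())
    shell = b"<?php @eval($_POST['cmd']); ?>"
    out = {"insecure": save_upload_insecure(tmp / "www", "innocent.php", shell).suffix}
    try:
        save_upload_hardened(tmp / "uploads", "innocent.php", shell)
        out["hardened_shell"] = "accepted"
    except ValueError as err:
        out["hardened_shell"] = str(err)
    saved = save_upload_hardened(tmp / "uploads", "../photo.png", ALLOWED[".png"] + b"x")
    out["hardened_png"] = (saved.suffix, saved.parent == tmp / "uploads", saved.name != "photo.png")
    return out
```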

Exfiltrated data included privileged authentication credentials that enabled the group to log in, as well as network information that would allow the actors to regain unauthorized access if the original access vector were blocked. No additional malicious tooling was discovered beyond that on the initially exploited machine; however, the group’s access to legitimate and privileged credentials would negate the need for additional tooling.

Findings from the investigation indicate the organization was likely deliberately targeted by APT40, as opposed to falling victim to a publicly known vulnerability.

Click here for more on the joint advisory.
