Cyber Threat Report: 'APT40 Advisory - PRC MSS tradecraft in action'

Report Author Australian Cyber Security Centre
Publication Date 2024-07-23
Original Reporting Source
Attributed to Nation China
Related Intrusion Sets APT40 , Leviathan
Related Threat Actors Chinese Ministry of State Security , Hainan State Security Department
Identified CVEs CVE-2021-31207 , CVE-2021-34473
Victim Sectors National Government

This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed by a People's Republic of China (PRC) state-sponsored cyber group known as APT40. This group has targeted networks in various countries, including Australia and the United States, using advanced techniques to exploit vulnerabilities in widely used software. The advisory highlights the group's ability to rapidly adapt and deploy exploits, emphasizing the ongoing threat they pose to global cybersecurity. APT40's operations often involve exploiting public-facing infrastructure and obtaining valid credentials to maintain persistent access to victim networks. The group has been observed using web shells for persistence and leveraging compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure. The advisory provides detailed examples of APT40's techniques, illustrating their methods of gaining initial access, establishing persistence, and exfiltrating sensitive data from compromised networks. The advisory concludes with recommendations for mitigating the threat posed by APT40, including prompt patching of internet-exposed devices, network segmentation, and implementing comprehensive logging practices. It also emphasizes the importance of adopting the ASD Essential Eight Controls and other cybersecurity best practices to detect and prevent intrusions.

Cyber Threat Graph Context

Explore how this report relates to the wider threat graph

Mitigations to defend against the techniques in this report

Identified MITRE ATT&CK Techniques

ATT&CK ID Title Associated Tactics
T1027.003 Steganography Defense Evasion
T1190 Exploit Public-Facing Application Initial Access
T1047 Windows Management Instrumentation Execution
T1105 Ingress Tool Transfer Command and Control
T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
T1021.006 Windows Remote Management Lateral Movement
T1539 Steal Web Session Cookie Credential Access
T1010 Application Window Discovery Discovery
T1212 Exploitation for Credential Access Credential Access
T1112 Modify Registry Defense Evasion
T1587.003 Digital Certificates Resource Development
T1587.001 Malware Resource Development
T1046 Network Service Discovery Discovery
T1203 Exploitation for Client Execution Execution
T1070.004 File Deletion Defense Evasion
T1041 Exfiltration Over C2 Channel Exfiltration
T1187 Forced Authentication Credential Access
T1090.003 Multi-hop Proxy Command and Control
T1027.002 Software Packing Defense Evasion
T1001.003 Protocol Impersonation Command and Control
T1590.001 Domain Properties Reconnaissance
T1036 Masquerading Defense Evasion
T1222.001 Windows File and Directory Permissions Modification Defense Evasion
T1102.003 One-Way Communication Command and Control
T1087.003 Email Account Discovery
T1583 Acquire Infrastructure Resource Development
T1572 Protocol Tunneling Command and Control
T1074.001 Local Data Staging Collection
T1055.001 Dynamic-link Library Injection Defense Evasion, Privilege Escalation
T1049 System Network Connections Discovery Discovery
T1137.001 Office Template Macros Persistence
T1552.001 Credentials In Files Credential Access
T1135 Network Share Discovery Discovery
T1218.010 Regsvr32 Defense Evasion
T1070.001 Clear Windows Event Logs Defense Evasion
T1055.003 Thread Execution Hijacking Defense Evasion, Privilege Escalation
T1547.001 Registry Run Keys / Startup Folder Persistence, Privilege Escalation
T1204.002 Malicious File Execution
T1069.002 Domain Groups Discovery
T1555.001 Keychain Credential Access
T1595.002 Vulnerability Scanning Reconnaissance
T1040 Network Sniffing Credential Access, Discovery
T1059.003 Windows Command Shell Execution
T1039 Data from Network Shared Drive Collection
T1027 Obfuscated Files or Information Defense Evasion
T1056.001 Keylogging Collection, Credential Access
T1036.004 Masquerade Task or Service Defense Evasion
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1546.004 Unix Shell Configuration Modification Persistence, Privilege Escalation
T1497.001 System Checks Defense Evasion, Discovery
T1594 Search Victim-Owned Websites Reconnaissance
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
T1550.003 Pass the Ticket Defense Evasion, Lateral Movement
T1111 Multi-Factor Authentication Interception Credential Access
T1057 Process Discovery Discovery
T1071.002 File Transfer Protocols Command and Control
T1090.001 Internal Proxy Command and Control
T1048 Exfiltration Over Alternative Protocol Exfiltration
T1014 Rootkit Defense Evasion
T1555 Credentials from Password Stores Credential Access
T1564.003 Hidden Window Defense Evasion
T1124 System Time Discovery Discovery
T1528 Steal Application Access Token Credential Access
T1592 Gather Victim Host Information Reconnaissance
T1583.001 Domains Resource Development
T1115 Clipboard Data Collection
T1056.003 Web Portal Capture Collection, Credential Access
T1570 Lateral Tool Transfer Lateral Movement
T1589.002 Email Addresses Reconnaissance
T1071.001 Web Protocols Command and Control
T1189 Drive-by Compromise Initial Access
T1496 Resource Hijacking Impact
T1059 Command and Scripting Interpreter Execution
T1562.004 Disable or Modify System Firewall Defense Evasion
T1133 External Remote Services Initial Access, Persistence
T1114 Email Collection Collection
T1083 File and Directory Discovery Discovery
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1560.002 Archive via Library Collection
T1021 Remote Services Lateral Movement
T1036.005 Match Legitimate Name or Location Defense Evasion
T1564.001 Hidden Files and Directories Defense Evasion
T1078.002 Domain Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1059.002 AppleScript Execution
T1140 Deobfuscate/Decode Files or Information Defense Evasion
T1102.001 Dead Drop Resolver Command and Control
T1114.002 Remote Email Collection Collection
T1218.005 Mshta Defense Evasion
T1553.002 Code Signing Defense Evasion
T1588.003 Code Signing Certificates Resource Development
T1202 Indirect Command Execution Defense Evasion
T1110.002 Password Cracking Credential Access
T1087.001 Local Account Discovery
T1566 Phishing Initial Access
T1574.001 DLL Search Order Hijacking Defense Evasion, Persistence, Privilege Escalation
T1584 Compromise Infrastructure Resource Development
T1134.001 Token Impersonation/Theft Defense Evasion, Privilege Escalation
T1059.001 PowerShell Execution
T1588.004 Digital Certificates Resource Development
T1098 Account Manipulation Persistence, Privilege Escalation
T1566.001 Spearphishing Attachment Initial Access
T1072 Software Deployment Tools Execution, Lateral Movement
T1585.003 Cloud Accounts Resource Development
T1106 Native API Execution
T1090 Proxy Command and Control
T1573.002 Asymmetric Cryptography Command and Control
T1016.001 Internet Connection Discovery Discovery
T1587.002 Code Signing Certificates Resource Development
T1555.003 Credentials from Web Browsers Credential Access
T1033 System Owner/User Discovery Discovery
T1078.001 Default Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1505.003 Web Shell Persistence
T1059.005 Visual Basic Execution
T1574.002 DLL Side-Loading Defense Evasion, Persistence, Privilege Escalation
T1571 Non-Standard Port Command and Control
T1074.002 Remote Data Staging Collection
T1586 Compromise Accounts Resource Development
T1489 Service Stop Impact
T1102 Web Service Command and Control
T1592.002 Software Reconnaissance
T1018 Remote System Discovery Discovery
T1005 Data from Local System Collection
T1560 Archive Collected Data Collection
T1003.001 LSASS Memory Credential Access
T1119 Automated Collection Collection
T1053.003 Cron Execution, Persistence, Privilege Escalation
T1567.002 Exfiltration to Cloud Storage Exfiltration
T1562 Impair Defenses Defense Evasion
T1589.001 Credentials Reconnaissance
T1087.002 Domain Account Discovery
T1569.002 Service Execution Execution
T1573 Encrypted Channel Command and Control
T1213 Data from Information Repositories Collection
T1547.009 Shortcut Modification Persistence, Privilege Escalation
T1110.001 Password Guessing Credential Access
T1561 Disk Wipe Impact
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1070.006 Timestomp Defense Evasion
T1007 System Service Discovery Discovery
T1559 Inter-Process Communication Execution
T1482 Domain Trust Discovery Discovery
T1102.002 Bidirectional Communication Command and Control
T1055.012 Process Hollowing Defense Evasion, Privilege Escalation
T1059.006 Python Execution
T1012 Query Registry Discovery
T1059.004 Unix Shell Execution
T1558.003 Kerberoasting Credential Access
T1003.006 DCSync Credential Access
T1082 System Information Discovery Discovery
T1078.003 Local Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1003.003 NTDS Credential Access
T1518 Software Discovery Discovery
T1529 System Shutdown/Reboot Impact
T1021.001 Remote Desktop Protocol Lateral Movement
T1027.004 Compile After Delivery Defense Evasion
T1620 Reflective Code Loading Defense Evasion
T1583.002 DNS Server Resource Development
T1543.003 Windows Service Persistence, Privilege Escalation
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation