In a recent advisory, close allies of the United States have highlighted the significant threat posed by the Chinese state-sponsored hacking group APT40. This group has been actively targeting end-of-life devices, exploiting new vulnerabilities almost immediately after they become public. The joint advisory, issued on July 8, included contributions from security agencies in the United States, Australia, Canada, Germany, Japan, New Zealand, South Korea, and the United Kingdom.
The Persistent Threat of APT40
APT40, also known as TEMP.Periscope, has been on the radar since at least 2017. This group has demonstrated a remarkable ability to quickly transform proof-of-concept (PoC) code for new vulnerabilities into weaponized exploits. Their primary targets are networks with end-of-life devices, which are often more susceptible to attacks due to outdated security measures.
The group has exploited vulnerabilities in widely used software such as Log4j (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084), and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). The speed at which APT40 leverages these vulnerabilities poses a significant challenge for security teams worldwide.
Focus on Public-Facing Infrastructure
APT40 tends to prioritize exploiting vulnerable, public-facing infrastructure rather than relying on techniques that require user interaction, such as phishing campaigns. By obtaining valid credentials, they can conduct a wide range of follow-on activities. Tal Mandel Bar, product manager at DoControl, noted that APT40's strategy of targeting exposed vulnerabilities directly puts immense pressure on security teams to patch systems quickly.
"APT40's speed in exploiting new vulnerabilities is definitely concerning," Bar said. "They're essentially weaponizing PoC code almost as fast as it's published. This puts a lot of pressure on security teams to patch quickly."
Importance of Rapid Patching and Security Measures
The advisory underscores the critical importance of rapid patching, especially for internet-facing systems. Darren Guccione, co-founder and CEO at Keeper Security, emphasized the need for multi-factor authentication and regular audits of privileged accounts to counter APT40’s focus on compromised credentials.
"Teams also need to apply network segmentation and continuous monitoring, which will aid in catching intrusions early," Guccione added. "Additionally, having a solid incident response plan in place and running regular drills can keep teams prepared for cyber threats."
Organizations must regularly update their software and apply patches as soon as vulnerabilities are made public. Devices that are no longer maintained or cannot be patched quickly should be taken offline to mitigate the risk of exploitation.
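The patch-or-retire decision above can be made repeatable. The following is an added example, not code from the advisory or the article: a small triage routine that takes an asset inventory and assigns one action per device, ranking internet-facing systems with an APT40-exploited CVE and unpatchable end-of-life devices ahead of everything else. The inventory, the Asset fields and the action names are hypothetical; the CVE list is the one the article cites.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# CVEs the advisory names as exploited by APT40 (values from the article above).
APT40_EXPLOITED_CVES = frozenset({
    "CVE-2021-44228",                                      # Log4j
    "CVE-2021-26084",                                      # Atlassian Confluence
    "CVE-2021-31207", "CVE-2021-34523", "CVE-2021-34473",  # Microsoft Exchange
})

# Remediation actions, most urgent first; prioritize() sorts by this order.
ACTIONS = ["take-offline", "patch-now", "isolate",
           "patch-this-cycle", "plan-replacement", "monitor"]

@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    end_of_life: bool          # vendor no longer ships fixes
    patchable: bool            # a fix can be applied promptly
    open_cves: FrozenSet[str] = field(default_factory=frozenset)

def triage(asset: Asset) -> str:
    """Map one asset to a single remediation action (hypothetical policy)."""
    exploited = asset.open_cves & APT40_EXPLOITED_CVES
    if asset.end_of_life and not asset.patchable:
        # Unfixable device: if exposed or already vulnerable, remove it from the
        # network as the advisory recommends; otherwise contain it until replaced.
        return "take-offline" if (asset.internet_facing or exploited) else "isolate"
    if exploited:
        # Exploited-in-the-wild CVE: internet-facing systems are patched first.
        return "patch-now" if asset.internet_facing else "patch-this-cycle"
    if asset.end_of_life:
        return "plan-replacement"
    return "monitor"

def prioritize(assets: List[Asset]) -> List[Tuple[str, str]]:
    """Return (action, asset name) pairs, most urgent first, stable within an action."""
    return sorted(((triage(a), a.name) for a in assets),
                  key=lambda pair: ACTIONS.index(pair[0]))

# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    Asset("mail-edge-01", True, False, True, frozenset({"CVE-2021-34473", "CVE-2021-34523"})),
    Asset("wiki-internal", False, False, True, frozenset({"CVE-2021-26084"})),
    Asset("legacy-vpn-gw", True, True, False),
    Asset("lab-switch-09", False, True, False),
    Asset("build-runner", False, False, True),
]

if __name__ == "__main__":
    for action, name in prioritize(SAMPLE_INVENTORY):
        print(f"{action:18} {name}")
```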
The advisory from international security agencies serves as a stark reminder of the persistent and evolving threat posed by APT40. The group's ability to rapidly exploit new vulnerabilities and focus on end-of-life devices highlights the need for robust security measures, rapid patching, and continuous monitoring. By staying vigilant and proactive, organizations can better defend against the sophisticated attacks orchestrated by APT40 and other state-sponsored groups.
By implementing these security best practices, organizations can protect themselves from the relentless threat posed by APT40 and ensure their systems remain secure against emerging vulnerabilities.