China's APT40 Gang Can Attack New Vulns Within Hours
Arthur T Knackerbracket has processed the following story:
Law enforcement agencies from eight nations, led by Australia, have issued an advisory that details the tradecraft used by China-aligned threat actor APT40 - aka Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk - and found it prioritizes developing exploits for newly found vulnerabilities and can target them within hours.
The advisory describes APT40 as a "state-sponsored cyber group" and the People's Republic of China (PRC) as that sponsor. The agencies that authored the advisory - which come from Australia, the US, Canada, New Zealand, Japan, South Korea, the UK, and Germany - believe APT40 "conducts malicious cyber operations for the PRC Ministry of State Security (MSS)."
[...] The advisory is the result, and suggests that APT40 "possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability." The gang also watches networks of interest to look for unpatched targets.
"This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits," the advisory warns.
Those efforts yield results, because some systems have not been patched for problems identified as long ago as 2017. Some of the vulns APT40 targets are old news - Log4J (CVE 2021 44228), Atlassian Confluence (CVE-2021-31207, CVE-2021- 26084). and Microsoft Exchange (CVE-2021-31207, CVE 2021-34523, CVE-2021-34473) are high on the hit list.
[...] "APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors for its operations in Australia," the advisory observes. "Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation."
[...] The advisory outlines mitigation tactics that are said to offer decent defences against APT40. They're not rocket science: logging, patch management, and network segmentation are all listed.
So are multifactor authentication, disabling unused network services, use of web application firewalls, least privilege access, and replacement of end-of-life equipment.
Read more of this story at SoylentNews.