On July 8th, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA) and the United States Federal Bureau of Investigation (FBI), along with several international partners, issued an urgent advisory outlining a People’s Republic of China (PRC) state-sponsored cyber group targeting Australian and U.S. enterprises. Detailed information about this threat and the associated IOCs and TTPs can be found in the advisory, People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action.
This blog will share an overview of the threat and our coverage for this threat actor. As a SafeBreach customer, you will have access to all the attacks listed below and more to validate your organizational security controls against this state-sponsored APT group.
US-CERT Alert AA24-190A (APT40) – What You Should Know
APT40 is a PRC-sponsored threat actor that also goes by several other names, including Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk. The group has previously targeted and attacked organizations in several countries, including Australia and the United States. It is reported to be based in Haikou, Hainan Province, PRC, and to receive its tasking from the PRC MSS Hainan State Security Department.
It is critically important to note that APT40 constantly adapts its methods, exploiting newly discovered vulnerabilities to target its victims. The group regularly conducts reconnaissance against networks of interest to identify and compromise vulnerable, end-of-life or no-longer-maintained devices, using them to gain access to victim networks and deploy its exploits. It has been observed exploiting newly disclosed public vulnerabilities, within days of their disclosure, in widely used software such as Log4j (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473).
The group prefers exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns. It places a high priority on obtaining valid credentials to enable a range of follow-on activities, and it regularly uses web shells to maintain persistence.
Technical Details
The authoring agencies have provided two examples of how APT40 targets and attacks its victims. This information was gathered from thorough investigations of the compromised victim networks.
- Victim 1 – This victim was targeted and compromised between July and September 2022. In July 2022, APT40 tested and exploited a custom web application running on <webapp>2-ext, allowing them to establish a foothold in the network demilitarized zone (DMZ). From there they enumerated the network and all visible domains within it. Compromised credentials were then used to query Active Directory (AD) and exfiltrate data from multiple machines within the DMZ. They also carried out a Kerberoasting attack to obtain valid network credentials from a server. They then deployed an open-source tool (Secure Socket Funnelling) to connect to their malicious infrastructure. By September 2022, the victim had discovered the activity and blocked the actor’s IP addresses to prevent further access.
  - Reconnaissance was performed by searching victim-owned websites to identify compromise opportunities.
  - Initial access was gained by exploiting custom public-facing applications and leveraging stolen credentials to move further inside the victim network.
  - Execution was performed using a Command and Scripting Interpreter as well as open-source tools like Secure Socket Funnelling (SSF) to connect to malicious IPs.
  - Persistence was maintained with the use of a web shell.
  - Credential Access was gained through Kerberoasting.
  - Lateral Movement was achieved via Remote Services: SMB Shares.
  - Data was stolen and exfiltrated over a pre-established C2 channel.
- Victim 2 – This victim was compromised in April 2022, and the investigation revealed that the victim network had been compromised via the organization’s remote access login portal. The threat group is believed to have targeted the server using a widely publicized RCE vulnerability.
  - Initial access was gained by exploiting RCE, privilege escalation and authentication bypass vulnerabilities in the remote access login and identity management product.
  - The threat actors leveraged a Unix shell to run commands on the affected server.
  - Persistence was maintained with the use of several web shells on the affected server.
  - Privilege Escalation was also achieved via the use of web shells.
  - Network Discovery was performed using the scanning utility nmap.
  - Web shells were used for command and control, and compromised devices were used to launch attacks designed to blend in with normal network traffic.
Important Note for SafeBreach Customers – Coverage for US-CERT AA24-190A
As soon as details were made available, the SafeBreach Labs team added new attacks based on the advisory and immediately mapped existing attacks in the Hacker’s Playbook to this US-CERT alert. It is important to note that existing SafeBreach customers already had a good level of coverage against the BEHAVIORAL tactics leveraged by the APT40 threat group identified in the advisory. Please run or re-run the attacks listed below to ensure your environments are protected against these TTPs.
NEW IOC-Based Playbook Attacks Related to AA24-190A
- #10396 – Write APT40 (79a78f) webshell to disk
- #10397 – Transfer of APT40 (79a78f) webshell over HTTP/S
- #10398 – Transfer of APT40 (79a78f) webshell over HTTP/S
- #10399 – Email APT40 (79a78f) webshell as a compressed attachment
- #10400 – Email APT40 (79a78f) webshell as a compressed attachment
Existing Behavioral Attacks Related to AA24-190A
- #10142 – Create port proxy using netsh.exe (host level)
- #9527 – In memory credential extraction via MiniDumpWriteDump implemented in DLL (host level)
- #2175 – Discover Linux user configurations using Bash (Linux) (host level)
- #2206 – Extract Security Packages using PowerShell (host level)
- #6127 – Extract LSASS memory dump using Rundll32 (host level)
- #6807 – Extract credentials from ntds.dit file using volume shadow copy (host level)
- #7169 – Dump the SAM database from the registry (Windows) (host level)
- #7223 – NTDS.dit dump using ntdsutil (host level)
- #8303 – Pass the ticket (host level)
- #8370 – In memory credential extraction via MiniDumpWriteDump (host level)
- #8371 – In memory credential extraction via MiniDumpWriteDump and handle hijacking (host level)
- #8372 – Credential extraction via Pypykatz (host level)
- #8377 – Golden Ticket (host level)
- #9456 – Extract SAM credentials from registry (host level)
- #1339 – Remote command execution by PSExec (lateral movement)
- #6483 – Agentless lateral movement via SMB and RCE, using Token duplication (host level)
- #6550 – Agentless lateral movement via SMB and RCE, using Impersonated user (host level)
- #8020 – Agentless – Port scanning of local subnet network (host level)
- #8018 – Web application port scanning (lateral movement)
- #8019 – Port scanning target simulator (lateral movement)
- #8020 – Port scanning of local subnet network (host level)
- #1900 – Capture network packets using Libpcap (Linux) (host level)
- #1901 – Capture network packets using WinPcap (Windows) (host level)
- #1902 – Capture network packets using Libpcap (macOS) (host level)
- #2205 – Extract NTLM Hashes using Invoke-Kerberoast (PowerShell) (host level)
- #7225 – Extracting Active Directory tickets using Kerberoasting (host level)
- #2208 – Extract Credentials using Get-GPPPassword (PowerShell) (host level)
- #3819 – Windows Credentials Collection using LaZagne (host level)
- #810 – Linux – Credentials collector (host level)
- #228 – R57 Run Shell Command (lateral movement)
- #232 – WSO2 Webshell – Execute Whoami command (lateral movement)
- #264 – Remote Control using Meterpreter to Execute File Commands (lateral movement)
- #6861 – Remote exploitation of Apache Log4j vulnerability CVE-2021-44228 (infiltration)
- #6473 – Agentless lateral movement via RDP (host level)
- #6996 – Steal Web Session Cookie (Windows) (host level)
- #6997 – Steal Web Session Cookie (Linux) (host level)
- #6998 – Steal Web Session Cookie (Mac) (host level)
- #6909 – RDP Connection Between 2 Simulators (lateral movement)
- #6910 – RDP Tunneling (host level)
What You Should Do Now
SafeBreach customers can now validate their security controls against these TTPs in multiple ways.
Method 1 – Go to the “SafeBreach Scenarios” page and choose the AA24-190A (APT40) scenario from the list of available scenarios.
Method 2 – From the Attack Playbook, select and filter attacks related to US-CERT Alert AA24-190A (APT40). You can also refer to the list above to ensure a comprehensive level of coverage.
Method 3 – From the Known Attack Series report, select the US-CERT Alert AA24-190A (APT40) report and select Run Simulations, which will run all attack methods.
NOTE – FBI, CISA and their international partners recommend continually validating your security program, at scale, in a production environment to ensure optimal performance against the growing threat of advanced cyber attacks. Additional recommendations can be found in the advisory (linked below):
- Review and implement guidance on Windows Event Logging and Forwarding, including the configuration files and scripts in the Windows Event Logging Repository and the Information Security Manual’s Guidelines for System Monitoring; centralize logs and retain them for a suitable period.
- Promptly patch all internet exposed devices and services, including web servers, web applications, and remote access gateways.
- Segment networks to limit or block lateral movement by denying traffic between computers unless required.
- Disable unused or unnecessary network services, ports and protocols.
- Use well-tuned web application firewalls (WAFs) to protect web servers and applications.
- Enforce least privilege to limit access to servers, file shares, and other resources.
- For additional recommendations, please review the advisory in detail.
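Added example, not from the advisory or from SafeBreach: a defender-side check that applies the Windows Event Logging recommendation above to the Kerberoasting technique described for Victim 1. It scores constructed Security Event ID 4769 records for one account requesting RC4-encrypted service tickets for several distinct service accounts within a short window; the five-minute window, the threshold of three services and all sample values are assumptions.

```python
"""Flag likely Kerberoasting in Windows Security Event ID 4769 records.

Heuristic (MITRE T1558.003): one account requesting service tickets for many
distinct service accounts within a short window, using RC4 (0x17) encryption.
Machine accounts ("$" suffix) and krbtgt are skipped as routine noise.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 events, not real telemetry. Keys mirror the event's
# TargetUserName, ServiceName, TicketEncryptionType and IpAddress fields.
SAMPLE_EVENTS = [
    {"ts": "2022-07-14T09:00:01", "user": "jdoe", "service": "svc_sql", "etype": "0x17", "ip": "10.1.2.50"},
    {"ts": "2022-07-14T09:00:02", "user": "jdoe", "service": "svc_web", "etype": "0x17", "ip": "10.1.2.50"},
    {"ts": "2022-07-14T09:00:02", "user": "jdoe", "service": "svc_backup", "etype": "0x17", "ip": "10.1.2.50"},
    {"ts": "2022-07-14T09:00:03", "user": "jdoe", "service": "DB01$", "etype": "0x17", "ip": "10.1.2.50"},
    {"ts": "2022-07-14T09:05:00", "user": "alice", "service": "svc_sql", "etype": "0x12", "ip": "10.1.3.7"},
    {"ts": "2022-07-14T08:00:00", "user": "bob", "service": "svc_sql", "etype": "0x17", "ip": "10.1.3.9"},
    {"ts": "2022-07-14T08:30:00", "user": "bob", "service": "svc_web", "etype": "0x17", "ip": "10.1.3.9"},
    {"ts": "2022-07-14T09:10:00", "user": "bob", "service": "svc_backup", "etype": "0x17", "ip": "10.1.3.9"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP

def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {user: sorted services} for users that requested RC4 service
    tickets for at least min_services distinct service accounts within window."""
    by_user = defaultdict(list)
    for e in events:
        svc = e["service"]
        if e["etype"].lower() not in RC4_ETYPES:
            continue  # AES tickets are normal for modern clients
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # computer accounts have random passwords; krbtgt renewals are routine
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), svc))

    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()  # chronological order
        for i, (start, _) in enumerate(reqs):  # slide the window from each request
            seen = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(seen) >= min_services:
                hits[user] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

In the sample data only jdoe trips the check; alice uses AES and bob's three RC4 requests are spread over more than an hour, so neither is flagged at the default window.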