
China-backed APT40 Hacking Outfit Implicated for Samoa Cyberattacks


Samoa's national cybersecurity office issued an urgent advisory after the Chinese state-sponsored cyber outfit APT40 escalated its attacks on government and critical infrastructure networks across the Pacific. 

Samoa's Computer Emergency Response Team, or SamCERT, has warned that APT40 is using fileless malware and modified commodity malware to attack and persist within networks without being detected. 

The majority of Chinese nation-state activity has focused on Southeast Asia and Western nations, but the advisory, based on SamCERT investigations and intelligence from partner nations, warned of digital spying threats posed by the outfit's prolonged presence within targeted networks in the Blue Pacific region, which includes thousands of islands in the vast central Pacific Ocean. 

"It is essential to note that throughout our investigations we have observed the threat actor pre-positioning themselves in the networks for long periods of time and remaining undetected before conducting exfiltration activity," SamCERT noted. "This activity is sophisticated."

In August 2023, China-aligned APT40, tracked by Google as IslandDreams, launched a phishing attack aimed at victims in Papua New Guinea. The emails carried multiple attachments, including an exploit, a password-protected fake PDF that could not be read, and an .lnk file. The .lnk file was crafted to execute a malicious .dll payload fetched from either a hard-coded IP address or a file-sharing website.

The final stage of the assault attempts to install BoxRat, an in-memory backdoor for .NET that connects to the attackers' botnet command-and-control network via the Dropbox API.

APT40, which was previously linked to operations in the United States and Australia, has moved its attention to Pacific island nations, where it employs advanced tactics such as DLL side-loading, registry alterations, and memory-based malware execution. The group's methods also include using modified reverse proxies to gather sensitive data while concealing command-and-control communications. 

SamCERT's findings indicate that APT40 gains long-term access to networks, executing reconnaissance and data theft operations over extended periods. The outfit relies on lateral movement across networks, often using legitimate administrative tools to bypass security measures and maintain control. 

The agency recommends that organisations carry out methodical threat hunting, enable complete logging, and review their incident response procedures. It further recommends that endpoints and firewalls be patched immediately to close the vulnerabilities exploited by APT40.
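The advisory's "methodical threat hunting" and "complete logging" recommendations are easier to act on with concrete rules. The following is an added example, not code from SamCERT or from the post: two small hunting heuristics run over constructed Sysmon-style process records, one for a shortcut-launched rundll32/regsvr32 pulling a DLL from a bare IP address or network share (the .lnk-to-.dll chain described above), and one for classic DLL side-loading, where a DLL whose name shadows a System32 DLL is loaded from a user-writable directory. The event fields, host names, IP address and the list of "known system DLLs" are all assumptions chosen for the sample.

```python
"""Toy hunting rules over constructed process-creation / image-load records.

Added example, not part of the SamCERT advisory. Field names follow the
general shape of Sysmon events; the sample records and the heuristics are
assumptions about what the described tradecraft leaves in logs.
"""
import re
from dataclasses import dataclass

# Bare dotted-quad IP address reached via UNC (\\1.2.3.4\share) or http(s)://1.2.3.4/
IP_OR_UNC = re.compile(
    r"(\\\\\d{1,3}(?:\.\d{1,3}){3}\\|https?://\d{1,3}(?:\.\d{1,3}){3}[/:])", re.I
)
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Directories a standard user can write to; a legitimate signed binary plus
# a DLL living here is the usual side-loading setup (assumed list).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str
    loaded_dll: str = ""  # set on image-load style records, "" otherwise


def lnk_remote_dll_rule(ev):
    """Flag rundll32/regsvr32 whose command line points at a DLL on a bare IP or UNC path."""
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if exe not in DLL_LOADERS:
        return None
    if not IP_OR_UNC.search(ev.command_line):
        return None
    return f"{ev.host}: {exe} loading DLL from remote path: {ev.command_line}"


def sideload_rule(ev, known_system_dlls):
    """Flag a DLL loaded from a user-writable directory whose file name shadows a System32 DLL."""
    if not ev.loaded_dll:
        return None
    dll_path = ev.loaded_dll.lower()
    if not dll_path.startswith(USER_WRITABLE):
        return None
    name = dll_path.rsplit("\\", 1)[-1]
    if name not in known_system_dlls:
        return None
    return f"{ev.host}: {ev.image} side-loaded {name} from {dll_path}"


def hunt(events, known_system_dlls=frozenset({"version.dll", "dbghelp.dll"})):
    """Run both rules over a sequence of ProcessEvent records; return the list of hits."""
    findings = []
    for ev in events:
        for hit in (lnk_remote_dll_rule(ev), sideload_rule(ev, known_system_dlls)):
            if hit:
                findings.append(hit)
    return findings


# Constructed sample: two benign records and two that match the rules.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\rundll32.exe",
                 "rundll32.exe \\\\203.0.113.5\\share\\update.dll,Start"),
    ProcessEvent("ws01", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\rundll32.exe",
                 "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
    ProcessEvent("ws02", "C:\\Windows\\explorer.exe",
                 "C:\\Users\\alice\\AppData\\Roaming\\Updater\\signed.exe", "signed.exe",
                 loaded_dll="C:\\Users\\alice\\AppData\\Roaming\\Updater\\version.dll"),
    ProcessEvent("ws02", "C:\\Windows\\explorer.exe", "C:\\Program Files\\Tool\\tool.exe",
                 "tool.exe", loaded_dll="C:\\Windows\\System32\\version.dll"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Both rules are deliberately narrow so they stay explainable during triage; in practice the side-loading rule is only as good as the list of DLL names fed into it, so that list should be generated from the hosts' own System32 inventory rather than hand-maintained.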

Chinese APT40 Attackers Exploit SOHO Routers to Launch Attacks


Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the United Kingdom, and the United States have issued a joint advisory about APT40, a China-linked cyber espionage group, warning regarding its ability to co-opt exploits for newly disclosed security vulnerabilities within hours or days of public release.

"APT40 has previously targeted organizations in various countries, including Australia and the United States," the agencies noted. "Notably, APT40 possesses the ability to quickly transform and adapt vulnerability proofs-of-concept (PoCs) for targeting, reconnaissance, and exploitation operations."

The threat group, also known as Bronze Mohawk, Gingham Typhoon (previously Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, has been active since at least 2011, carrying out cyber attacks against companies in the Asia Pacific region. It is believed to be based in Haikou.

In July 2021, the US and its allies officially identified the group as being linked to China's Ministry of State Security (MSS), indicting several members of the hacking crew for orchestrating a multiyear campaign aimed at various sectors to facilitate the theft of trade secrets, intellectual property, and high-value information. 

Over the last few years, APT40 has been linked to intrusion waves that distribute the ScanBox reconnaissance framework, as well as the exploitation of a security vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) as part of a phishing effort targeting Papua New Guinea to deliver a backdoor known as BOXRAT. Then, earlier this March, the New Zealand government implicated the threat actor in the 2021 deal between the Parliamentary Counsel Office and the Parliamentary Service.

The group has also been observed using out-of-date or unpatched devices, such as small-office/home-office (SOHO) routers, as part of its attack infrastructure in an attempt to reroute malicious traffic and avoid detection, a strategy similar to that used by other China-based groups such as Volt Typhoon.

According to Google-owned Mandiant, this is part of a larger shift in Chinese cyber espionage activity that aims to prioritise stealth by increasingly weaponizing network edge devices, operational relay box (ORB) networks, and living-off-the-land (LotL) techniques to avoid detection. 

Attack chains also include reconnaissance, privilege escalation, and lateral movement actions that use the remote desktop protocol (RDP) to steal credentials and exfiltrate sensitive information. To reduce the risks posed by such threats, organisations should maintain adequate logging mechanisms, enforce multi-factor authentication (MFA), implement an effective patch management system, replace obsolete equipment, disable unused services, ports, and protocols, and segment networks to prevent access to sensitive data.
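The RDP-driven lateral movement mentioned above leaves a recognisable trace in Windows Security logs: RemoteInteractive logons (event 4624, LogonType 10) from one account fanning out to several machines in a short time. The following is an added example, not code from the joint advisory or from any of the vendors named on this page: a fan-out heuristic run over constructed logon records (the host names, account names, addresses and the thresholds are all made up for the sample).

```python
"""Fan-out heuristic for RDP lateral movement over constructed 4624-style records.

Added example, not part of the advisory. Each record is
(timestamp, destination host, account, logon type, source address);
LogonType 10 is RemoteInteractive (RDP). All values below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGONS = [
    # one account hopping across four servers in ten minutes from one source
    ("2024-05-01T01:02:00", "srv-file01", "CORP\\jdoe", 10, "10.0.5.20"),
    ("2024-05-01T01:05:00", "srv-db02", "CORP\\jdoe", 10, "10.0.5.20"),
    ("2024-05-01T01:09:00", "srv-app03", "CORP\\jdoe", 10, "10.0.5.20"),
    ("2024-05-01T01:12:00", "dc01", "CORP\\jdoe", 10, "10.0.5.20"),
    # ordinary activity: console logon, then repeated RDP to a single file server
    ("2024-05-01T09:00:00", "ws-alice", "CORP\\alice", 2, "-"),
    ("2024-05-01T09:30:00", "srv-file01", "CORP\\alice", 10, "10.0.7.44"),
    ("2024-05-01T14:00:00", "srv-file01", "CORP\\alice", 10, "10.0.7.44"),
]


def parse(rec):
    """Turn the ISO timestamp into a datetime; pass the other fields through."""
    ts, dst, user, logon_type, src = rec
    return datetime.fromisoformat(ts), dst, user, logon_type, src


def rdp_fanout(logons, window=timedelta(minutes=30), max_hosts=3):
    """Return (account, source, hosts) for each account/source pair that reaches
    more than `max_hosts` distinct machines over RDP within any `window`.

    Only LogonType 10 is considered; thresholds are assumptions to tune per estate.
    """
    by_key = defaultdict(list)
    for ts, dst, user, logon_type, src in map(parse, logons):
        if logon_type == 10:
            by_key[(user, src)].append((ts, dst))

    findings = []
    for (user, src), events in by_key.items():
        events.sort()
        # slide the window start over each logon and count distinct destinations
        for i, (start, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                findings.append((user, src, tuple(sorted(hosts))))
                break  # one finding per account/source pair is enough for triage
    return findings


if __name__ == "__main__":
    for user, src, hosts in rdp_fanout(SAMPLE_LOGONS):
        print(f"{user} from {src} reached {len(hosts)} hosts over RDP: {', '.join(hosts)}")
```

Keyed on account plus source address, the rule separates an administrator's normal jump-host pattern from a credential being reused from an unexpected machine; the same structure works for other logon types if the threat model includes WinRM or SMB rather than RDP.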