A state-sponsored cyberespionage group from China is attacking networks in the United States and China by very quickly adopting proof-of-concept (POC) exploits of vulnerabilities in popular software, according to an alert issued by cybersecurity agencies in those countries and others this week.

The advanced persistent threat group, APT40 – also known as Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk – is evolving some of its techniques as it targets networks in Australia and the region, with the alert noting attacks in other countries as well.

The notification was written by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) as well as CISA, the FBI, and National Security Agency (NSA), and the UK’s National Cyber Security Centre. Agencies from other countries, including Canada, Germany, South Korea, and New Zealand also contributed.

APT40, which the agencies said is support by the Ministry of State Security of People’s Republic of China (PRC), has rapidly exploited vulnerabilities that were made newly public in such software as Microsoft Exchange (CVE-2021-31027, CVE-2021-34523, and CVE-2021-34473), Atlassian’s Confluence web-based corporate wiki (CVE-2021-31207 and CVE-2021-26084) and Log4j (CVE-2021-44228), with the vulnerability discovered in 2021 that gave hackers control of devices running unpatched versions the ubiquitous logging tool.

Vulnerabilities Rather Than Phishing

APT40 “appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range of follow-on activities,” the agencies wrote in the alert. “APT40 regularly uses web shells for persistence, particularly early in the life cycle of an intrusion.”

In addition, the group “typically, after successful initial access … focuses on establishing persistence to maintain access on the victim’s environment. However, as persistence occurs early in an intrusion, it is more likely to be observed in all intrusions – regardless of the extent of compromise or further actions taken.”

APT40 in the past had used compromised websites in Australia as command-and-control (C2) sites, but more recently has adopted a global trend among Chinese-linked groups and other bad actors of using compromised devices like small-office and home office (SOHO) systems for its infrastructure and last-hop redirectors, which enables security agencies around the world to better track the group’s movement.

“Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation,” they wrote. “Once compromised, SOHO devices offer a launching point for attacks that is designed to blend in with legitimate traffic and challenge network defenders. This technique is also regularly used by other PRC state-sponsored actors worldwide, and the authoring agencies consider this to be a shared threat.”

Tactics Include Web Shells, RDP

The agencies wrote that after the initial exploitation of the software and the use of web shells for persistence, the threat actors use such remote services like Remote Desktop Protocol (RDP) and SMB/Windows Share to move laterally through infected networks. They then use the C2 infrastructure to exfiltrate information and cover their activities by removing indicators, obfuscating files, and impairing defenses.

“APT40 does occasionally use procured or leased infrastructure as victim-facing C2 infrastructure in its operations; however, this tradecraft appears to be in relative decline,” the agencies wrote.

The ASD’s ACSC also outlined two APT40 attacks on organizations in Australia in 2022, outlining the agency’s investigation of the group’s tactics.

Don’t Forget Volt Typhoon

The alert mirrors a similar one in February from U.S. and international agencies about Volt Typhoon, another PRC-supported group that CISA warned had already compromised the networks of critical infrastructure entities in the country, essentially prepositioning themselves to disrupt or destroy operations in case of increased geopolitical tensions or a war between the United States and China. Some of the networks had been compromised five years earlier.

“Both groups exhibit highly sophisticated attack methods, yet their objectives differ,” said Chris Grove, director of cybersecurity strategy at industrial security firm Nozomi Networks. APT40 primarily engages in espionage, whereas Volt Typhoon focuses on potential sabotage of critical infrastructure. Both groups employ ‘living off the land’ techniques, which utilize legitimate system tools to blend in and evade detection, complicating the defense setup and making detection more challenging.”

The approach “necessitates hands-on involvement from the attackers, who manually breach defenses rather than relying solely on automated tools,” Grove said.

The Need for Patch Speed

How quickly APT40 exploits new vulnerabilities also is a concern and heightens the need for security teams to quickly patch their software, according to Tal Mandel Bar, product manager at software-as-a-service (SaaS) platform maker DoControl.

“The focus on public-facing infrastructure is interesting,” Bar said. “It shows they’re looking for the path of least resistance. Why bother with elaborate phishing campaigns when you can just hit exposed vulnerabilities directly? For security teams, this really emphasizes the importance of rapid patching, especially for internet-facing systems. You can’t afford to drag your feet when APT40 could be exploiting a new vulnerability within hours.”

It also illustrates the need for organizations to monitor their external attack surface, finding what is exposed and locking it down, he said.