By Nathalia Ordonio Magalhaes Palmeira
CISA has released an alert about the APT40 group, which has been active for more than ten years and has been responsible for numerous espionage campaigns. In this post I have gathered information on the group's attack methods and on the recommended mitigations, in order to raise the level of protection against, and detection of, its attacks.
Overview: APT40 Group
APT40 is a group that is located in Haikou, Hainan province, People's Republic of China, and has been active since at least 2009 in support of China's naval modernization effort. It targets government organizations, companies and universities in a wide range of industries, including biomedical, robotics and maritime research - in the United States, Canada, Europe, the Middle East and the South China Sea area, as well as industries included in China's Belt and Road Initiative.
FireEye believes that APT40 is a state-sponsored Chinese cyber espionage operation, as the group's targets are consistent with Chinese state interests and there are several technical artifacts indicating that the group is based in China. Analysis of the operational times of the group's activities indicates that it is probably centered on China Standard Time (UTC +8). In addition, several APT40 command and control (C2) domains were initially registered by China-based domain resellers and had Whois records with location information in China, suggesting a China-based infrastructure acquisition process.
In addition, APT40 also used various IP addresses located in China to conduct its operations. In one case, a log file retrieved from an open indexed server revealed that an IP address 112.66.188.28 located in Hainan, China, had been used to administer the command and control that was communicating with malware on the victims' machines. All the logins for this C2 came from computers configured with Chinese language settings.
Additionally, a group calling itself Intrusion Truth, which carries out doxing¹ of Chinese hackers, published information on its blog pointing to the group's origin in Hainan. According to them, "APT groups in China have a common project: hired hackers and specialists, front companies and an intelligence officer. We know that several areas of China each have their own APT." They claim to have identified 13 different (front) companies with identical job ads, contact details and office locations, all recruiting people with offensive hacking skills. "Although it was difficult to find people working for these companies, we identified several individuals and concluded that this network of companies was actually APT40," the group reveals.
On July 19, 2021, the US Department of Justice unsealed an indictment against four individuals who the country believes are part of APT40. According to the document, the group used anonymizing services, such as The Onion Router (TOR), to access malware on victims' networks and to manage its infrastructure, including servers, domains and email accounts. The group also tried to disguise its hacking activity behind other legitimate services. For example, it used GitHub to store malware and stolen data, hidden using steganography. It also embedded Dropbox Application Programming Interface (API) keys in commands to upload stolen data directly to Dropbox accounts under its control, so that to network defenders the exfiltration would look like an employee's legitimate use of Dropbox.
- ¹ doxing: the act of revealing information that identifies someone on the Internet, such as real name, addresses, telephone numbers, financial data and other information, and then making it publicly available online, for general knowledge and without any authorization from the victim.
Initial compromise
APT40 has been observed using a variety of techniques for initial compromise, including web server exploitation, phishing campaigns that deliver both publicly available and custom backdoors, and strategic web compromises.
In phishing attacks, the group usually poses as an individual likely to be of interest to the victim in order to send malicious emails. This includes posing as a journalist, an individual from a trade publication, or someone from a military organization or a relevant non-governmental organization (NGO). In some cases the group has used previously compromised email addresses to send spear-phishing emails, which usually carry malicious attachments, although Google Drive links have also been reported. The group also makes use of exploits in its phishing operations, often taking advantage of vulnerabilities within days of their disclosure.
APT40 has been observed using malware from at least 51 different code families. Of these, 37 are non-public. At least seven of these non-public tools (BADSIGN, FIELDGOAL, FINDLOCK, PHOTO, SCANBOX, SOGU and WIDETONE) are shared with other groups suspected of a connection to China.
Establishing a foothold
APT40 uses a variety of malware and tools to establish its access, many of which are publicly available or used by other threat groups. In some cases the group has used executables signed with code-signing certificates to avoid detection.
- First-stage backdoors such as AIRBREAK, FRESHAIR and BEACON are used before downloading other payloads;
- PHOTO, BADFLICK and CHINA CHOPPER are among the backdoors most frequently observed in use by APT40;
- The group often targets VPN and remote desktop credentials to establish a foothold in the victim's environment.
Escalation of Privileges
APT40 uses a combination of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes. The group also uses custom credential-stealing utilities such as HOMEFRY, a password dumper/cracker used alongside the AIRBREAK and BADFLICK backdoors. In addition, the Windows Sysinternals ProcDump utility and Windows Credential Editor (WCE) are also believed to be used during intrusions.
Internal Reconnaissance
Logging in to other systems with compromised credentials is part of the group's reconnaissance. At this stage the group also takes advantage of RDP, SSH and legitimate software already present in the victim's environment, a variety of native Windows features, publicly available tools, and custom scripts to facilitate internal reconnaissance.
- APT40 used MURKYSHELL at one victim organization to port-scan IP addresses and conduct network enumeration;
- APT40 often uses native Windows commands, such as net.exe, to perform internal reconnaissance of the victim's environment;
- Web shells are used heavily at almost every stage of the attack lifecycle. Internal web servers are often not configured with the same security controls as their public-facing counterparts, making them more vulnerable to exploitation by APT40 and similarly sophisticated groups.
Lateral movement
APT40 uses many methods for lateral movement within an environment, including custom scripts, web shells, a variety of tunneling tools, and Remote Desktop Protocol (RDP). On each newly compromised system the group usually executes malware, performs additional reconnaissance and steals data.
- It also uses native Windows utilities such as at.exe (a task scheduler) and net.exe (a network resource management tool) for lateral movement;
- Although MURKYTOP is primarily a command-line reconnaissance tool, it can also be used for lateral movement;
- APT40 also uses publicly available brute-force tools and a custom utility called DISHCLOTH to attack different protocols and services.
Maintaining presence
APT40 mainly uses backdoors, including web shells, to maintain a presence within the victim's environment. These tools allow continued control of key systems on the target network.
- APT40 strongly prefers web shells, especially publicly available ones, to maintain its presence;
- The tools used during the "Establishing a foothold" phase continue to be used in this phase; this includes AIRBREAK and PHOTO;
- Some of the group's malware can evade typical detection by using legitimate sites such as GitHub, Google and Pastebin for initial C2 communications;
- The common TCP ports 80 and 443 are used so that C2 traffic blends in with routine network traffic.
Completing the mission
Since the main goal of the intrusion is the collection of information, the final phase can involve moving files through several systems until they reach their final destination. APT40 has been observed compressing files acquired from victims' networks using the rar.exe tool, which both compresses and encrypts the data before exfiltration. It has also been reported using a tool developed by APT40 itself, PAPERPUSH, to make its data targeting more effective.
Information on APT40's tactics and techniques mapped to the MITRE ATT&CK® framework can be found in the ATT&CK entry for the group (G0065), listed in the references.
Mitigation
To help protect and defend corporate networks, and to help security professionals identify and remediate APT40 intrusions, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recommend the following practices in their advisory:
Network - Defense in Depth
Adequate network defense in depth and adherence to information security best practices can help mitigate the threat and reduce the risk.
Patch and vulnerability management
- Install vendor-supplied and verified patches on all systems for critical vulnerabilities, prioritizing patches of Internet-connected servers and Internet data processing software - such as web browsers, browser plug-ins and document readers;
- Ensure that appropriate mitigation steps or compensating controls are implemented for vulnerabilities that cannot be patched in a timely manner;
- Keep antivirus signatures and mechanisms up to date;
- Routinely audit configuration and patch management programs to ensure the ability to track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hinder the sophisticated operations of cyber threat actors and protect information resources and systems.
Protecting credentials
- Strengthen credential requirements, regularly change passwords and implement multi-factor authentication to protect individual accounts, especially for webmail and VPN access and for accounts that access critical systems. Do not reuse passwords for multiple accounts;
- Audit all remote authentications from trusted networks or service providers. Detect mismatches by correlating credentials used on internal networks with those used on external systems;
- Log the use of system administrator commands such as net, ipconfig and ping;
- Apply the principle of least privilege.
Hygiene and network monitoring
- Actively scan and monitor Internet-accessible applications for unauthorized access, modification and anomalous activity;
- Actively monitor server disk usage and audit for significant changes;
- Log DNS queries and consider blocking all outgoing DNS requests that do not originate from approved DNS servers. Monitor DNS queries for C2 over DNS;
- Develop and monitor network and system baselines to enable identification of anomalous activity. Audit logs for suspicious behavior;
- Identify and suspend the access of users who display unusual activity;
- Use whitelisting or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps an administratively privileged share on a Windows system;
- Use multi-source threat reputation services for files, DNS, URLs, IP addresses and e-mail addresses;
- Network device management interfaces - such as Telnet, Secure Shell (SSH), Winbox and HTTP - should be turned off for wide area network (WAN) interfaces and protected with strong passwords and encryption when enabled;
- When possible, segregate critical information on air-gapped systems. Use strict access control measures for critical data.
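The following is an added example, not code from the CISA/FBI advisory, showing how three of the monitoring items above can be turned into concrete checks: logging the use of admin commands such as net, ipconfig and ping (process-creation events), detecting when a user maps an administrative share (share-access events), and spotting DNS traffic that does not go through approved resolvers. The event field names follow the Windows Security log, but the event values, flow records, resolver addresses and the extra binaries in the watch list (at.exe, schtasks.exe, taken from the lateral-movement section) are constructed assumptions for the example.

```python
# Added example (not from the advisory): detection checks over constructed
# Windows Security events and DNS flow records. All sample data is invented.
import json
from pathlib import PureWindowsPath

# Native binaries the advisory asks to log; at.exe and schtasks.exe are an
# assumption drawn from the lateral-movement section of this post.
ADMIN_COMMANDS = {"net.exe", "net1.exe", "ipconfig.exe", "ping.exe", "at.exe", "schtasks.exe"}

# Assumption: the only hosts allowed to send DNS queries to the Internet.
APPROVED_DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed Security log events as JSON lines (4688 = process creation,
# 5140 = network share object accessed). Values are invented.
SAMPLE_EVENTS = r"""
{"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user /domain"}
{"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe", "ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.5.20"}
{"EventID": 5140, "Computer": "FS01", "SubjectUserName": "asmith", "ShareName": "\\\\*\\Public", "IpAddress": "10.0.5.21"}
{"EventID": 5140, "Computer": "FS01", "SubjectUserName": "asmith", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.5.21"}
{"EventID": 4688, "Computer": "SRV02", "SubjectUserName": "svc_web", "NewProcessName": "C:\\Windows\\System32\\PING.EXE", "CommandLine": "ping -n 1 10.0.0.1"}
"""

# Constructed flow records: src_ip,dst_ip,dst_port,proto
SAMPLE_FLOWS = """\
10.0.5.20,8.8.8.8,53,udp
10.0.0.53,203.0.113.10,53,udp
10.0.5.21,10.0.0.53,53,udp
10.0.5.22,93.184.216.34,443,tcp
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def admin_command_alerts(events: list) -> list:
    """Process-creation events whose image is one of the watched admin commands."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        exe = PureWindowsPath(ev["NewProcessName"]).name.lower()
        if exe in ADMIN_COMMANDS:
            hits.append((ev["Computer"], ev["SubjectUserName"], exe, ev["CommandLine"]))
    return hits


def admin_share_alerts(events: list) -> list:
    """Share-access events for administrative shares (ADMIN$, C$, ...).

    IPC$ is excluded: nearly every SMB session touches it, so it would drown
    the signal; correlate it separately if needed.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 5140:
            continue
        share = ev["ShareName"].rsplit("\\", 1)[-1].upper()
        if share.endswith("$") and share != "IPC$":
            hits.append((ev["Computer"], ev["SubjectUserName"], ev["ShareName"], ev["IpAddress"]))
    return hits


def rogue_dns_egress(flows_text: str) -> list:
    """DNS flows in which neither endpoint is an approved resolver.

    Clients should only talk to internal resolvers and only those resolvers
    should reach external DNS; anything else is a candidate for C2 over DNS,
    or at least a misconfigured host worth a look.
    """
    rogue = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, _proto = line.split(",")
        if port == "53" and src not in APPROVED_DNS_SERVERS and dst not in APPROVED_DNS_SERVERS:
            rogue.append((src, dst))
    return rogue


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for alert in admin_command_alerts(events) + admin_share_alerts(events):
        print("ALERT", alert)
    for src, dst in rogue_dns_egress(SAMPLE_FLOWS):
        print("ROGUE DNS", src, "->", dst)
```

Process-creation auditing (event 4688 with command-line logging enabled) and file-share auditing (event 5140) must be switched on in the audit policy for the first two checks to have anything to read; the DNS check assumes that egress flow logs from the perimeter are available, and that the approved-resolver list is kept in step with the firewall rule that blocks everyone else's outbound port 53.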
IOCs - Indicators of Compromise
Domains
MD5 Malware Hashes
Warning: To discover malicious activity, incident response analysts look for indicators of compromise (IOCs) in network and host-based artifacts and evaluate the results, eliminating false positives along the way. For example, some MD5 IOCs in the table below identify legitimate tools, such as PuTTY, cmd.exe, svchost.exe, etc., as indicators of compromise. Although the tools themselves are not malicious, the APT40 actors placed and used them in non-standard folders on the victims' systems during the intrusion. If a legitimate tool is identified by an incident responder, the location of the tool should be evaluated to eliminate false positives or uncover malicious activity.
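The caveat above is worth encoding in the triage logic rather than leaving it to memory. The following added example, which is not part of the advisory, matches a host's file inventory against a set of MD5 IOCs and escalates a hit on a legitimate tool only when the file sits outside the directory that tool normally ships in. Every hash below is derived from constructed bytes so the script runs offline; they are stand-ins, not real APT40 indicators, and the expected-directory table, hostnames and paths are assumptions for the example.

```python
# Added example (not from the advisory): hash-based IOC triage that treats a
# legitimate tool in a non-standard location as suspicious and the same tool
# in its normal location as a likely false positive. All data is constructed.
import hashlib
from pathlib import PureWindowsPath


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed stand-ins for the advisory's MD5 IOCs (NOT real indicators).
# The value is the legitimate tool the hash belongs to, or None for malware.
IOC_MD5 = {
    md5_hex(b"constructed: putty build"): "putty.exe",
    md5_hex(b"constructed: cmd build"): "cmd.exe",
    md5_hex(b"constructed: svchost build"): "svchost.exe",
    md5_hex(b"constructed: custom backdoor"): None,
}

# Assumption: where each legitimate tool is expected to live (lower-cased).
EXPECTED_DIRS = {
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "putty.exe": {r"c:\program files\putty", r"c:\program files (x86)\putty"},
}

# Constructed host file inventory: (hostname, path, md5)
SAMPLE_INVENTORY = [
    ("WS01", r"C:\Windows\System32\cmd.exe", md5_hex(b"constructed: cmd build")),
    ("WS01", r"C:\ProgramData\Temp\cmd.exe", md5_hex(b"constructed: cmd build")),
    ("SRV02", r"C:\inetpub\wwwroot\images\svchost.exe", md5_hex(b"constructed: svchost build")),
    ("SRV02", r"C:\Program Files\PuTTY\putty.exe", md5_hex(b"constructed: putty build")),
    ("SRV02", r"C:\Users\Public\p.exe", md5_hex(b"constructed: putty build")),
    ("FS01", r"C:\Windows\Temp\update.dat", md5_hex(b"constructed: custom backdoor")),
    ("FS01", r"C:\Windows\System32\calc.exe", md5_hex(b"constructed: unrelated binary")),
]


def triage(inventory: list) -> list:
    """Return (verdict, host, path) for every inventory entry whose hash is an IOC.

    Verdicts:
      malware          - the hash has no legitimate counterpart
      suspicious-path  - a legitimate tool outside any expected directory
      likely-benign    - a legitimate tool in its normal location (keep for correlation)
    Files whose hash is not in the IOC set produce no finding.
    """
    findings = []
    for host, path, digest in inventory:
        if digest not in IOC_MD5:
            continue
        tool = IOC_MD5[digest]
        if tool is None:
            findings.append(("malware", host, path))
            continue
        parent = str(PureWindowsPath(path).parent).lower()
        if parent in EXPECTED_DIRS.get(tool, set()):
            findings.append(("likely-benign", host, path))
        else:
            findings.append(("suspicious-path", host, path))
    return findings


if __name__ == "__main__":
    for verdict, host, path in triage(SAMPLE_INVENTORY):
        print(f"{verdict:16} {host:6} {path}")
```

Note that the check keys on the hash, not the file name: a renamed PuTTY in C:\Users\Public is still recognised and flagged, and a copy of cmd.exe under ProgramData is flagged even though its name is "correct". A "likely-benign" verdict is a reason to drop the alert from the queue, not to stop looking: correlate the host with the other findings before closing it.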
Conclusion
APT40 has focused on countries that are strategically important to China's Belt and Road Initiative, including Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States and the United Kingdom. In addition, a 2018 Recorded Future study on the group reported scanning and probing of networks belonging to government departments and commercial entities in Mongolia, Kenya and Brazil. Each of these countries is an important investment destination under the Chinese initiative.
This initiative is one of President Xi Jinping's most ambitious projects, building infrastructure that connects countries in Southeast Asia, Central Asia, the Middle East, Europe and Africa, which is why it is considered strategic by almost every intelligence agency and is described by FireEye as a "driver of regional cyber threat activity".
As China is a trading partner of Brazil, it is important and necessary to understand groups like APT40, which could target Brazil in future attacks.
References
- https://attack.mitre.org/groups/G0065/
- https://us-cert.cisa.gov/ncas/alerts/aa21-200a
- https://us-cert.cisa.gov/ncas/alerts/aa20-275a
- https://go.recordedfuture.com/hubfs/reports/cta-2018-0816.pdf
- https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu/
- https://www.fireeye.com/current-threats/apt-groups.html#apt40
- https://www.justice.gov/opa/press-release/file/1412921/download
- https://www.recordedfuture.com/chinese-cyberespionage-operations/
- https://securityaffairs.co/wordpress/75448/apt/bri-cyber-espionage-china.html
- https://securityaffairs.co/wordpress/96364/apt/china-linked-apt40-front-companies.html
- https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html
- https://www.zdnet.com/article/report-chinese-hacking-group-apt40-hides-behind-network-of-front-companies/
- https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company/
- https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion
- https://us-cert.cisa.gov/sites/default/files/publications/CSA_TTPs-of-Indicted-APT40-Actors-Associated-with-China-MSS-Hainan-State-Security-Department.pdf
- https://www.vice.com/en/article/wjka84/intrusion-truth-group-doxing-hackers-chinese-intelligence