Kryptonite Panda hackers

A joint advisory from international cybersecurity agencies and law enforcement warns of the tactics used by the Chinese state-sponsored APT 40 hacking group and their hijacking of SOHO routers to launch cyberespionage attacks.

APT40, also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk, has been active since at least 2011, targeting government organizations and key private entities in the US and Australia.

Previously, APT40 was linked to a wave of attacks targeting over 250,000 Microsoft Exchange servers using the ProxyLogon vulnerabilities and campaigns involving exploiting flaws in widely used software, such as WinRAR.

APT40 activity overview

As cybersecurity authorities and government agencies from Australia, the United States, the United Kingdom, Canada, New Zealand, Germany, Korea, and Japan said, APT40 exploits vulnerabilities in public-facing infrastructure and edge networking devices rather than relying on techniques that require human interaction, such as phishing emails and social engineering.

The threat actors are known to rapidly exploit new vulnerabilities as they are publicly disclosed, with the advisory pointing out flaws in Log4J, Atlassian Confluence, and Microsoft Exchange as examples.

"Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilise them against target networks possessing the infrastructure of the associated vulnerability," reads the joint advisory authored by Australia's ACSC.

"APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies' countries, looking for opportunities to compromise its targets."

After breaching a server or networking device, the Chinese hackers deploy web shells for persistence using Secure Socket Funnelling and then use valid credentials captured via Kerberoasting along with RDP for lateral movement through a network.

Of particular interest, the threat actors commonly breach end-of-life small-office/home-office (SOHO) routers using N-day vulnerabilities and hijack them to act as operational infrastructure. These hijacked devices act as network proxies used by APT40 to launch attacks while blending in with legitimate traffic originating from the hijacked router.

Other Chinese APT groups are also known to utilize operational relay box (ORB) networks, which are made up of hijacked EoL routers and IoT devices. These proxy meshes are administered by independent cybercriminals who provide access to multiple state-sponsored actors (APTs) for proxying malicious traffic.

In the final phase of cyberespionage attacks, APT40 accesses SMB shares and exfiltrates data to a command and control (C2) server while removing event logs and deploying software to maintain a stealthy presence on the breached network.
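As an added example that is not part of the advisory or this article, the detection logic below runs over constructed Windows Security events (field names follow the 4769 and 1102 event schema; all values are made up) and flags two of the behaviours described above: one account requesting RC4-encrypted service tickets for many distinct services, the classic Kerberoasting signature, and audit log clearing.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). 4769 = Kerberos service ticket
# requested; 1102 = the Security audit log was cleared.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "sql-svc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "http-svc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "backup-svc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "sql-svc",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.7.8"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "file-svc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.7.8"},
    {"EventID": 1102, "SubjectUserName": "bob", "Computer": "WEB01"},
]

# RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18): weak ticket encryption types that
# roasting tools request because the resulting hashes are cheap to crack offline.
RC4_ETYPES = {"0x17", "0x18"}


def detect_kerberoasting(events, threshold=3):
    """Map each account to the distinct non-machine services it requested RC4
    tickets for, keeping only accounts at or above the threshold."""
    by_user = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769:
            continue
        if e.get("TicketEncryptionType", "").lower() not in RC4_ETYPES:
            continue
        svc = e.get("ServiceName", "")
        # Machine accounts and krbtgt are noise for this signature.
        if svc.endswith("$") or svc == "krbtgt":
            continue
        by_user[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= threshold}


def detect_log_clearing(events):
    """Return (who, host) for every audit-log-cleared event; any hit is worth a ticket."""
    return [(e.get("SubjectUserName"), e.get("Computer"))
            for e in events if e.get("EventID") == 1102]
```

Tune the threshold to the environment: service accounts that legitimately still use RC4 should be migrated to AES so that remaining RC4 requests become a high-fidelity signal.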

[Figure: APT40 attacks overview. Source: CISA]

Case studies

The advisory contains two case studies from 2022, which serve as good examples to highlight APT40's tactics and procedures.

In the first case, spanning July to September 2022, APT40 exploited a custom web application to establish a foothold in an Australian organization's network.

Using web shells, they conducted network reconnaissance, accessed the Active Directory, and exfiltrated sensitive data, including privileged credentials.

[Figure: Timeline of the first attack case study. Source: CISA]

The second case study concerns an incident that occurred between April and May 2022, when APT40 compromised an organization by exploiting RCE flaws on a remote access login portal.

They deployed web shells, captured hundreds of username-password pairs, MFA codes, and JSON Web Tokens (JWTs), and eventually escalated their privileges to scrape an internal SQL server.

Detecting and mitigating attacks

The advisory provides a series of recommendations to mitigate and defend against APT40 and similar state-sponsored cyber threats, including known file paths used by the threat actors to deploy tools and malware.

The defense recommendations highlight the use of timely patch application, comprehensive logging, and network segmentation.

Additionally, it is recommended to disable unused ports and services, use web application firewalls (WAFs), enforce the principle of least privilege, use multi-factor authentication (MFA) for remote access services, and replace end-of-life (EoL) equipment.

Replacing EoL edge networking gear is a priority because these devices are meant to be publicly exposed, and once they no longer receive patches they become a valuable target for all types of threat actors.
