Connect with us

Tech News

Chinese spies target vulnerable home office kit to run cyber attacks

Published

on

Chinese spies target vulnerable home office kit to run cyber attacks

The APT40 group, backed by China, has been actively targeting new victims by exploiting vulnerabilities in small office and home office (SoHo) networking devices for command and control (C2) activity during their attacks. This information comes from an international alert issued by the Five Eyes allied cyber agencies from Australia, Canada, New Zealand, the UK and the US, along with partner bodies from Germany, Japan, and South Korea.

The Australian Cyber Security Centre (ACSC) stated that APT40 has targeted networks in Australia and globally using compromised SoHo devices. In two case studies published by the Australian authorities, APT40 used SoHo devices as operational infrastructure and redirectors during attacks, making their activity somewhat easier to track.

SoHo networking devices are easier targets for malicious actors compared to large enterprise equivalents. Many of these devices are end-of-life or unpatched, offering a soft target for exploitation. Once compromised, they provide a launching point for attacks to blend in with legitimate traffic and challenge network defenders.

APT40 occasionally uses procured or leased infrastructure as victim-facing C2 infrastructure, but this technique seems to be declining. The ACSC shared details of an APT40 cyber attack in August 2022, where a malicious IP interacted with the target network using a device likely belonging to a small business or home user.

Mohammed Kazem, senior threat intelligence researcher at WithSecure, highlighted the continuous evolution of Chinese government/state-sponsored cyber operations. He noted the trend among PRC actors to target edge devices via exploitation and leverage compromised devices for stealthier operations.

Noteworthy threat

APT40, also known as Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk, is a highly active group likely based in Haikou, Hainan Province, China. Tasked by the Hainan State Security Department of China’s Ministry of State Security (MSS), APT40 was involved in cyber attacks in 2021, targeting various sectors.

See also  Leaked VR Controllers From Valve Revive Hope for a Next-gen 'Deckard' VR Headset

The group stole intellectual property and information for China’s state-owned enterprises, making it a significant threat due to its advanced capabilities and exploitation of new vulnerabilities.

APT40 is known for targeting public-facing infrastructure, exploiting widespread vulnerabilities like Log4j, and obtaining valid credentials for attacks.

Mitigating an APT40 intrusion

Defenders should prioritize keeping up-to-date logging, prompt patch management, and implementing network segmentation to mitigate APT40 intrusions. Other recommended steps include disabling unused network services, implementing web application firewalls, enforcing least privilege policies, using multifactor authentication, replacing end-of-life equipment, and reviewing custom applications for exploitable functionality.

Trending