APT40 and cyber espionage attacks

APT40 and cyber espionage

By Nathalia Ordonio Magalhaes Palmeira

CISA released an alert about the APT40 group, which has been active for over 10 years and has been responsible for several espionage attacks. In this post, I have gathered information on the group's attack methods and on mitigations, in order to raise the level of protection against, and detection of, possible attacks.

Overview: APT40 Group

APT40 is a group located in Haikou, Hainan Province, People's Republic of China, and has been active since at least 2009 in support of China's naval modernisation effort. It targets government organisations, companies and universities in a wide range of industries, including biomedical, robotics and maritime research - in the United States, Canada, Europe, the Middle East and the South China Sea area - as well as industries connected to China's Belt and Road Initiative.

FireEye believes APT40 is a Chinese state-sponsored cyber espionage operation because the group's targets are consistent with Chinese state interests and there are several technical artifacts indicating that the group is based in China. Analysis of the operational times of the group's activities indicates that it is likely centred on China Standard Time (UTC +8). In addition, several APT40 command and control (C2) domains were initially registered by China-based domain resellers and had Whois records with location information in China, suggesting a China-based infrastructure acquisition process.

In addition, APT40 also used various IP addresses located in China to conduct its operations. In one case, a log file retrieved from an open indexed server revealed that an IP address 112.66.188.28 located in Hainan, China, had been used to administer command and control that was communicating with malware on victim machines. All logins to this C2 came from computers configured with Chinese language settings.

Additionally, a self-styled group called Intrusion Truth, which performs doxing¹ of Chinese hackers, published information on its blog pointing to the group's origin in Hainan. According to them, "APT groups in China have a common design: hired hackers and specialists, front companies and an intelligence officer. We know that several areas of China each have their own APT." They claim to have identified 13 different (front) companies with identical job advertisements, contact details and office locations, all recruiting people with offensive hacking skills. "Although it was difficult to find people working for these companies, we identified several individuals and concluded that this network of companies was actually APT40," the group writes.

The United States Department of Justice published, on July 19, 2021, an indictment against 4 individuals the country believes to be part of APT40. According to the document, the group used anonymity services such as The Onion Router (Tor) to access malware on victims' networks and manage their infrastructure, including servers, domains and email accounts. The group also attempted to obscure its hacking activities through other services. For example, it used GitHub to store malware and stolen data, hidden through steganography. It also used Dropbox Application Programming Interface (API) keys in commands to upload stolen data directly to Dropbox accounts controlled by the group, to make the exfiltration appear to network defenders as a legitimate use of the Dropbox service by an employee.

  • ¹ doxing: the action of revealing information that identifies someone on the Internet, such as their real name, address, telephone number, financial details and other personal information. This information is then made publicly available on the Internet, for general knowledge and without any authorisation from the victim.

Initial Compromise

APT40 has been observed using a variety of techniques for initial compromise, including web server exploitation, phishing campaigns delivering custom and publicly available backdoors, and strategic web compromises.

In phishing attacks, the group usually poses as an individual likely to be of interest to the victim when sending malicious emails. This includes posing as a journalist, a representative of a trade publication, or someone from a military organisation or a relevant non-governmental organisation (NGO). In some cases, the group has used previously compromised email addresses to send spear-phishing emails, which typically carry malicious attachments, although Google Drive links have also been reported. The group also makes use of exploits in its phishing operations, often taking advantage of vulnerabilities within days of their disclosure.

APT40 has been observed using malware from at least 51 different code families. Of these, 37 are non-public. At least seven of these non-public tools (BADSIGN, FIELDGOAL, FINDLOCK, PHOTO, SCANBOX, SOGU and WIDETONE) are shared with other groups suspected of having a connection to China.

Establishing Continuous Access

APT40 uses a variety of malware and tools to establish its access, many of which are publicly available or used by other threat groups. In some cases, the group has used executables with code signing certificates to avoid detection.

  • First-stage backdoors such as AIRBREAK, FRESHAIR and BEACON are used before other payloads are downloaded;
  • PHOTO, BADFLICK and CHINA CHOPPER are among the most frequently observed backdoors used by APT40;
  • The group often targets VPN and remote desktop credentials to establish a foothold on the victim's network.

Escalation of Privileges

APT40 uses a combination of custom and publicly available credential-gathering tools to escalate privileges and obtain password hashes. The group also uses custom credential-stealing utilities such as HOMEFRY, a password dumper/cracker used in conjunction with the AIRBREAK and BADFLICK backdoors. In addition, the Windows Sysinternals ProcDump utility and the Windows Credential Editor (WCE) are also believed to be used during intrusions.

Internal Reconnaissance

Logging into other systems with compromised credentials is part of this reconnaissance. The group also takes advantage of RDP, SSH and legitimate software already present in the victim's environment, and a variety of native Windows features, publicly available tools and custom scripts are also used at this stage to facilitate internal reconnaissance.

  • APT40 used MURKYSHELL in one organisation to scan IP addresses and conduct network enumeration;
  • APT40 often uses native Windows commands, such as net.exe, to perform internal reconnaissance of the victim's environment;
  • Web shells are widely used in almost every stage of the attack lifecycle. Internal web servers are often not configured with the same security controls as external, public-facing servers, making them more vulnerable to exploitation by groups like APT40.

Lateral Movement

APT40 uses many methods for lateral movement within an environment, including custom scripts, web shells and tunnelling tools, as well as the Remote Desktop Protocol (RDP). On each newly compromised system, the group typically executes malware, performs additional reconnaissance and steals data.

  • They also use native Windows utilities such as at.exe (a task scheduler) and net.exe (a network resource management tool) for lateral movement;
  • Although MURKYTOP is primarily a command-line reconnaissance tool, it can also be used for lateral movement;
  • APT40 also uses publicly available brute force tools and a custom utility called DISHCLOTH to attack different protocols and services.

Maintaining Presence

APT40 primarily uses backdoors, including web shells, to maintain a presence within the victim's environment. These tools allow continuous control of key systems on the target network.

  • APT40 strongly prefers web shells to maintain presence, especially publicly available tools;
  • The tools used during the "Establishing Continuous Access" phase also continue to be used in this phase; this includes AIRBREAK and PHOTO;
  • Some malware tools used by the group can evade typical detection by taking advantage of legitimate sites such as GitHub, Google and Pastebin for initial C2 communications;
  • The common TCP ports 80 and 443 are used to blend in with routine network traffic.

Completing the Mission

Because the group's main objective is information gathering, the final phase of an intrusion may involve transferring files across multiple systems to their final destination. APT40 has been observed collecting files from victims' networks and using rar.exe to compress and encrypt the data before exfiltration. It has also been reported to use a tool developed by APT40 itself, PAPERPUSH, to make data theft more effective.

Information on APT40's tactics and techniques in the MITRE ATT&CK® framework can be found on the group's ATT&CK page (G0065, listed in the References).

Mitigation

To assist in the protection and defence of enterprise networks and to help security professionals identify and remediate APT40 intrusions, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recommend the following practices in their advisory:

Network - Defence in Depth

Proper network defence in depth and adherence to information security best practices can help mitigate the threat and reduce risk.

Patch and vulnerability management

  • Install vendor-supplied and vendor-verified patches on all systems for critical vulnerabilities, prioritising patches for Internet-connected servers and Internet data processing software - such as web browsers, browser plug-ins and document readers;
  • Ensure that appropriate mitigation steps or compensating controls are in place for vulnerabilities that cannot be fixed in a timely manner;
  • Keep signatures and antivirus mechanisms up to date;
  • Routinely audit configuration and patch management programs to ensure the ability to track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hinder the sophisticated operations of cyber threat actors and protect information resources and systems.

Protecting credentials

  • Strengthen credential requirements, regularly change passwords and implement multi-factor authentication to protect individual accounts, especially for webmail and VPN access and for accounts accessing critical systems. Do not reuse passwords for multiple accounts;
  • Audit all remote authentications from trusted networks or service providers. Detect mismatches by correlating credentials used on internal networks with those employed on external systems;
  • Log the use of system administrator commands such as net, ipconfig and ping;
  • Apply the principle of least privilege.

Hygiene and network monitoring

  • Actively scan and monitor applications accessible from the Internet for unauthorized access, modification and anomalous activity;
  • Actively monitor server disk usage and audit for significant changes;
  • Log DNS queries and consider blocking all outbound DNS requests that do not originate from approved DNS servers. Monitor DNS queries for C2 over DNS;
  • Develop and monitor network and system baselines to enable identification of anomalous activity. Audit logs for suspicious behaviour;
  • Identify and suspend access to users exhibiting unusual activities;
  • Use an allow list or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system;
  • Use multisource threat reputation services for files, DNS, URLs, IP addresses and email addresses;
  • Network device management interfaces - such as Telnet, Secure Shell (SSH), Winbox and HTTP - should be turned off on wide area network (WAN) interfaces and protected with strong passwords and encryption when enabled;
  • When possible, segregate critical information onto air-gapped systems. Use strict access control measures for critical data.
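The following is an added example, not code from the original post or from the FBI/CISA advisory. It implements two of the recommendations above in working detection logic: the "Protecting credentials" item on logging administrator commands such as net, ipconfig and ping, and the "Hygiene and network monitoring" item on detecting when a user maps a privileged administrative share. It runs over constructed Windows Security log records (Event ID 5140, "A network share object was accessed", and Event ID 4688, "A new process has been created"); the field names follow the Windows Security log, while the accounts, hosts, IP addresses and the allow list of service accounts are made up for the example.

```python
"""Added example (not from the original post or the CISA advisory): detection
logic for two of the monitoring recommendations, run over constructed Windows
Security log records.

  * Event ID 5140 ("A network share object was accessed"): flag access to the
    privileged administrative shares ADMIN$, C$ and IPC$ by any account that is
    not on an allow list, and highlight accounts that touch several hosts.
  * Event ID 4688 ("A new process has been created"): collect executions of the
    administrator commands net, ipconfig and ping so they can be audited.

The field names (SubjectUserName, ShareName, NewProcessName) are the standard
Windows Security log fields; the accounts, hosts and allow list are made up.
"""
from collections import defaultdict
from dataclasses import dataclass

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
ADMIN_COMMANDS = {"net.exe", "net1.exe", "ipconfig.exe", "ping.exe"}

# Hypothetical service accounts that are expected to map admin shares
# (patch deployment, backups); anything else mapping them deserves a look.
SHARE_ALLOWLIST = {"CORP\\svc_sccm", "CORP\\svc_backup"}


@dataclass
class SecurityEvent:
    event_id: int
    subject_user: str      # SubjectUserName, DOMAIN\user
    computer: str          # host that logged the event
    share_name: str = ""   # ShareName, e.g. \\*\ADMIN$ (5140 only)
    process: str = ""      # NewProcessName, full path (4688 only)
    source_ip: str = ""    # IpAddress of the client (5140 only)


def _basename(path: str) -> str:
    """Last component of a Windows path or UNC share name."""
    return path.rsplit("\\", 1)[-1]


def find_admin_share_access(events, allowlist=SHARE_ALLOWLIST):
    """5140 events where a non-allow-listed account accessed an admin share."""
    return [
        e for e in events
        if e.event_id == 5140
        and _basename(e.share_name).upper() in ADMIN_SHARES
        and e.subject_user not in allowlist
    ]


def find_admin_command_use(events):
    """4688 events for net/ipconfig/ping, the commands the advisory says to log."""
    return [
        e for e in events
        if e.event_id == 4688 and _basename(e.process).lower() in ADMIN_COMMANDS
    ]


def lateral_movement_candidates(share_hits, min_hosts=2):
    """Accounts whose admin-share access spans at least min_hosts distinct
    computers: one credential fanning out across hosts is the pattern that
    admin-share lateral movement leaves in the logs."""
    hosts_by_user = defaultdict(set)
    for e in share_hits:
        hosts_by_user[e.subject_user].add(e.computer)
    return sorted(u for u, hosts in hosts_by_user.items() if len(hosts) >= min_hosts)


# Constructed sample log records (not real data).
SAMPLE_EVENTS = [
    SecurityEvent(5140, "CORP\\svc_sccm", "WS-101", share_name="\\\\*\\ADMIN$", source_ip="10.0.0.5"),
    SecurityEvent(5140, "CORP\\jdoe", "WS-102", share_name="\\\\*\\C$", source_ip="10.0.5.23"),
    SecurityEvent(5140, "CORP\\jdoe", "WS-103", share_name="\\\\*\\ADMIN$", source_ip="10.0.5.23"),
    SecurityEvent(5140, "CORP\\jdoe", "SRV-FILE01", share_name="\\\\*\\Projects", source_ip="10.0.5.23"),
    SecurityEvent(4688, "CORP\\jdoe", "WS-102", process="C:\\Windows\\System32\\net.exe"),
    SecurityEvent(4688, "CORP\\jdoe", "WS-102", process="C:\\Windows\\System32\\ipconfig.exe"),
    SecurityEvent(4688, "CORP\\asmith", "WS-110", process="C:\\Windows\\System32\\notepad.exe"),
    SecurityEvent(5140, "CORP\\svc_backup", "SRV-DB01", share_name="\\\\*\\C$", source_ip="10.0.0.9"),
]

if __name__ == "__main__":
    share_hits = find_admin_share_access(SAMPLE_EVENTS)
    for e in share_hits:
        print(f"admin share {_basename(e.share_name)} on {e.computer} by {e.subject_user} from {e.source_ip}")
    for e in find_admin_command_use(SAMPLE_EVENTS):
        print(f"admin command {_basename(e.process)} run by {e.subject_user} on {e.computer}")
    print("fan-out accounts:", lateral_movement_candidates(share_hits))
```

On the sample records the allow-listed service accounts are ignored, the ordinary user account that maps C$ and ADMIN$ on two different workstations is reported as a fan-out candidate, and its net.exe and ipconfig.exe executions are listed for audit. In a real deployment the allow list would come from the baseline the advisory recommends building, and the events from a SIEM or Windows Event Forwarding rather than from an in-memory list.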

IOCs - Indicators of Compromise

Domains


MD5 Malware Hashes

Please note: to discover malicious activity, incident response analysts look for indicators of compromise (IOCs) in network- and host-based artifacts and evaluate the results, eliminating false positives during evaluation. For example, some MD5 IOCs in the table below identify legitimate tools - such as PuTTY, cmd.exe, svchost.exe, etc. - as indicators of compromise. Although the tools themselves are not malicious, the APT40 attackers placed and used them in non-standard folders on victims' systems during their intrusion activity. If a legitimate tool is identified by an incident responder, the location of the tool should be evaluated to eliminate false positives or uncover malicious activity.
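As an added example of the triage step the note above describes (this code is not from the original post or the advisory), the script below takes hash-match findings from an IOC sweep and decides, from the file's location rather than from the hash alone, whether a hit on a legitimate tool such as cmd.exe, svchost.exe or PuTTY is an expected install or a binary dropped in a non-standard folder. The expected folders are the usual Windows install locations (an assumption about standard installs); the hosts, paths and the placeholder MD5 values in the sample findings are constructed, not taken from the advisory's table.

```python
"""Added example (not from the original post or the advisory): triage of
hash-based IOC matches on legitimate tools. A hash hit on cmd.exe, svchost.exe
or PuTTY is only interesting if the binary sits outside its normal folder, so
the verdict is decided by the file's location rather than by the hash alone.
The expected folders below are the usual Windows install locations; the sample
findings and the placeholder hashes are constructed.
"""
from pathlib import PureWindowsPath

# Where each legitimate tool normally lives (assumption: standard installs).
EXPECTED_LOCATIONS = {
    "cmd.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "putty.exe": {r"C:\Program Files\PuTTY", r"C:\Program Files (x86)\PuTTY"},
}


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (separator and case)."""
    return str(PureWindowsPath(path)).lower()


def classify(path: str) -> str:
    """Return one of:
    - 'expected_location': legitimate tool in its usual folder (likely a false positive)
    - 'suspicious_location': legitimate tool name in a non-standard folder
    - 'unknown_tool': name not in the legitimate-tool table, so the hash match
      itself is the finding
    """
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in EXPECTED_LOCATIONS:
        return "unknown_tool"
    expected = {_norm(d) for d in EXPECTED_LOCATIONS[name]}
    return "expected_location" if _norm(str(p.parent)) in expected else "suspicious_location"


def triage(findings):
    """findings: iterable of {'host': ..., 'path': ..., 'md5': ...} from an IOC sweep.
    Returns (host, path, verdict) for everything that still needs a human look,
    i.e. everything except legitimate tools found in their expected folder."""
    report = []
    for f in findings:
        verdict = classify(f["path"])
        if verdict != "expected_location":
            report.append((f["host"], f["path"], verdict))
    return report


# Constructed sample findings; "<md5-from-advisory>" stands in for a real hash.
SAMPLE_FINDINGS = [
    {"host": "WS-102", "path": r"C:\Windows\System32\cmd.exe", "md5": "<md5-from-advisory>"},
    {"host": "WS-102", "path": r"C:\Users\Public\Libraries\svchost.exe", "md5": "<md5-from-advisory>"},
    {"host": "SRV-WEB01", "path": r"C:\ProgramData\putty.exe", "md5": "<md5-from-advisory>"},
    {"host": "SRV-WEB01", "path": r"C:\Program Files\PuTTY\putty.exe", "md5": "<md5-from-advisory>"},
    {"host": "WS-103", "path": r"C:\Windows\Temp\update.exe", "md5": "<md5-from-advisory>"},
]

if __name__ == "__main__":
    for host, path, verdict in triage(SAMPLE_FINDINGS):
        print(f"{host}: {path} -> {verdict}")
```

Of the five sample findings, the two legitimate tools in their normal folders are dropped as likely false positives, the svchost.exe under a user profile and the PuTTY binary under ProgramData are reported as suspicious locations, and the hash match on a name not in the table is passed through as a finding in its own right. Comparison is case-insensitive and uses normalised Windows paths, so mixed-case or forward-slash paths from different collection tools are handled the same way.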

Conclusion

While APT40 has focused on countries strategically important to China's Belt and Road Initiative - including Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States and the United Kingdom - Recorded Future, in a 2018 study of the group, also reported scanning and probing of government departments and commercial entities' networks in Mongolia, Kenya and Brazil. Each of these countries is a major investment destination under the Chinese initiative.

This initiative is one of President Xi Jinping's most ambitious projects: it aims to build infrastructure connecting countries in Southeast Asia, Central Asia, the Middle East, Europe and Africa. The project is therefore considered strategic by almost all intelligence agencies, and FireEye describes it as a "driver of regional cyber threat activity".

As China is a trading partner of Brazil, it is important and necessary to understand groups like APT40 that may eventually target Brazil in future attacks.

References

  • https://attack.mitre.org/groups/G0065/
  • https://us-cert.cisa.gov/ncas/alerts/aa21-200a
  • https://us-cert.cisa.gov/ncas/alerts/aa20-275a
  • https://go.recordedfuture.com/hubfs/reports/cta-2018-0816.pdf
  • https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu/
  • https://www.fireeye.com/current-threats/apt-groups.html#apt40
  • https://www.justice.gov/opa/press-release/file/1412921/download
  • https://www.recordedfuture.com/chinese-cyberespionage-operations/
  • https://securityaffairs.co/wordpress/75448/apt/bri-cyber-espionage-china.html
  • https://securityaffairs.co/wordpress/96364/apt/china-linked-apt40-front-companies.html
  • https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html
  • https://www.zdnet.com/article/report-chinese-hacking-group-apt40-hides-behind-network-of-front-companies/
  • https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company/
  • https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion
  • https://us-cert.cisa.gov/sites/default/files/publications/CSA_TTPs-of-Indicted-APT40-Actors-Associated-with-China-MSS-Hainan-State-Security-Department.pdf
  • https://www.vice.com/en/article/wjka84/intrusion-truth-group-doxing-hackers-chinese-intelligence