Chinese APT40 threat group targets end-of-life devices, agencies warn

Close allies of the United States have detailed how APT40 is carrying out attacks on decommissioned devices in Australia and warned in a joint statement that the Chinese state-sponsored group poses a threat.

The July 8 alert was issued by security agencies from the United States, Australia, Canada, Germany, Japan, New Zealand, South Korea, and the United Kingdom. The U.S. agencies on the list include the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA).

Most notably, the agencies found that as early as 2017 APT40 was able to rapidly turn proof-of-concept (PoC) code for new vulnerabilities into working exploits and deploy them immediately against its targets, typically networks containing decommissioned devices.

The group has exploited recently disclosed vulnerabilities in widely used software such as Log4j (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084), and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473).

The agencies said they expect APT40 to keep using PoC code against newly disclosed vulnerabilities within hours or days of its release. They also said APT40 prefers exploiting vulnerable, publicly accessible infrastructure over techniques that require user interaction, such as phishing campaigns, and that it aims to obtain valid credentials in order to carry out a range of follow-on actions.

“The speed at which APT40 is exploiting new vulnerabilities is definitely concerning,” said Tal Mandel Bar, product manager at DoControl. “They’re essentially weaponizing PoC code almost as quickly as it’s released. That puts a lot of pressure on security teams to get fixes out quickly.”

Bar added that the focus on public infrastructure is interesting because it shows that APT40 will look for the path of least resistance: Why bother with complicated phishing campaigns when you can just exploit vulnerabilities directly?

“For security teams, this really highlights the importance of patching quickly, especially for internet-facing systems,” Bar said. “You can’t afford to wait when APT40 can exploit a new vulnerability in a matter of hours.”

Darren Guccione, co-founder and CEO of Keeper Security, added that multi-factor authentication and regular audits of privileged accounts are essential to counteract APT40’s focus on compromised credentials. Teams must also employ network segmentation and continuous monitoring, which Guccione said will help detect breaches early.

“In addition, having a solid incident response plan and regular drills can ensure teams are prepared for cyber threats,” Guccione said. “Because this group regularly exploits vulnerable, decommissioned, or unmaintained devices—including vulnerabilities dating back to 2017—organizations need to regularly update their software and apply patches as soon as vulnerabilities are disclosed. Devices that are no longer maintained or cannot be patched quickly should be taken offline.”