The threat group has long been after administrative credentials and privileged access, and it found both in recent attacks on two local organisations.
State-sponsored APT40 has been on the radar of governments, agencies and cyber security teams for a number of years. The Chinese group – known by at least 12 other codenames – has been around since 2009.
Its modus operandi is fairly well understood, employing “a variety of tactics and techniques and a large library of custom and open-source malware to … establish persistence, escalate privileges, map, and move laterally on victim networks”.
Credential protection and privilege management have always been a key part of the defensive toolkit against APT40, with the US Cybersecurity and Infrastructure Security Agency (CISA) recommending in 2021 that organisations “strengthen credential requirements, regularly change passwords, implement multifactor authentication to protect individual accounts, enforce the principle of least privilege” and monitor traffic “to detect when a user maps a privileged administrative share on a Windows system”, among other mitigations.
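As an added illustration of the CISA monitoring advice quoted above (example code, not from the original article or any of the agencies cited), the following Python flags access to Windows administrative shares in constructed Security Event ID 5140 ("A network share object was accessed") records and summarises which hosts each account reached from an unexpected source. The simplified record layout and the allow-listed jump-host address are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed records shaped like Windows Security Event ID 5140 ("A network
# share object was accessed"); "Computer" is the host that logged the event.
SAMPLE_EVENTS = [
    {"EventID": 5140, "Computer": "FS01", "SubjectDomainName": "CORP",
     "SubjectUserName": "jsmith", "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\Finance"},
    {"EventID": 5140, "Computer": "FS01", "SubjectDomainName": "CORP",
     "SubjectUserName": "jsmith", "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\C$"},
    {"EventID": 5140, "Computer": "WS17", "SubjectDomainName": "CORP",
     "SubjectUserName": "jsmith", "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 4624, "Computer": "WS17", "SubjectDomainName": "CORP",
     "SubjectUserName": "jsmith", "IpAddress": "10.0.5.23"},  # a logon, not a share event
    {"EventID": 5140, "Computer": "WS17", "SubjectDomainName": "CORP",
     "SubjectUserName": "adm-ops", "IpAddress": "10.0.1.10", "ShareName": "\\\\*\\ADMIN$"},
]

# Administrative shares: ADMIN$ and the drive-letter shares (C$, D$, ...).
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)

# Assumed allow-list of source addresses from which admin-share use is expected
# (e.g. a PAM jump host); the address is a hypothetical value for this example.
EXPECTED_ADMIN_SOURCES = {"10.0.1.10"}


def is_admin_share(share_name):
    return bool(ADMIN_SHARE.match(share_name))


def find_admin_share_mappings(events, expected_sources=EXPECTED_ADMIN_SOURCES):
    """One finding per 5140 event on an administrative share; severity is
    'high' unless the source address is an expected admin host."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5140 or not is_admin_share(ev.get("ShareName", "")):
            continue
        findings.append({
            "user": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
            "source": ev["IpAddress"], "target": ev["Computer"], "share": ev["ShareName"],
            "severity": "info" if ev["IpAddress"] in expected_sources else "high",
        })
    return findings


def hosts_reached_per_user(findings):
    """Distinct hosts whose admin shares each account touched from an unexpected
    source: one account fanning out across hosts is the lateral-movement pattern."""
    reached = defaultdict(set)
    for f in findings:
        if f["severity"] == "high":
            reached[f["user"]].add(f["target"])
    return {user: sorted(hosts) for user, hosts in reached.items()}
```

Real deployments would feed these functions from the collected Security log rather than an inline list and tune the allow-list to the organisation's own PAM or jump hosts.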
While organisations in Australia have previously been targeted by APT40, warnings around the group’s activities against Australian targets were significantly escalated in early July.
The reason for this was an observable increase in activity: as the Australian Signals Directorate (ASD) declared, “APT40 is actively conducting regular reconnaissance against networks of interest in Australia, looking for opportunities to compromise its targets”.
Authorities backed this up with two case study examples of anonymised Australian firms that fell victim to APT40 tradecraft.
In one example, the group gained corporate network access via a compromised device at someone’s home before mapping out the network and accessing and exfiltrating data. The most prized stolen data was “privileged authentication credentials”. As ASD surmised, having legitimate and privileged credentials significantly aided APT40’s cause; few other tools were needed to execute its attack.
In the second example, the point of entry was a compromised internet-facing server, through which the organisation’s remote access system could be accessed. Once in, the pattern of the attackers was again the same: gain persistence, escalate the attack, and steal data. And, once more, privileged access was sought. There was evidence of the “collection of several hundred genuine username and password pairs” and of “technical artefacts which may have allowed a malicious actor to access a virtual desktop infrastructure (VDI) session as a legitimate user – possibly as a user of their choice, including administrators”.
A focus on privilege
One of the key reasons that APT40 – and many other threat actors – are successful is their ability to find paths to privilege in a compromised environment. Environments where privileged accounts and secrets are not properly secured will continue to be highly vulnerable to these and other threat actors.
As these attacks show, threat actors have a number of creative ways to obtain the privilege and access they need. Staying ahead of the threats, no matter where they originate, therefore requires visibility into where privileged identities exist in the environment, the ability to manage and protect them, and the ability to uncover abuse and misconfigurations that grant access to privilege.
Specifically, on APT40, the group’s preference for exploiting public-facing infrastructure and obtaining valid and privileged credentials means that following least privilege principles to control the access and the “blast radius” of compromised identities is a key and effective mitigation available to Australian organisations.
Following the ASD’s own Essential Eight prioritised list of cyber security risk mitigation strategies – which are designed to harden an organisation’s cyber defences against the most common attack vectors – is a good starting point for mitigating risks posed by the activities of APT40.
Essential Eight controls, such as patching systems, restricting administrative privileges, and implementing application control and multifactor authentication (MFA) on accounts, are all valuable preventative actions to take in this context.
However, Essential Eight initiatives can be complex to implement in a way that significantly raises the maturity of an organisation’s environment against advanced persistent threat groups and other adversaries.
Reining in privileged access
Many organisations navigate the complexities of Essential Eight adoption with the support of a Privileged Access Management (PAM) platform to manage, monitor, and audit every privilege and privileged session.
PAM can be utilised to assign just-in-time privileges to approved applications, scripts, tasks, and commands across both endpoints and servers; to limit access to operating systems and applications based on user duties using the concept of least privilege while regularly revalidating the need for privileges; and to support the removal of local admin rights without impacting user productivity.
In addition, through a PAM platform, organisations have secure access control, auditing, alerting and recording of any privileged account. This is important because, as the ASD noted, a commonality in its investigations of APT40 “is a lack of comprehensive and historical logging information across a number of areas”, which hampered “the effectiveness and speed of investigative efforts”. No organisation or forensics team wants to be dealing with APT40, especially without adequate logs.
Given the renewed threat posed by APT40 in Australia, organisations should take the opportunity to reassess their cyber security posture and defensive strategies. Some additional fortifications and a focus on least privilege can play a role in mitigating the risk posed by APT40 and similar adversaries, safeguarding organisational assets, and maintaining operational integrity.