People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action

Executive Summary

This report details the findings of the ASD’s ACSC investigation into the successful compromise of the organization’s network between July and September 2022. This investigative report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.

In mid-August, the ASD’s ACSC notified the organization of malicious interactions with their network from a likely compromised device being used by the group in late August and, with the organization’s consent, the ASD’s ACSC deployed host-based sensors to likely affected hosts on the organization’s network. These sensors allowed ASD’s ACSC incident response analysts to undertake a thorough digital forensics investigation. Using available sensor data, the ASD’s ACSC analysts successfully mapped the group’s activity and created a detailed timeline of observed events.

From July to August, key actor activity observed by the ASD’s ACSC included:

• Host enumeration, which enables an actor to build their own map of the network;
• Web shell use, giving the actor an initial foothold on the network and a capability to execute commands; and
• Deployment of other tooling leveraged by the actor for malicious purposes.

The investigation uncovered evidence of large amounts of sensitive data being accessed and evidence that the actors moved laterally through the network [T1021.002]. Much of the compromise was facilitated by the group’s establishment of multiple access vectors into the network, the network having a flat structure, and the use of insecure internally developed software that could be used to arbitrarily upload files. Exfiltrated data included privileged authentication credentials that enabled the group to log in, as well as network information that would allow the actors to regain unauthorized access if the original access vector was blocked. No additional malicious tooling was discovered beyond those on the initially exploited machine; however, a group’s access to legitimate and privileged credentials would negate the need for additional tooling. Findings from the investigation indicate the organization was likely deliberately targeted by APT40, as opposed to falling victim opportunistically to a publicly known vulnerability.

Investigation Findings

In mid-August 2022, the ASD’s ACSC notified the organization that a confirmed malicious IP believed to be affiliated with a state-sponsored cyber group had interacted with the organization’s computer networks between at least July and August. The compromised device probably belonged to a small business or home user.

In late August, the ASD’s ACSC deployed a host-based agent to hosts on the organization’s network which showed evidence of having been impacted by the compromise.

Some artefacts which could have supported investigation efforts were not available due to the configuration of logging or network design. Despite this, the organization’s readiness to provide all available data enabled ASD’s ACSC incident responders to conduct comprehensive analysis and to form an understanding of likely APT40 activity on the network.

In September, after consultation with the ASD’s ACSC, the organization decided to denylist the IP identified in the initial notification. In October, the organization commenced remediation.

Details

Beginning in July, actors were able to test and exploit a custom web application [T1190] running on <webapp>2-ext, which enables the group to establish a foothold in the network demilitarized zone (DMZ). This was leveraged to enumerate both the network as well as all visible domains. Compromised credentials [T1078.002] were used to query the Active Directory [T1018] and exfiltrate data by mounting file shares [T1039] from multiple machines within the DMZ. The actor carried out a Kerberoasting attack in order to obtain valid network credentials from a server [T1558.003]. The group were not observed gaining any additional points of presence in either the DMZ or the internal network.

Visual Timeline

The below timeline provides a broad overview of the key phases of malicious actor activity observed on the organization’s network.

Detailed Timeline

July: The actors established an initial connection to the front page of a custom web application [T1190] built for the organization (hereafter referred to as the “web application” or “webapp”) via a transport layer security (TLS) connection [T1102]. No other noteworthy activity was observed.

July: The actors begin enumerating the web application’s website looking for endpoints[2] to further investigate.

July: The actors concentrate on attempts to exploit a specific endpoint.

July: The actors are able to successfully POST to the web server, probably via a web shell placed on another page. A second IP, likely employed by the same actors, also begins posting to the same URL. The actors created and tested a number of likely web shells. 

The exact method of exploitation is unknown, but it is clear that the specific endpoint was targeted to create files on <webapp>2-ext.

ASD's ACSC believes that the two IP address connections were part of the same intrusion due to their shared interest and initial connections occurring minutes apart.

July: The group continue to conduct host enumeration, looking for privilege escalation opportunities, and deploying a different web shell. The actors log into the web application using compromised credentials for <firstname.surname>@<organisation domain>.

The actors’ activity does not appear to have successfully achieved privilege escalation on <webapp>2-ext. Instead, the actors pivoted to network-based activity.

July: The actor tests the compromised credentials for a service account[3] which it likely found hardcoded in internally accessible binaries.

July: The actors deploy the open-source tool Secure Socket Funnelling, which was used to connect out to the malicious infrastructure. This connection is employed to tunnel traffic from the actor's attack machines into the organization’s internal networks, whose machine names are exposed in event logs as they attempt to use the credentials for the service account.

August: The actors are seen conducting a limited amount of activity, including failing to establish connections involving the service account.

August: The actors perform significant network and Active Directory enumeration. A different compromised account is subsequently employed to mount shares[4] on Windows machines within the DMZ, enabling successful data exfiltration.

This seems to be opportunistic usage of a stolen credential on mountable machines in the DMZ. Firewalls blocked the actor from targeting the internal network with similar activity.

August – September: The SSF tool re-established a connection to a malicious IP. The group are not observed performing any additional activities until their access is blocked.

September: The organization blocks the malicious IP by denylisting it on their firewalls.

Actor Tactics and Techniques

The MITRE ATT&CK framework is a documented collection of tactics and techniques employed by threat actors in cyberspace. The framework was created by U.S. not-for-profit The MITRE Corporation and functions as a common global language around threat actor behavior.

The ASD’s ACSC assesses the following techniques and tactics to be relevant to the actor’s malicious activity:

Reconnaissance

T1594 – Search Victim-Owned Websites

The actor enumerated the custom web application’s website to identify opportunities for accessing the network.

Initial Access

T1190 – Exploit Public-Facing Application (regarding exploiting the custom web application)

T1078.002 – Valid Accounts: Domain Accounts (regarding logging on with comprised credentials)

Exploiting internet-exposed custom web applications provided an initial point of access for the actor. The actor was later able to use credentials they had compromised to further their access to the network.

Execution

T1059 – Command and Scripting Interpreter (regarding command execution through the web shell)

T1072 – Software Deployment Tools (regarding the actor using open-source tool Secure Socket Funnelling (SSF) to connect to an IP)

Persistence

T1505.003 – Server Software Component: Web Shell (regarding use of a web shell and SSF to establish access)

Credential Access

T1552.001 – Credentials from Password Stores (regarding password files relating to building management system [BMS])

T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting (regarding attack to gain network credentials)

Lateral movement

T1021.002 – Remote Services: SMB Shares (regarding the actor mounting SMB shares from multiple devices)

Collection

T1213 – Data from Information Repositories (regarding manuals/documentation found on the BMS server)

Exfiltration

T1041 – Exfiltration Over C2 Channel (regarding the actor’s data exfiltration from Active Directory and mounting shares)

Case Study 2

This report has been anonymized to enable wider dissemination. The impacted organization is hereafter referred to as “the organization.” Some specific details have been removed to protect the identity of the victim and incident response methods of ASD’s ACSC.

Executive Summary

This report details the findings of ASD’s ACSC investigation into the successful compromise of the organization’s network in April 2022. This investigation report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.

In May 2022, ASD’s ACSC notified an organization of suspected malicious activity impacting the organization’s network since April 2022. Subsequently, the organization informed ASD's ACSC that they had discovered malicious software on an internet‑facing server which provided the login portal for the organization’s corporate remote access solution. This server used a remote access login and identity management product and will be referred to in this report as 'the compromised appliance'. This report details the investigation findings and remediation advice developed for the organization in response to the investigation conducted by the ASD’s ACSC.

Evidence indicated that part of the organization’s network had been compromised by malicious cyber actor(s) via the organization’s remote access login portal since at least April 2022. This server may have been compromised by multiple actors, and was likely affected by a remote code execution (RCE) vulnerability that was widely publicized around the time of the compromise.

Key actor activity observed by the ASD’s ACSC included:

• Host enumeration, which enables an actor to build their own map of the network;
• Exploitation of internet-facing applications and web shell use, giving the actor an initial foothold on the network and a capability to execute commands;
• Exploitation of software vulnerabilities to escalate privileges; and
• Credential collection to enable lateral movement.

The ASD’s ACSC discovered that a malicious actor had exfiltrated several hundred unique username and password pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication codes and technical artefacts related to remote access sessions. Upon a review by the organization, the passwords were found to be legitimate. The ASD’s ACSC assesses that the actor may have collected these technical artefacts to hijack or create a remote login session as a legitimate user, and access the organization’s internal corporate network using a legitimate user account.

Investigation Summary

The ASD’s ACSC determined that the actor compromised appliance(s) which provide remote login sessions for organization staff and used this compromise to attempt to conduct further activity. These appliances consist of three load-balanced hosts where the earliest evidence of compromise was detected. The organization shut down two of the three load-balanced hosts shortly after the initial compromise. As a result, all subsequent activity occurred on a single host. The other servers associated with the compromised appliance were also load-balanced in a similar manner. For legibility, all compromised appliances are referred to in most of this report as a “single appliance.”

The actor is believed to have used publicly known vulnerabilities to deploy web shells to the compromised appliance from April 2022 onwards. Threat actors from the group are assessed to have attained escalated privileges on the appliance. The ASD’s ACSC could not determine the full extent of the activity due to lack of logging availability. However, evidence on the device indicates that an actor achieved the following:

• The collection of several hundred genuine username and password pairs; and
• The collection of technical artefacts which may have allowed a malicious actor to access a virtual desktop infrastructure (VDI) session as a legitimate user.

The ASD’s ACSC assesses that the actor would have sought to further the compromise of the organisation network. The artefacts exfiltrated by the actor may have allowed them to hijack or initiate virtual desktop sessions as a legitimate user, possibly as a user of their choice, including administrators. The actor may have used this access vector to further compromise organization services to achieve persistence and other goals.

Other organization appliances within the hosting provider managed environment did not show evidence of compromise.

Access

The host with the compromised appliance provided authentication via Active Directory and a webserver, for users connecting to VDI sessions [T1021.001].

The appliance infrastructure also included access gateway hosts that provide a tunnel to the VDI for the user, once they possess an authentication token generated and downloaded from the appliance.

There was no evidence of compromise of any of these hosts. However, the access gateway hosts logs showed evidence of significant interactions with known malicious IP addresses. It is likely that this reflected activity that occurred on this host, or network connections with threat actor infrastructure that reached this host. The nature of this activity could not be determined using available evidence but indicates that the group sought to move laterally in the organization’s network [TA0008].

Internal Hosts

The ASD’s ACSC investigated limited data from the internal organization’s network segment. Attempted or successful malicious activity known to have impacted the internal organization’s network segment includes actor access to VDI-related artefacts, the scraping of an internal SQL server [T1505.001], and unexplained traffic observed going from known malicious IP addresses through the access gateway appliances [TA0011].

Using their access to the compromised appliance, the group collected genuine usernames, passwords [T1003], and MFA token values [T1111]. The group also collected JSON Web Tokens (JWTs) [T1528], which is an authentication artefact used to create virtual desktop login sessions. The actor may have been able to use these to create or hijack virtual desktop sessions [T1563.002] and access the internal organization network segment as a legitimate user [T1078].

The actor also used access to the compromised appliance to scrape an SQL server [T1505.001], which resided in the organization’s internal network. It is likely that the actor had access to this data.

Evidence available from the access gateway appliance revealed that network traffic occurred through or to this device from known malicious IP addresses. As described above, this may indicate that malicious cyber actors impacted or utilized this device, potentially to pivot into the internal network.

Investigation Timeline

The below list provides a timeline of key activities discovered during the investigation.

Actor Tactics and Techniques

Highlighted below are several tactics and techniques identified during the investigation.

Initial access

T1190 Exploit public facing application

The group likely exploited RCE, privilege escalation, and authentication bypass vulnerabilities in the remote access login and identity management product to gain initial access to the network.

This initial access method is considered the most likely due to the following:

• The server was vulnerable to these CVEs at the time;
• Attempts to exploit these vulnerabilities from known actor infrastructure; and
• The first known internal malicious activity occurred shortly after attempted exploitation attempts were made.

Execution

T1059.004 Command and Scripting Interpreter: Unix Shell

The group successfully exploited the above vulnerabilities may have been able to run commands in a Unix shell available on the affected appliance.

Complete details of the commands run by actors cannot be provided as they were not logged by the appliance.

Persistence

T1505.003 Server Software Component: Web Shell

Actors deployed several web shells on the affected appliance. It is possible that multiple distinct actors deployed web shells, but that only a smaller number of actors conducted activity using these web shells.

Web shells would have allowed for arbitrary command execution by the actor on the compromised appliances.

Privilege escalation

T1068 Exploitation for Privilege Escalation

Available evidence does not describe the level of privilege attained by actors. However, using web shells, the actors would have achieved a level of privilege comparable to that of the web server on the compromised appliance. Vulnerabilities believed to have been present on the compromised appliance

would have allowed the actors to attain root privileges.

Credential access

T1056.003 Input Capture: Web Portal Capture

Evidence on the compromised appliance showed that the actor had captured several hundred username-password pairs, in clear text, which are believed to be legitimate. It is likely that these were captured using some modification to the genuine authentication process which output the credentials to a file.

T1111 Multi-Factor Authentication Interception The actor also captured the value of MFA tokens

corresponding to legitimate logins. These were likely captured by modifying the genuine authentication process to output these values to a file. There is no evidence of compromise of the “secret server’ which stores the unique values that provide for the security of MFA tokens.

T1040 Network Sniffing

The actor is believed to have captured JWTs by capturing HTTP traffic on the compromised appliance. There is evidence that the utility tcpdump was executed on the compromised appliance, which may have been how the actor captured these JWTs.

T1539 Steal Web Session Cookie

As described above, the actor captured JWTs, which are analogous to web session cookies. These could have been reused by the actor to establish further access.

Discovery

T1046 Network Service Discovery

There is evidence that network scanning utility nmap was executed on the compromised appliance to scan other appliances in the same network segment. This was likely used by the actor to discover other reachable network services which might present opportunities for lateral movement.

Collection

Available evidence does not reveal how actors collected data or exactly what was collected from the compromised appliance or from other systems. However, it is likely that actors had access to all files on the compromised appliance, including the captured credentials [T1003], MFA token values [T1111], and JWTs described above.

Command and Control

T1071.001 Application Layer Protocol: Web Protocols

Actors used web shells for command and control. Web shell commands would have been passed over HTTPS using the existing web server on the appliance [T1572].

T1001.003 Data Obfuscation: Protocol Impersonation

Actors used compromised devices as a launching point for attacks that are designed to blend in with legitimate traffic.

Detection and mitigation recommendations

The ASD’s ACSC strongly recommends implementing the ASD Essential Eight Controls and associated Strategies to Mitigate Cyber Security Incidents. Below are recommendations for network security actions that should be taken to detect and prevent intrusions by APT40, followed by specific mitigations for four key TTPs summarized in Table 1.

Detection

Some of the files identified above were dropped in locations such as C:\Users\Public\* and C:\Windows\ Temp\*. These locations can be convenient spots for writing data as they are usually world writable, that is, all user accounts registered in Windows have access to these directories and their subdirectories. Often, any user can subsequently access these files, allowing opportunities for lateral movement, defense evasion, low-privilege execution and staging for exfiltration.

The following Sigma rules look for execution from suspicious locations as an indicator of anomalous activity. In all instances, subsequent investigation is required to confirm malicious activity and attribution.

Mitigations

Logging

During ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs.

ASD’s ACSC recommends reviewing and implementing their guidance on Windows Event Logging and Forwarding including the configuration files and scripts in the Windows Event Logging Repository and the Information Security Manual’s Guidelines for System Monitoring, to include centralizing logs and retaining logs for a suitable period.

Patch Management

Promptly patch all internet exposed devices and services, including web servers, web applications, and remote access gateways. Consider implementing a centralized patch management system to automate and expedite the process. ASD’s ACSC recommend implementation of the ISM’s Guidelines for System Management, specifically, the System Patching controls where applicable.

Most exploits utilized by the actor were publicly known and had patches or mitigations available.

Organizations should ensure that security patches or mitigations are applied to internet facing infrastructure within 48 hours, and where possible, use the latest versions of software and operating systems.

Network Segmentation

Network segmentation can make it significantly more difficult for adversaries to locate and gain access to an organizations sensitive data. Segment networks to limit or block lateral movement by denying traffic between computers unless required. Important servers such as Active Directory and other authentication servers should only be able to be administered from a limited number of intermediary servers or “jump servers.” These servers should be closely monitored, be well secured and limit which users and devices are able to connect to them.

Regardless of instances identified where lateral movement is prevented, additional network segmentation could have further limited the amount of data the actors were able to access and extract.

Additional Mitigations

The authoring agencies also recommend the following mitigations to combat APT40 and others’ use of the TTPs below.

• Disable unused or unnecessary network services, ports and protocols.
• Use well-tuned Web application firewalls (WAFs) to protect webservers and applications.
• Enforce least privilege to limit access to servers, file shares, and other resources.
• Use multi-factor authentication (MFA) and managed service accounts to make credentials harder to crack and reuse. MFA should be applied to all internet accessible remote access services, including:
  • Web and cloud-based email;
  • Collaboration platforms;
  • Virtual private network connections; and
  • Remote desktop services.
• Replace end-of-life equipment.

For additional general detection and mitigation advice, please consult the Mitigations and Detection sections on the MITRE ATT&CK technique web page for each of the techniques identified in the MITRE ATT&CK summary at the end of this advisory.

Reporting

Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories.

Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.

New Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.

United Kingdom organizations: report a significant cyber security incident at National Cyber Security Centre (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

U.S. organizations: report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office, the FBI’s 24/7 CyWatch at (855) 292-3937, or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

MITRE ATT&CK – Historical APT40 Tradecraft of Interest

Notes