Author: Christopher Kim
TLP: WHITE
1. Executive Summary
On 19 July 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on the Chinese Advanced Persistent Threat (APT) group APT40, also known as BRONZE MOHAWK, FEVERDREAM, and MUDCARP. The advisory describes the group's tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation recommendations.[1] On the same day, the FBI, CISA, and the National Security Agency (NSA) published a joint advisory on trends they have observed across the cyber espionage activity of various Chinese state-sponsored actors.[2] Both advisories coincide with the White House statement of 19 July attributing to the People's Republic of China (PRC) the contracting of malicious cyber actors who, in early March 2021, conducted cyber espionage operations exploiting zero-day vulnerabilities in Microsoft Exchange Server.[3]
2. Analysis
2.1. APT40
The group known as APT40 has been active since at least 2009 and operates from Haikou, Hainan Province, PRC. It has targeted government organizations, companies, and universities across a range of sectors, including biomedical, robotics, and maritime research, as well as industries tied to China's Belt and Road Initiative. Its targets are spread across the United States, Canada, Europe, the Middle East, and the South China Sea region.
On 19 July, the U.S. Department of Justice (DOJ) announced the indictment of four APT40 members for covertly carrying out malicious computer network exploitation (CNE) activities through a front company, Hainan Xiandun Technology Development Company (Hainan Xiandun). According to the indictment, company employee Wu Shurong took direction from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD) intelligence officers Ding Xiaoyang, Zhu Yunmin, and Cheng Qingmin to steal trade secrets, intellectual property, and other high-value information from companies and government organizations worldwide.
APT40 combines custom attack tools with open-source resources: it gains a foothold in target networks using stolen credentials, moves laterally, and exfiltrates data. CISA has observed the same custom tools in operations associated with other suspected Chinese state-sponsored actors. CISA AA21-200A contains a table mapping APT40's TTPs to the MITRE ATT&CK framework.[4]
2.1.1. Mitigation
To counter APT40 activity, CISA AA21-200A recommends that organizations build network monitoring and hygiene into their defense strategy and follow security best practices, such as strong password management and timely patching of security vulnerabilities. The advisory specifically recommends the following measures:
- Patch and Vulnerability Management
  - Install vendor-provided and verified patches on all systems for critical vulnerabilities, prioritizing timely patching of internet-facing servers and of software that processes internet data, such as web browsers, browser plugins, and document readers.
  - Ensure proper mitigating steps or compensating controls are in place for vulnerabilities that cannot be patched in a timely manner.
  - Maintain up-to-date antivirus signatures and engines.
  - Routinely audit configuration and patch management programs to ensure the ability to track and mitigate emerging threats. A rigorous configuration and patch management program hampers sophisticated cyber threat actors' operations and protects resources and information systems.
  - Review the articles listed in the advisory's References section[5] for more information on Chinese APT exploitation of common vulnerabilities.
- Protect Credentials
  - Strengthen credential requirements, regularly change passwords, and implement multi-factor authentication (MFA) to protect individual accounts, particularly for webmail and VPN access and for accounts with access to critical systems. Do not reuse passwords across accounts.
  - Audit all remote authentications from trusted networks or service providers.
  - Detect mismatches by correlating credentials used within internal networks with those used on external-facing systems.
  - Log use of system administrator commands such as net, ipconfig, and ping.
  - Enforce the principle of least privilege.
- Network Hygiene and Monitoring
  - Actively scan and monitor internet-accessible applications for unauthorized access, modification, and anomalous activity.
  - Actively monitor server disk use and audit for significant changes.
  - Log Domain Name System (DNS) queries and consider blocking all outbound DNS requests that do not originate from approved DNS servers. Monitor DNS queries for C2 over DNS.
  - Develop and monitor network and system baselines to allow identification of anomalous activity. Audit logs for suspicious behavior.
  - Identify and suspend access of users exhibiting unusual activity.
  - Use an allowlist or baseline comparison to monitor Windows event logs and network traffic and detect when a user maps a privileged administrative share on a Windows system.
  - Leverage multi-sourced threat-reputation services for files, DNS, URLs, IP addresses, and email addresses.
  - Network device management interfaces, such as Telnet, Secure Shell (SSH), Winbox, and HTTP, should be disabled on wide area network (WAN) interfaces and, when enabled, secured with strong passwords and encryption.
  - When possible, segregate critical information on air-gapped systems. Use strict access control measures for critical data.
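Two of the recommendations above are directly testable in log data: logging use of administrator commands such as net, ipconfig, and ping, and using a baseline comparison of Windows event logs to detect a user mapping a privileged administrative share. The following detector is an added example written for this article, not code from CISA or the advisory. It runs over constructed Windows Security event records; the account names, hosts, IP addresses, and the allowlist baseline are all invented for illustration, and the field names follow the Event ID 4688 (process creation) and 5140 (network share access) schemas.

```python
"""
Added example (not part of the CISA advisory or this article): a small
detector for two AA21-200A recommendations, run over constructed Windows
Security event records:

  * flag use of system administrator commands such as net, ipconfig and
    ping (process-creation events, Event ID 4688), and
  * flag a user mapping a privileged administrative share (network share
    access, Event ID 5140, share name ADMIN$, C$, ...) when the
    (user, host) pair is not in an allowlist baseline.

Event records, account and host names, and the baseline are constructed.
"""
from dataclasses import dataclass

ADMIN_COMMANDS = {"net.exe", "net1.exe", "ipconfig.exe", "ping.exe"}
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "IPC$"}

# Constructed baseline: accounts expected to map admin shares, per host.
SHARE_BASELINE = {
    ("CORP\\svc_backup", "FS01"),
    ("CORP\\svc_backup", "FS02"),
}


@dataclass(frozen=True)
class Finding:
    event_id: int
    user: str
    host: str
    detail: str


def _image_name(path):
    """'C:\\Windows\\System32\\net.exe' -> 'net.exe' (case-folded)."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a Finding for one parsed event record, or None if benign."""
    eid = ev.get("EventID")
    user, host = ev.get("SubjectUserName", "?"), ev.get("Computer", "?")
    if eid == 4688:
        image = _image_name(ev.get("NewProcessName", ""))
        if image in ADMIN_COMMANDS:
            return Finding(eid, user, host,
                           "admin command: " + ev.get("CommandLine", image))
    elif eid == 5140:
        # ShareName is logged as \\*\ADMIN$; keep only the last component.
        share = ev.get("ShareName", "").rsplit("\\", 1)[-1].upper()
        if share in ADMIN_SHARES and (user, host) not in SHARE_BASELINE:
            return Finding(eid, user, host,
                           f"admin share {share} mapped from {ev.get('IpAddress', '?')}")
    return None


def scan(events):
    """Run check_event over every record and return the findings."""
    return [f for f in map(check_event, events) if f is not None]


# Constructed sample: three records should fire (net.exe, jdoe -> ADMIN$, ping.exe).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS17", "SubjectUserName": "CORP\\jdoe",
     "NewProcessName": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user /domain"},
    {"EventID": 4688, "Computer": "WS17", "SubjectUserName": "CORP\\jdoe",
     "NewProcessName": "C:\\Program Files\\Office\\WINWORD.EXE"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "CORP\\svc_backup",
     "ShareName": "\\\\*\\C$", "IpAddress": "10.0.9.4"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "CORP\\jdoe",
     "ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.5.23"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "CORP\\jdoe",
     "ShareName": "\\\\*\\Public", "IpAddress": "10.0.5.23"},
    {"EventID": 4688, "Computer": "WS22", "SubjectUserName": "CORP\\asmith",
     "NewProcessName": "C:\\Windows\\System32\\PING.EXE",
     "CommandLine": "ping -n 1 10.0.0.1"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.event_id} {f.host} {f.user}: {f.detail}")
```

Two caveats for anyone deploying this: Event ID 4688 only appears when the "Audit Process Creation" policy is enabled, and the CommandLine field is only populated when "Include command line in process creation events" is also turned on; Event ID 5140 requires "Audit File Share". Commands such as net and ping are used legitimately every day, so the 4688 rule is a logging control that feeds correlation, not an alert by itself; the share-mapping rule is the one that produces a real detection, and its value depends entirely on how carefully the (user, host) baseline is maintained.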
2.2. Trends in Chinese State-Sponsored Activities
According to the AA21-200B advisory, the NSA, CISA, and FBI have observed Chinese state–sponsored actors use sophisticated methods to target U.S. political, economic, military, educational, and critical infrastructure (CI) personnel and organizations. The NSA, CISA, and FBI have identified the following trends across Chinese cyber espionage activities:
- Masking Identity
  - Chinese state-sponsored actors covertly run cyber operations by using open-source and commercial penetration-testing tools and by rotating virtual private servers (VPSs).
  - Chinese state-sponsored actors use VPSs, as well as small office and home office (SOHO) devices, as intermediary nodes to hide their main infrastructure.
- Exploitation of Public Vulnerabilities
  - When Chinese state-sponsored actors obtain new software vulnerability information, they quickly scan the internet for public-facing devices that exhibit the vulnerability.
  - Typically, Chinese state-sponsored actors exploit widely used applications, such as Pulse Secure, Apache, F5 BIG-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVEs) exploited in Chinese cyber espionage, see the reports listed in the Endnotes.[6][7][8]
2.2.1. TTPs
Chinese state-sponsored actors have used a wide range of TTPs to infiltrate victim networks and steal sensitive information related to critical industries and government entities. Appendices A and B of the AA21-200B advisory contain MITRE ATT&CK TTP information related to Chinese state-sponsored operations. A downloadable JSON version of this information is also available on the NSA Cybersecurity GitHub page.[9]
2.2.2. Mitigations
The NSA, CISA, and FBI strongly recommend that federal and state, local, tribal, and territorial (SLTT) governments, critical infrastructure (CI), the Defense Industrial Base (DIB), and private industry organizations follow security best practices and monitor network traffic for suspicious and targeted activity. Their recommendations are reproduced below:
- Patch systems and equipment promptly and diligently
  - Focus on patching critical and high vulnerabilities that allow remote code execution or denial of service on externally facing equipment, and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle.
  - Note: for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors, refer to the resources listed in section 2.2 above and in the Endnotes.[6][7][8]
- Enhance monitoring of network traffic, email, and endpoint systems
  - Review network signatures and indicators for targeted activity, monitor for new phishing themes, and adjust email rules accordingly.
  - Follow the best practices of restricting email attachments and blocking URLs and domains based on reputation.
  - Ensure that log information is aggregated and correlated to enable maximum detection capability, with a focus on monitoring for account misuse.
  - Monitor common ports and protocols for command and control (C2) activity.
  - SSL/TLS inspection can be used to see the contents of encrypted sessions and look for network-based indicators of malware communication protocols.
  - Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.
- Use protection capabilities to stop malicious activity
  - Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing.
  - Use a network intrusion detection and prevention system to identify and block commonly employed adversarial malware and limit malicious data transfers.
  - Use a domain reputation service to detect suspicious or malicious domains.
  - Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques that defeat some MFA implementations.
3. Indicators of Compromise
The table below contains a sample of the IOCs related to the activity discussed in this article; the full list is available with the joint advisory.[1]

Indicator | Description
--- | ---
Engaction[.]com Soure7788.chickenkiller[.]com airbusocean[.]com cargillnotice[.]com ccidmeekparry[.]info ccvzvhjhdf[.]website cdigroups[.]com checkecc[.]com chemscalere[.]com cnnzapmeta[.]com corycs[.]com deltektimes[.]com ens-smithjonathan.rhcloud[.]com fishgatesite.wordpress[.]com goo2k88yyh2.chickenkiller[.]com gttdoskip[.]com huntingtomingalls[.]com indiadigest[.]in jack-newnb[.]com kAty197.chickenkiller[.]com louisdreyfu[.]com mail2.ignorelist[.]com masterroot[.]pw microsql-update[.]info mihybb[.]com mlcdailynews[.]com movyaction[.]net msusanode[.]com newbb-news[.]com nfmybb[.]com nobug[.]uk.to notesof992.wordpress[.]com onlinenewspapers[.]club onlineobl[.]com oyukg43t[.]website pacifichydrologic[.]org | APT40 domains
http://gkimertds.wordpress[.]com/feed/ http://stackoverflow[.]com/users/3627469/angle-swift http://stackoverflow[.]com/users/3804206/swiftr-angle http://stackoverflow[.]com/users/3863346/gkimertdssdads https://github[.]com/slotz/sharp-loader/commit/f9de338fb474fd970a7375030642d04179b9245d https://pastebin[.]com/p1mktQpD https://pastebin[.]com/vfb5mbbu www.yorkshire-espana-sa[.]com/english/servicios/ nmw4xhipveaca7hm[.]onion.link/en_US/all.js | APT40 URLs
01234c0e41fc23bb5e1946f69e6c6221 018d3c34a296edd32e1b39b7276dcf7f 019b68e26df8750e2f9f580b150b7293 01fa52a4f9268948b6c508fef0377299 022bd2040ec0476d8eb80d1d9dc5cc92 039d9ca446e79f2f4310dc7dcc60ec55 043f6cdca33ce68b1ebe0fd79e4685af 04918772a2a6ccd049e42be16bcbee39 04dc4ca70f788b10f496a404c4903ac6 060067666435370e0289d4add7a07c3b 062c759d04106e46e027bbe3b93f33ef 07083008885d2d0b31b137e896c7266c 079068181a728d0d603fe72ebfc7e910 0803f8c5ee4a152f2108e64c1e7f0233 09143a14272a29c56ff32df160dfdb30 0985f757b1b51533b6c5cf9b1467f388 09aab083fb399527f8ff3065f7796443 0b7bb3e23a1be2f26b9adf7004fc6b52 0b9a614a2bbc64c1f32b95988e5a3359 0bbe092a2120b1be699387be16b5f8fb 0bbe769505ca3db6016da400539f77aa 0c3c00c01f4c4bad92b5ba56bd5a9598 0c4fa4dfbe0b07d3425fea3efe60be1c 0ca936a564508a1f9c91cb7943e07c30 0d69eefede612493afd16a7541415b95 0da08b4bfe84eacc9a1d9642046c3b3c 0dd7f10fdf60fc36d81558e0c4930984 0e01ec14c25f9732cc47cf6344107672 10191b6ce29b4e2bddb9e57d99e6c471 105757d1499f3790e69fb1a41e372fd9 11166f8319c08c70fc886433a7dac92d 1223302912ec70c7c8350268a13ad226 139e071dd83304cdcfd5280022a0f958 13c93dc9186258d6c335b16dc7bb3c8c 14e2b0e47887c3bfbddb3b66012cb6e8 | APT40 MD5 hashes
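The indicators above are published defanged (`[.]` for `.`), and several of the URL indicators live on shared platforms (stackoverflow, pastebin, github) where matching the bare hostname would flood an analyst with false positives. The following script, an added example written for this article and not code from CISA or the advisory, refangs a small subset of the published indicators and matches them against DNS query logs, proxy URLs, and observed file hashes; it also serves the monitoring recommendations in section 2.2.2 (domain reputation, C2 monitoring). The log lines, host names, and observed hashes are constructed, and the log formats are hypothetical.

```python
"""
Added example (not part of the advisory or this article): refang the
defanged indicators from the IOC table and match them against constructed
DNS query logs, proxy URLs and file hashes. Only a handful of the published
indicators are embedded; log lines, hosts and observed hashes are constructed.
"""
import re

# A short subset of the published table, defanged exactly as given.
RAW_DOMAINS = ("Engaction[.]com Soure7788.chickenkiller[.]com airbusocean[.]com "
               "kAty197.chickenkiller[.]com pacifichydrologic[.]org")
RAW_URLS = ("http://stackoverflow[.]com/users/3627469/angle-swift "
            "https://pastebin[.]com/p1mktQpD "
            "www.yorkshire-espana-sa[.]com/english/servicios/")
RAW_HASHES = "01234c0e41fc23bb5e1946f69e6c6221 018d3c34a296edd32e1b39b7276dcf7f"


def refang(s):
    return s.replace("[.]", ".").replace("hxxp", "http")


def norm_url(u):
    """Lower-case, drop the scheme and any trailing slash so that
    'https://X/p/' and 'x/p' compare equal."""
    u = re.sub(r"^https?://", "", refang(u).strip().lower())
    return u.rstrip("/")


def load_iocs():
    return {
        "domains": {refang(d).lower() for d in RAW_DOMAINS.split()},
        # Shared platforms (stackoverflow, pastebin, github) are matched on the
        # full URL only; their bare hostnames would be pure noise.
        "urls": {norm_url(u) for u in RAW_URLS.split()},
        "md5": {h.lower() for h in RAW_HASHES.split()
                if re.fullmatch(r"[0-9a-fA-F]{32}", h)},
    }


def match_domain(qname, domains):
    """Return the matching IOC for an exact or sub-domain match, else None.
    'other.chickenkiller.com' must NOT match 'kAty197.chickenkiller.com':
    chickenkiller.com is a dynamic-DNS provider, not itself an indicator."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in domains:
            return cand
    return None


def scan_dns(lines, iocs):
    """Hypothetical log format: '<ts> <host> query <type> <qname>'."""
    hits = []
    for line in lines.splitlines():
        _ts, host, _, _, qname = line.split()
        ioc = match_domain(qname, iocs["domains"])
        if ioc:
            hits.append((host, qname, ioc))
    return hits


def scan_proxy(lines, iocs):
    """Hypothetical log format: '<host> <method> <url>'."""
    hits = []
    for line in lines.splitlines():
        host, _, url = line.split()
        if norm_url(url) in iocs["urls"]:
            hits.append((host, url))
    return hits


def scan_hashes(seen, iocs):
    return sorted(h.lower() for h in seen if h.lower() in iocs["md5"])


# Constructed logs.
DNS_LOG = """\
2021-07-20T03:12:09Z ws17 query A mail.airbusocean.com
2021-07-20T03:12:11Z ws17 query A www.microsoft.com
2021-07-20T03:13:40Z ws22 query A KATY197.chickenkiller.com
2021-07-20T03:13:41Z ws22 query A other.chickenkiller.com
2021-07-20T03:14:02Z ws22 query A stackoverflow.com"""
PROXY_LOG = """\
ws17 GET https://pastebin.com/p1mktQpD
ws17 GET https://stackoverflow.com/questions/1
ws22 GET http://stackoverflow.com/users/3627469/angle-swift
ws22 GET http://www.yorkshire-espana-sa.com/english/servicios/"""
SEEN_HASHES = ["01234C0E41FC23BB5E1946F69E6C6221",
               "d41d8cd98f00b204e9800998ecf8427e"]

if __name__ == "__main__":
    iocs = load_iocs()
    print(scan_dns(DNS_LOG, iocs))
    print(scan_proxy(PROXY_LOG, iocs))
    print(scan_hashes(SEEN_HASHES, iocs))
```

Domain matching walks up the label hierarchy so that a subdomain of an indicator (mail.airbusocean.com) fires while a sibling under a shared dynamic-DNS parent (other.chickenkiller.com) does not; case is folded on both sides because DNS names are case-insensitive and the published list mixes cases (kAty197). URL indicators are compared only after stripping scheme and trailing slash, since the published list is inconsistent on both. Hashes are lower-cased before comparison, and a match on a host whose DNS traffic also hit should be treated as corroborating evidence rather than two independent alerts.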
Endnotes
1. CISA AA21-200A: https://us-cert.cisa.gov/ncas/alerts/aa21-200a
2. CISA AA21-200B: https://us-cert.cisa.gov/ncas/alerts/aa21-200b
3. The White House Statement on PRC Malicious Cyber Activities: https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/
4. MITRE ATT&CK Framework: https://attack.mitre.org/matrices/enterprise/
5. CISA AA21-200A APT40 References: https://us-cert.cisa.gov/ncas/alerts/aa21-200a
6. CISA AA20-133A: https://us-cert.cisa.gov/ncas/alerts/aa20-133a
7. CISA AA20-275A: https://us-cert.cisa.gov/ncas/alerts/aa20-275a
8. NSA Cybersecurity Advisory on Chinese state-sponsored exploitation of publicly known vulnerabilities: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
9. NSA Cybersecurity GitHub, Chinese state-sponsored cyber operations observed TTPs: https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps