
Chinese APT40 hackers hijack SOHO routers to launch attacks

July 9, 2024

Jasper_The_Rasper
Moderator

July 9, 2024 By Bill Toulas


Kryptonite Panda hackers

A joint advisory from international cybersecurity agencies and law enforcement details the tactics of the Chinese state-sponsored hacking group APT40, including its hijacking of small office/home office (SOHO) routers to launch cyberespionage attacks.

APT40, also known as Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk, has been active since at least 2011, targeting government organizations and key private-sector entities in the US and Australia.

Previously, APT40 was linked to a wave of attacks on more than 250,000 Microsoft Exchange servers using the ProxyLogon vulnerabilities, as well as to campaigns that exploited flaws in widely used software such as WinRAR.

APT40 activity overview

According to the cybersecurity authorities and government agencies from Australia, the United States, the United Kingdom, Canada, New Zealand, Germany, South Korea, and Japan that co-authored the advisory, APT40 prefers exploiting vulnerabilities in public-facing infrastructure and edge networking devices over techniques that depend on human interaction, such as phishing emails and social engineering.

The threat actors are known to rapidly exploit new vulnerabilities as soon as they are publicly disclosed; the advisory cites flaws in Log4j, Atlassian Confluence, and Microsoft Exchange as examples.
