A new joint cyberthreat advisory released by the Five Eyes (an intelligence network established post-World War II between the United States, the United Kingdom, Canada, Australia and New Zealand) unpacks the tradecraft that state-sponsored cyber groups from the People’s Republic of China (PRC) are using to infiltrate private and public organisations.
While South Africa is not a member of the Five Eyes alliance, we carefully track the tactics employed by state-sponsored groups, and any new threats uncovered on the Dark Web, to ensure that our incident response tactics remain relevant and stay ahead of current cyberattacks.
Of particular interest is APT40, a group that has showcased a remarkable capability to quickly turn proof-of-concept (POC) exploits of newly discovered vulnerabilities into actionable tools, deploying them almost immediately against vulnerable networks. This group consistently performs extensive reconnaissance on targeted networks to identify and exploit weaknesses. By targeting outdated or poorly maintained devices, APT40 efficiently deploys its exploits, often leveraging vulnerabilities from as far back as 2017. The authoring agencies of the joint cyberthreat advisory anticipate that APT40 will continue to exploit POCs for new, high-profile vulnerabilities within hours or days of their public disclosure.
In the past, APT40 used compromised websites as command-and-control hosts. However, the group has since advanced its methods, now exploiting compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors. Many of these SOHO devices are outdated or unpatched, making them prime targets for N-day exploitation: the exploitation of a vulnerability in the window between its public disclosure and the patching of affected systems, a window that can often span days or even weeks. Once compromised, these devices serve as platforms for launching attacks that blend with legitimate traffic, posing significant challenges for network defenders.
The advisory lists specific mitigations that organisations can use to detect and respond to APT40 attacks. Given the success of APT40 attacks, it is worth preparing for similar tradecraft. From a digital forensics and incident response (DFIR) perspective, mitigations include the following:
Incident response plan:
- Develop a comprehensive incident response plan that outlines the steps to be taken in the event of a security incident, including APT40 attacks.
- Define roles and responsibilities of incident response team members and establish clear communication channels.
- Regularly review and update the incident response plan to incorporate lessons learned from previous incidents and adapt to evolving threats.
Incident response readiness:
- Conduct regular incident response exercises and simulations to test the effectiveness of the plan and ensure readiness of the incident response team.
- Establish relationships with external incident response providers or law enforcement agencies for assistance during complex incidents.
- Maintain up-to-date contact information for key stakeholders, including internal teams, external partners, and relevant authorities.
Digital forensics capabilities:
- Develop and maintain digital forensics capabilities within the organisation or engage with external digital forensics experts.
- Establish procedures for collecting, preserving, and analysing digital evidence in a forensically sound manner.
- Ensure that digital forensic tools and software are up to date and capable of handling the latest threats and attack techniques.
Incident detection and response:
- Implement robust monitoring and detection systems to identify potential APT40 attacks in real time.
- Establish incident response playbooks that provide step-by-step instructions for responding to specific types of APT40 attacks.
- Enable automated incident response actions where appropriate, such as isolating compromised systems or blocking malicious IP addresses.
Post-incident analysis and lessons learned:
- Conduct thorough post-incident analysis and forensic investigations to understand the scope and impact of APT40 attacks.
- Document lessons learned from each incident and use them to improve incident response processes, security controls, and employee training.
- Share relevant information and findings with industry peers and trusted partners to enhance collective defence against APT40 and similar threats.
How Cyber+ can help
Cyber+ is a unique offering from CyberCom.Africa that combines digital forensics expertise, delivered by our sister company, Cyanre Digital Forensics Lab, with 24/7 incident response capabilities. The added value included in Cyber+ ensures that regular assessments are conducted on a business’s security posture, that risks and vulnerabilities requiring attention are identified, and that an incident response plan is put in place to facilitate responding to a breach at speed: identifying points of compromise and impact, and determining what the immediate containment actions need to be to ensure business continuity and resilience. Our service includes a variety of audits and assessments in order to prevent and detect incidents.