{
	"id": "f9eb180a-391e-498e-a1fa-b0fa92666526",
	"created_at": "2026-04-06T00:19:33.969415Z",
	"updated_at": "2026-04-10T03:38:01.845126Z",
	"deleted_at": null,
	"sha1_hash": "d4c3fb7ebf839c2694a88d5afaa44da3caf3552b",
	"title": "People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359321,
	"plain_text": "People’s Republic of China (PRC) Ministry of State Security\r\nAPT40 Tradecraft in Action | CISA\r\nPublished: 2024-07-08 · Archived: 2026-04-05 19:07:13 UTC\r\nThis advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC),\r\nthe United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security\r\nAgency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber\r\nSecurity Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber\r\nSecurity Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the\r\nProtection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’\r\nNational Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity\r\n(NISC) and National Police Agency (NPA)—hereafter referred to as the “authoring agencies”—outlines a People’s\r\nRepublic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The\r\nadvisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident\r\nresponse investigations.\r\nThe PRC state-sponsored cyber group has previously targeted organizations in various countries, including\r\nAustralia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally. Therefore, the authoring agencies believe the group, and similar techniques remain a\r\nthreat to their countries’ networks as well.\r\nThe authoring agencies assess that this group conduct malicious cyber operations for the PRC Ministry of State\r\nSecurity (MSS). 
The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT)\r\n40 (also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry\r\nreporting). This group has previously been reported as being based in Haikou, Hainan Province, PRC and\r\nreceiving tasking from the PRC MSS, Hainan State Security Department.[1]\r\nThe following Advisory provides a sample of significant case studies of this adversary’s techniques in action\r\nagainst two victim networks. The case studies are consequential for cybersecurity practitioners to identify, prevent\r\nand remediate APT40 intrusions against their own networks. The selected case studies are those where appropriate\r\nremediation has been undertaken reducing the risk of re-exploitation by this threat actor, or others. As such, the\r\ncase studies are naturally older in nature, to ensure organizations were given the necessary time to remediate.\r\nAPT40 has repeatedly targeted Australian networks as well as government and private sector networks in the\r\nregion, and the threat they pose to our networks is ongoing. The tradecraft described in this advisory is regularly\r\nobserved against Australian networks.\r\nNotably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of\r\nnew vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the\r\nassociated vulnerability. APT40 regularly conducts reconnaissance against networks of interest, including\r\nnetworks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a\r\nPage 1 of 28\n\nreconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks\r\nof interest, and to rapidly deploy exploits. 
APT40 continues to find success exploiting vulnerabilities from as early\r\nas 2017.\r\nAPT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4j (CVE-2021-44228),\r\nAtlassian Confluence (CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). ASD’s ACSC and the authoring agencies expect the group to continue using\r\nPOCs for new high-profile vulnerabilities within hours or days of public release.\r\nThis group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user\r\ninteraction, such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range\r\nof follow-on activities. APT40 regularly uses web shells [T1505.003] for persistence, particularly early in the\r\nlife cycle of an intrusion. Typically, after successful initial access APT40 focuses on establishing persistence to\r\nmaintain access on the victim’s environment. However, as persistence occurs early in an intrusion, it is more likely\r\nto be observed in all intrusions—regardless of the extent of compromise or further actions taken.\r\nAlthough APT40 has previously used compromised Australian websites as command and control (C2) hosts for its\r\noperations, the group has evolved this technique [T1594].\r\nAPT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO)\r\ndevices, as operational infrastructure and last-hop redirectors [T1584.008] for its operations in Australia. This\r\nhas enabled the authoring agencies to better characterize and track this group’s movements.\r\nMany of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation. 
Once\r\ncompromised, SOHO devices offer a launching point for attacks that is designed to blend in with legitimate traffic\r\nand challenge network defenders [T1001.003].\r\nAPT40 does occasionally use procured or leased infrastructure as victim-facing C2 infrastructure in its operations;\r\nhowever, this tradecraft appears to be in relative decline.\r\nASD’s ACSC is sharing some of the malicious files identified during the investigations outlined below. These\r\nfiles have been uploaded to VirusTotal to enable the wider network defense and cyber security communities to\r\nbetter understand the threats they need to defend against.\r\nASD’s ACSC is sharing two anonymized investigative reports to provide awareness of how the actors employ\r\ntheir tools and tradecraft.\r\nCase Study 1\r\nExecutive Summary\r\nThis report details the findings of the ASD’s ACSC investigation into the successful compromise of the\r\norganization’s network between July and September 2022. This investigative report was provided to the\r\norganization to summarize observed malicious activity and frame remediation recommendations. The findings\r\nindicate the compromise was undertaken by APT40.\r\nIn mid-August, the ASD’s ACSC notified the organization of malicious interactions with their network from a\r\nlikely compromised device being used by the group. In late August, with the organization’s consent, the ASD’s\r\nACSC deployed host-based sensors to likely affected hosts on the organization’s network. These sensors allowed\r\nASD’s ACSC incident response analysts to undertake a thorough digital forensics investigation. 
Using available\r\nsensor data, the ASD’s ACSC analysts successfully mapped the group’s activity and created a detailed timeline of\r\nobserved events.\r\nFrom July to August, key actor activity observed by the ASD’s ACSC included:\r\nHost enumeration, which enables an actor to build their own map of the network;\r\nWeb shell use, giving the actor an initial foothold on the network and a capability to execute commands; and\r\nDeployment of other tooling leveraged by the actor for malicious purposes.\r\nThe investigation uncovered evidence of large amounts of sensitive data being accessed and evidence that the\r\nactors moved laterally through the network [T1021.002]. Much of the compromise was facilitated by the\r\ngroup’s establishment of multiple access vectors into the network, the network having a flat structure, and the use\r\nof insecure internally developed software that could be used to arbitrarily upload files. Exfiltrated data included\r\nprivileged authentication credentials that enabled the group to log in, as well as network information that would\r\nallow the actors to regain unauthorized access if the original access vector was blocked. No additional malicious\r\ntooling was discovered beyond that on the initially exploited machine; however, the group’s access to legitimate\r\nand privileged credentials would negate the need for additional tooling. Findings from the investigation indicate\r\nthe organization was likely deliberately targeted by APT40, as opposed to falling victim opportunistically to a\r\npublicly known vulnerability.\r\nInvestigation Findings\r\nIn mid-August 2022, the ASD’s ACSC notified the organization that a confirmed malicious IP believed to be\r\naffiliated with a state-sponsored cyber group had interacted with the organization’s computer networks between at\r\nleast July and August. 
The compromised device probably belonged to a small business or home user.\r\nIn late August, the ASD’s ACSC deployed a host-based agent to hosts on the organization’s network which\r\nshowed evidence of having been impacted by the compromise.\r\nSome artefacts which could have supported investigation efforts were not available due to the configuration of\r\nlogging or network design. Despite this, the organization’s readiness to provide all available data enabled ASD’s\r\nACSC incident responders to conduct comprehensive analysis and to form an understanding of likely APT40\r\nactivity on the network.\r\nIn September, after consultation with the ASD’s ACSC, the organization decided to denylist the IP identified in the\r\ninitial notification. In October, the organization commenced remediation.\r\nDetails\r\nBeginning in July, actors were able to test and exploit a custom web application [T1190] running on\r\n\u003cwebapp\u003e2-ext, which enabled the group to establish a foothold in the network demilitarized zone (DMZ). This\r\nwas leveraged to enumerate both the network as well as all visible domains. Compromised credentials [T1078.002] were used to query the Active Directory [T1018] and exfiltrate data by mounting file shares [T1039]\r\nfrom multiple machines within the DMZ. The actor carried out a Kerberoasting attack in order to obtain valid\r\nnetwork credentials from a server [T1558.003]. 
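Kerberoasting leaves a recognisable trace on the domain controller: Windows Security event 4769 (a Kerberos service ticket was requested) shows one account requesting tickets for many different service accounts in a short burst, usually with the RC4 encryption type (0x17) because RC4 ticket hashes are far cheaper to crack offline than AES ones. The following is an added example, not from the advisory and not ASD’s ACSC code, that applies that check to constructed 4769 events. Field names follow the event XML (TargetUserName is the requesting account, ServiceName the account that owns the SPN, IpAddress the client); the five-minute window and the threshold of three distinct service accounts are assumptions to tune per environment.

```python
"""Flag likely Kerberoasting (T1558.003) from Windows Security event 4769.

Added example, not from the advisory. The events below are constructed;
field names mirror the 4769 event XML (TargetUserName = requesting account,
ServiceName = account that owns the SPN, TicketEncryptionType = etype).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # etype 23; AES service tickets are 0x11 / 0x12
WINDOW = timedelta(minutes=5)     # assumption: tune for the environment
THRESHOLD = 3                     # distinct service accounts per window (assumption)

# Constructed sample events (not real log data).
SAMPLE_4769 = [
    # alice: one RC4 ticket for a legacy SQL service - a single request, below threshold
    {"time": "2022-08-14T02:10:05", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "IpAddress": "10.1.10.21", "Status": "0x0"},
    # bob: AES tickets - normal workstation activity, not roastable
    {"time": "2022-08-14T02:12:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "FILE01$", "TicketEncryptionType": "0x12",
     "IpAddress": "10.1.10.30", "Status": "0x0"},
    {"time": "2022-08-14T02:12:01", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12",
     "IpAddress": "10.1.10.30", "Status": "0x0"},
    # svc_dmz from a DMZ host: RC4 tickets for five service accounts in about a minute
    *[
        {"time": t, "TargetUserName": "svc_dmz@CORP.LOCAL", "ServiceName": svc,
         "TicketEncryptionType": "0x17", "IpAddress": "10.9.0.12", "Status": "0x0"}
        for t, svc in [
            ("2022-08-14T02:30:00", "svc_sql"),
            ("2022-08-14T02:30:15", "svc_backup"),
            ("2022-08-14T02:30:30", "svc_bms"),
            ("2022-08-14T02:30:45", "svc_sccm"),
            ("2022-08-14T02:31:00", "svc_exchange"),
            ("2022-08-14T02:31:10", "WEB01$"),      # machine account: excluded below
        ]
    ],
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_roast_candidate(event):
    """RC4 service ticket, successfully issued, for a user (not machine) service account."""
    if event.get("TicketEncryptionType") != RC4_HMAC:
        return False
    if event.get("Status", "0x0") != "0x0":
        return False
    svc = event["ServiceName"]
    # machine accounts ($) have long random passwords; krbtgt is the TGT itself
    return not (svc.endswith("$") or svc.lower() == "krbtgt")


def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per (requester, client IP) that asked for >= threshold
    distinct roastable service accounts inside any interval of length `window`."""
    by_requester = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if is_roast_candidate(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    findings = []
    for (user, ip), evs in by_requester.items():
        for i, first in enumerate(evs):            # sliding window over this requester
            t0 = _ts(first)
            spns = {e["ServiceName"] for e in evs[i:] if _ts(e) - t0 <= window}
            if len(spns) >= threshold:
                findings.append({"requester": user, "client_ip": ip,
                                 "first_seen": first["time"],
                                 "service_accounts": sorted(spns)})
                break                              # one finding per requester is enough
    return findings


if __name__ == "__main__":
    for f in detect_kerberoasting(SAMPLE_4769):
        print(f"{f['requester']} from {f['client_ip']} at {f['first_seen']}: "
              f"{len(f['service_accounts'])} RC4 service tickets {f['service_accounts']}")
```

On the sample, only svc_dmz from 10.9.0.12 is flagged; alice’s single RC4 request and bob’s AES requests fall through. In a real deployment the threshold should be set from a baseline of how many distinct SPNs a normal account touches, RC4 should be disabled on service accounts where the services support AES, and the service accounts named in a finding should be treated as needing a credential reset, since their hashes are the material the actor takes offline to crack.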
The group were not observed gaining any additional points of\r\npresence in either the DMZ or the internal network.\r\nVisual Timeline\r\nThe below timeline provides a broad overview of the key phases of malicious actor activity observed on the\r\norganization’s network.\r\nDetailed Timeline\r\nJuly: The actors established an initial connection to the front page of a custom web application [T1190] built\r\nfor the organization (hereafter referred to as the “web application” or “webapp”) via a transport layer security\r\n(TLS) connection [T1102]. No other noteworthy activity was observed.\r\nJuly: The actors began enumerating the web application’s website looking for endpoints[2] to further investigate.\r\nJuly: The actors concentrated on attempts to exploit a specific endpoint.\r\nJuly: The actors were able to successfully POST to the web server, probably via a web shell placed on another page.\r\nA second IP, likely employed by the same actors, also began posting to the same URL. The actors created and\r\ntested a number of likely web shells.\r\nThe exact method of exploitation is unknown, but it is clear that the specific endpoint was targeted to create files\r\non \u003cwebapp\u003e2-ext.\r\nASD's ACSC believes that the two IP address connections were part of the same intrusion due to their shared\r\ninterest and initial connections occurring minutes apart.\r\nJuly: The group continued to conduct host enumeration, looking for privilege escalation opportunities, and\r\ndeployed a different web shell. 
The actors logged into the web application using compromised credentials\r\nfor \u003cfirstname.surname\u003e@\u003corganisation domain\u003e.\r\nThe actors’ activity does not appear to have successfully achieved privilege escalation on \u003cwebapp\u003e2-ext.\r\nInstead, the actors pivoted to network-based activity.\r\nJuly: The actors tested the compromised credentials for a service account[3] which they likely found hardcoded in\r\ninternally accessible binaries.\r\nJuly: The actors deployed the open-source tool Secure Socket Funnelling (SSF), which was used to connect out to the\r\nmalicious infrastructure. This connection was employed to tunnel traffic from the actor's attack machines into the\r\norganization’s internal networks; the attack machines’ names were exposed in event logs as they attempted to use the\r\ncredentials for the service account.\r\nAugust: The actors were seen conducting a limited amount of activity, including failing to establish connections\r\ninvolving the service account.\r\nAugust: The actors performed significant network and Active Directory enumeration. A different compromised\r\naccount was subsequently employed to mount shares[4] on Windows machines within the DMZ, enabling successful\r\ndata exfiltration.\r\nThis appears to be opportunistic usage of a stolen credential on mountable machines in the DMZ. Firewalls blocked\r\nthe actor from targeting the internal network with similar activity.\r\nAugust – September: The SSF tool re-established a connection to a malicious IP. The group were not observed\r\nperforming any additional activities until their access was blocked.\r\nSeptember: The organization blocked the malicious IP by denylisting it on their firewalls.\r\nActor Tactics and Techniques\r\nThe MITRE ATT\u0026CK framework is a documented collection of tactics and techniques employed by threat actors\r\nin cyberspace. The framework was created by U.S. 
not-for-profit The MITRE Corporation and functions as a\r\ncommon global language around threat actor behavior.\r\nThe ASD’s ACSC assesses the following techniques and tactics to be relevant to the actor’s malicious activity:\r\nReconnaissance\r\nT1594 – Search Victim-Owned Websites\r\nThe actor enumerated the custom web application’s website to identify opportunities for accessing the network.\r\nInitial Access\r\nT1190 – Exploit Public-Facing Application (regarding exploiting the custom web application)\r\nT1078.002 – Valid Accounts: Domain Accounts (regarding logging on with compromised credentials)\r\nExploiting internet-exposed custom web applications provided an initial point of access for the actor. The actor\r\nwas later able to use credentials they had compromised to further their access to the network.\r\nExecution\r\nT1059 – Command and Scripting Interpreter (regarding command execution through the web shell)\r\nT1072 – Software Deployment Tools (regarding the actor using open-source tool Secure Socket Funnelling\r\n(SSF) to connect to an IP)\r\nPersistence\r\nT1505.003 – Server Software Component: Web Shell (regarding use of a web shell and SSF to establish access)\r\nCredential Access\r\nT1552.001 – Unsecured Credentials: Credentials In Files (regarding password files relating to building management\r\nsystem [BMS])\r\nT1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting (regarding attack to gain network credentials)\r\nLateral Movement\r\nT1021.002 – Remote Services: SMB Shares (regarding the actor mounting SMB shares from multiple devices)\r\nCollection\r\nT1213 – Data from Information Repositories (regarding manuals/documentation found on the BMS server)\r\nExfiltration\r\nT1041 – Exfiltration Over C2 Channel (regarding the actor’s data exfiltration from Active Directory and\r\nmounting shares)\r\nCase Study 2\r\nThis report has been anonymized to enable wider 
dissemination. The impacted organization is hereafter referred to as “the\r\norganization.” Some specific details have been removed to protect the identity of the victim and incident response methods of\r\nASD’s ACSC.\r\nExecutive Summary\r\nThis report details the findings of ASD’s ACSC investigation into the successful compromise of the organization’s\r\nnetwork in April 2022. This investigation report was provided to the organization to summarize observed\r\nmalicious activity and frame remediation recommendations. The findings indicate the compromise was\r\nundertaken by APT40.\r\nIn May 2022, ASD’s ACSC notified an organization of suspected malicious activity impacting the organization’s\r\nnetwork since April 2022. Subsequently, the organization informed ASD's ACSC that they had discovered\r\nmalicious software on an internet-facing server which provided the login portal for the organization’s corporate\r\nremote access solution. This server used a remote access login and identity management product and will be\r\nreferred to in this report as 'the compromised appliance'. This report details the investigation findings and\r\nremediation advice developed for the organization in response to the investigation conducted by the ASD’s ACSC.\r\nEvidence indicated that part of the organization’s network had been compromised by malicious cyber actor(s) via\r\nthe organization’s remote access login portal since at least April 2022. 
This server may have been compromised by\r\nmultiple actors, and was likely affected by a remote code execution (RCE) vulnerability that was widely\r\npublicized around the time of the compromise.\r\nKey actor activity observed by the ASD’s ACSC included:\r\nHost enumeration, which enables an actor to build their own map of the network;\r\nExploitation of internet-facing applications and web shell use, giving the actor an initial foothold on the\r\nnetwork and a capability to execute commands;\r\nExploitation of software vulnerabilities to escalate privileges; and\r\nCredential collection to enable lateral movement.\r\nThe ASD’s ACSC discovered that a malicious actor had exfiltrated several hundred unique username and\r\npassword pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication\r\ncodes and technical artefacts related to remote access sessions. Upon a review by the organization, the passwords\r\nwere found to be legitimate. The ASD’s ACSC assesses that the actor may have collected these technical artefacts\r\nto hijack or create a remote login session as a legitimate user, and access the organization’s internal corporate\r\nnetwork using a legitimate user account.\r\nInvestigation Summary\r\nThe ASD’s ACSC determined that the actor compromised appliance(s) which provide remote login sessions for\r\norganization staff and used this compromise to attempt to conduct further activity. These appliances consist of\r\nthree load-balanced hosts where the earliest evidence of compromise was detected. The organization shut down\r\ntwo of the three load-balanced hosts shortly after the initial compromise. As a result, all subsequent activity\r\noccurred on a single host. The other servers associated with the compromised appliance were also load-balanced\r\nin a similar manner. 
For legibility, all compromised appliances are referred to in most of this report as a “single\r\nappliance.”\r\nThe actor is believed to have used publicly known vulnerabilities to deploy web shells to the compromised\r\nappliance from April 2022 onwards. Threat actors from the group are assessed to have attained escalated\r\nprivileges on the appliance. The ASD’s ACSC could not determine the full extent of the activity due to lack of\r\nlogging availability. However, evidence on the device indicates that an actor achieved the following:\r\nThe collection of several hundred genuine username and password pairs; and\r\nThe collection of technical artefacts which may have allowed a malicious actor to access a virtual desktop\r\ninfrastructure (VDI) session as a legitimate user.\r\nThe ASD’s ACSC assesses that the actor would have sought to further the compromise of the organization\r\nnetwork. The artefacts exfiltrated by the actor may have allowed them to hijack or initiate virtual desktop sessions\r\nas a legitimate user, possibly as a user of their choice, including administrators. The actor may have used this\r\naccess vector to further compromise organization services to achieve persistence and other goals.\r\nOther organization appliances within the hosting provider-managed environment did not show evidence of\r\ncompromise.\r\nAccess\r\nThe host with the compromised appliance provided authentication via Active Directory and a webserver, for users\r\nconnecting to VDI sessions [T1021.001].\r\nLocation: Datacentre 1\r\nCompromised appliance hostnames (load-balanced): HOST1, HOST2, HOST3\r\nThe appliance infrastructure also included access gateway hosts that provide a tunnel to the VDI for the user, once\r\nthey possess an authentication token generated and downloaded from the appliance.\r\nThere was no evidence of compromise of any of these hosts. 
However, the access gateway hosts’ logs showed\r\nevidence of significant interactions with known malicious IP addresses. It is likely that this reflected activity that\r\noccurred on this host, or network connections with threat actor infrastructure that reached this host. The nature of\r\nthis activity could not be determined using available evidence but indicates that the group sought to move laterally\r\nin the organization’s network [TA0008].\r\nInternal Hosts\r\nThe ASD’s ACSC investigated limited data from the internal organization’s network segment. Attempted or\r\nsuccessful malicious activity known to have impacted the internal organization’s network segment includes actor\r\naccess to VDI-related artefacts, the scraping of an internal SQL server [T1505.001], and unexplained traffic\r\nobserved going from known malicious IP addresses through the access gateway appliances [TA0011].\r\nUsing their access to the compromised appliance, the group collected genuine usernames, passwords [T1003],\r\nand MFA token values [T1111]. The group also collected JSON Web Tokens (JWTs) [T1528], which are\r\nauthentication artefacts used to create virtual desktop login sessions. The actor may have been able to use these to\r\ncreate or hijack virtual desktop sessions [T1563.002] and access the internal organization network segment as a\r\nlegitimate user [T1078].\r\nThe actor also used access to the compromised appliance to scrape an SQL server [T1505.001], which resided\r\nin the organization’s internal network. It is likely that the actor had access to this data.\r\nEvidence available from the access gateway appliance revealed that network traffic occurred through or to this\r\ndevice from known malicious IP addresses. 
As described above, this may indicate that malicious cyber actors\r\nimpacted or utilized this device, potentially to pivot into the internal network.\r\nInvestigation Timeline\r\nThe below list provides a timeline of key activities discovered during the investigation.\r\nApril 2022: Known malicious IP addresses interact with access gateway host HOST7. The nature of the\r\ninteractions could not be determined.\r\nApril 2022: All hosts, HOST1, HOST2 and HOST3, were compromised by a malicious actor or actors,\r\nand web shells were placed on the hosts.\r\nA log file was created or modified on HOST2. This file contains credential material likely\r\ncaptured by a malicious actor.\r\nThe /etc/security/opasswd and /etc/shadow files were modified on HOST1 and HOST3,\r\nindicating that passwords were changed. Evidence available on HOST1 suggests that the\r\npassword for user ‘sshuser’ was changed.\r\nApril 2022: HOST2 was shut down by the organization.\r\nAdditional web shells (T1505.003) were created on HOST1 and HOST3. HOST1 experienced SSH brute force attempts from\r\nHOST3.\r\nA log file was modified (T1070) on HOST3. This file contains credential material (T1078)\r\nlikely captured by a malicious actor.\r\nJWTs were captured (T1528) and output to a file on HOST3.\r\nHOST3 was shut down by the organization. All activity after this time occurs on HOST1.\r\nApril 2022: Additional web shells were created on HOST1 (T1505.003). 
JWTs were captured and output\r\nto a file on HOST1.\r\nApril 2022: Additional web shells are created on HOST1 (T1505.003), and\r\na known malicious IP address interacts with the host (TA0011).\r\nA known malicious IP address interacts with access gateway host HOST7.\r\nMay 2022: A known malicious IP address interacted with access gateway host HOST7 (TA0011).\r\nAn authentication event for a user is linked to a known malicious IP address in logs on\r\nHOST1. An additional web shell is created on this host (T1505.003).\r\nMay 2022: A script on HOST1 was modified by an actor (T1543). This script contains functionality\r\nwhich would have scraped data from an internal SQL server.\r\nMay 2022: An additional log file on HOST1 was last modified (T1070). This file contains username and\r\npassword pairs for the organization network, which are believed to be legitimate (T1078).\r\nMay 2022: An additional log file was last modified (T1070). This file contains JWTs collected from\r\nHOST1.\r\nMay 2022: Additional web shells were created on HOST1 (T1505.003). 
On this date, the organization\r\nreported the discovery of a web shell with creation date in April 2022 to ASD’s ACSC.\r\nMay 2022: A number of scripts were created on HOST1, including one named Log4jHotPatch.jar.\r\nMay 2022: The iptables-save command was used to add two open ports to the access gateway host.\r\nThe ports were 9998 and 9999 (T1572).\r\nActor Tactics and Techniques\r\nHighlighted below are several tactics and techniques identified during the investigation.\r\nInitial Access\r\nT1190 – Exploit Public-Facing Application\r\nThe group likely exploited RCE, privilege escalation,\r\nand authentication bypass vulnerabilities in the remote access login and identity management product to gain\r\ninitial access to the network.\r\nThis initial access method is considered the most likely due to the following:\r\nThe server was vulnerable to these CVEs at the time;\r\nAttempts to exploit these vulnerabilities from known actor infrastructure; and\r\nThe first known internal malicious activity occurred shortly after exploitation attempts were\r\nmade.\r\nExecution\r\nT1059.004 – Command and Scripting Interpreter: Unix Shell\r\nThe group, having successfully exploited the above vulnerabilities, may have been able to run commands in a Unix shell\r\navailable on the affected appliance.\r\nComplete details of the commands run by actors cannot be provided as they were not logged by the appliance.\r\nPersistence\r\nT1505.003 – Server Software Component: Web Shell\r\nActors deployed several web shells on the affected appliance. 
It is possible that multiple distinct actors\r\ndeployed web shells, but that only a smaller number of actors conducted activity using these web shells.\r\nWeb shells would have allowed for arbitrary command execution by the actor on the compromised appliances.\r\nPrivilege Escalation\r\nT1068 – Exploitation for Privilege Escalation\r\nAvailable evidence does not describe the level of privilege attained by actors. However, using web shells, the\r\nactors would have achieved a level of privilege comparable to that of the web server on the compromised\r\nappliance. Vulnerabilities believed to have been present on the compromised appliance\r\nwould have allowed the actors to attain root privileges.\r\nCredential Access\r\nT1056.003 – Input Capture: Web Portal Capture\r\nEvidence on the compromised appliance showed that the actor had captured several hundred username-password pairs, in clear text, which are\r\nbelieved to be legitimate. It is likely that these were captured using some modification to the genuine\r\nauthentication process which output the credentials to a file.\r\nT1111 – Multi-Factor Authentication Interception\r\nThe actor also captured the value of MFA tokens\r\ncorresponding to legitimate logins. These were likely captured by modifying the genuine authentication process to\r\noutput these values to a file. There is no evidence of compromise of the “secret server” which\r\nstores the unique values that provide for the security of MFA tokens.\r\nT1040 – Network Sniffing\r\nThe actor is believed to have captured JWTs by capturing HTTP traffic on the compromised appliance.\r\nThere is evidence that the utility tcpdump was executed on the compromised appliance, which may have been\r\nhow the actor captured these JWTs.\r\nT1539 – Steal Web Session Cookie\r\nAs described above, the actor captured JWTs, which are analogous to web session cookies. 
These could have been\r\nreused by the actor to establish further access.\r\nDiscovery\r\nT1046 – Network Service Discovery\r\nThere is evidence that the network scanning utility nmap was executed on the compromised appliance to scan other\r\nappliances in the same network segment. This was likely used by the actor to discover other reachable network\r\nservices which might present opportunities for lateral movement.\r\nCollection\r\nAvailable evidence does not reveal how actors collected data or exactly what was collected from\r\nthe compromised appliance or from other systems. However, it is likely that actors had access to all files on the\r\ncompromised appliance, including the captured credentials [T1003], MFA token values [T1111], and JWTs\r\ndescribed above.\r\nCommand and Control\r\nT1071.001 – Application Layer Protocol: Web Protocols\r\nActors used web shells for command and control. Web shell commands would have been passed over\r\nHTTPS using the existing web server on the appliance [T1572].\r\nT1001.003 – Data Obfuscation: Protocol Impersonation\r\nActors used compromised devices as a launching point\r\nfor attacks that are designed to blend in with legitimate traffic.\r\nDetection and Mitigation Recommendations\r\nThe ASD’s ACSC strongly recommends implementing the ASD Essential Eight Controls and associated Strategies to Mitigate Cyber Security Incidents. Below are recommendations for\r\nnetwork security actions that should be taken to detect and prevent intrusions\r\nby APT40, followed by specific mitigations for four key TTPs summarized in Table 1.\r\nDetection\r\nSome of the files identified above were dropped in locations such as C:\\Users\\Public\\* and C:\\Windows\\Temp\\*. These locations can be convenient spots for writing data as they are usually world writable, that is, all\r\nuser accounts registered in Windows have access to these directories and their subdirectories. 
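How the first of the Sigma rules below (World Writable Execution - Temp) actually decides is easiest to see with its selection and exclusions re-implemented and run over a handful of sample events. The following is an added example, not part of the advisory and not ASD’s ACSC code: the rule’s condition, temp and not (common_temp_path or system_user or dismhost or known_parent), in Python over constructed process_creation events, so the effect of the GUID-subfolder, SYSTEM/NETWORK SERVICE, dismhost and known-parent exclusions can be checked before the rule is tuned for a network. The event dictionaries and their Image, ParentImage and User values are assumptions modelled on the Sigma process_creation field names; Sigma string matching is case-insensitive, which the code mirrors.

```python
"""Re-implementation of the 'World Writable Execution - Temp' Sigma rule logic.

Added example, not from the advisory. Events are constructed; field names
(Image, ParentImage, User) follow the Sigma process_creation convention.
"""
import re

# The rule's common_temp_path regex: a GUID-named folder directly under Temp.
GUID_TEMP_SUBDIR = re.compile(
    r"C:\\Windows\\Temp\\\{[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}\}\\",
    re.IGNORECASE,
)
# Assumption: User holds the bare account name the rule lists. Sysmon records
# 'NT AUTHORITY\SYSTEM', which this exact comparison would NOT match; map the
# field before applying the rule if the telemetry comes from Sysmon.
SYSTEM_USERS = {"SYSTEM", "NETWORK SERVICE"}
KNOWN_PARENTS = ("\\esif_uf.exe", "\\vmtoolsd.exe", "\\cwainstaller.exe", "\\trolleyexpress.exe")


def temp_rule_matches(event):
    """True when the event satisfies
    temp and not (common_temp_path or system_user or dismhost or known_parent)."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    user = event.get("User", "")

    temp = image.lower().startswith("c:\\windows\\temp\\")          # Image|startswith
    common_temp_path = GUID_TEMP_SUBDIR.match(image) is not None      # Image|re|ignorecase
    system_user = user.upper() in SYSTEM_USERS                        # User in list
    dismhost = image.lower().endswith("dismhost.exe")                 # Image|endswith
    known_parent = any(parent.lower().endswith(p) for p in KNOWN_PARENTS)  # ParentImage|endswith

    return temp and not (common_temp_path or system_user or dismhost or known_parent)


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: user-context execution straight out of Temp -> fires
    {"Image": r"C:\Windows\Temp\update.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice"},
    # 2: installer in a GUID-named subfolder -> excluded by common_temp_path
    {"Image": r"C:\Windows\Temp\{A1B2C3D4-1111-2222-3333-444455556666}\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    # 3: same location but run as SYSTEM -> excluded by system_user
    {"Image": r"C:\Windows\Temp\svc.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "User": "SYSTEM"},
    # 4: DISM helper -> excluded by dismhost
    {"Image": r"C:\Windows\Temp\dismhost.exe", "ParentImage": r"C:\Windows\System32\dism.exe",
     "User": r"CORP\alice"},
    # 5: VMware Tools child -> excluded by known_parent
    {"Image": r"C:\Windows\Temp\vmware-install.exe",
     "ParentImage": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe", "User": r"CORP\alice"},
    # 6: outside Temp -> out of scope for this rule (the non-Temp rule covers other paths)
    {"Image": r"C:\Users\Public\w.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice"},
    # 7: lower-case path spawned by an IIS worker process -> fires (case-insensitive match)
    {"Image": r"c:\windows\temp\sh.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\DefaultAppPool"},
]


def run_temp_rule(events):
    """Return the Image paths of the events the rule would alert on, in input order."""
    return [e["Image"] for e in events if temp_rule_matches(e)]


if __name__ == "__main__":
    for hit in run_temp_rule(SAMPLE_EVENTS):
        print("ALERT world-writable execution:", hit)
```

Two things the run makes visible: the SYSTEM exclusion (event 3) means the rule is silent on exactly the higher-privilege executions the rule’s own background note warns it will miss, so it needs a companion rule for privilege escalation rather than a lower threshold; and event 7, a binary under Temp spawned by the IIS worker process, is the shape a web shell dropping a tool would take, which is why the low-level rule is still worth running once the GUID-folder installers and known parents have been baselined out.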
Often,\r\nany user can subsequently access these files, allowing opportunities for lateral movement, defense evasion, low-privilege execution and staging for exfiltration.\r\nThe following Sigma rules look for execution from suspicious locations as an indicator of anomalous\r\nactivity. In all instances, subsequent investigation is required to confirm malicious activity and attribution.\r\nTitle: World Writable Execution - Temp\r\nID: d2fa2d71-fbd0-4778-9449-e13ca7d7505c\r\nDescription: Detect process execution from C:\\Windows\\Temp.\r\nBackground: This rule looks specifically for execution out of C:\\Windows\\Temp\\*. Temp is more broadly used by benign applications and thus a lower confidence\r\nmalicious indicator than execution out of other world writable subdirectories in C:\\Windows.\r\nRemoving applications executed by the SYSTEM or NETWORK SERVICE users substantially reduces the\r\nquantity of benign activity selected by this rule.\r\nThis means that the rule may miss malicious executions at a higher privilege level but it is recommended to\r\nuse other rules to determine if a user is attempting to elevate privileges to SYSTEM.\r\nInvestigation:\r\n1. Examine information directly associated with this file execution, such as the user context, execution\r\nintegrity level, immediate follow-on activity and images loaded by the file.\r\n2. Investigate contextual process, network, file and other supporting data on the host to\r\nhelp make an assessment as to whether the activity is malicious.\r\n3. 
If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.\r\nReferences:\r\nProcess Execution from an Unusual Directory\r\nAuthor: ASD’s ACSC\r\nDate: 2024/06/19\r\nStatus: experimental\r\nTags:\r\ntlp.green\r\nclassification.au.official\r\nattack.execution\r\nLog Source:\r\ncategory: process_creation\r\nproduct: windows\r\nDetection:\r\ntemp:\r\nImage|startswith: 'C:\\\\Windows\\\\Temp\\\\'\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a\r\nPage 13 of 28\n\ncommon_temp_path:\r\nImage|re|ignorecase: 'C:\\\\Windows\\\\Temp\\\\\\{[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}\\}\\\\'\r\nsystem_user:\r\nUser:\r\n'SYSTEM'\r\n'NETWORK SERVICE'\r\ndismhost:\r\nImage|endswith: 'dismhost.exe' \r\nknown_parent:\r\nParentImage|endswith:\r\n'\\\\esif_uf.exe'\r\n'\\\\vmtoolsd.exe'\r\n'\\\\cwainstaller.exe'\r\n'\\\\trolleyexpress.exe'\r\ncondition: temp and not (common_temp_path or system_user or dismhost or known_parent)\r\nFalse positives:\r\nAllowlist auditing applications have been observed running executables from Temp.\r\nTemp will legitimately contain an array of setup applications and launchers, so it will be worth considering\r\nhow prevalent this behavior is on a monitored network (and whether or not it can be allowlisted) before\r\ndeploying this rule.\r\nLevel: low\r\nTitle: World Writable Execution - Non-Temp System Subdirectory\r\nID: 5b187157-e892-4fc9-84fc-aa48aff9f997\r\nDescription: Detect process execution from a world writable location in a subdirectory of the Windows OS install\r\nlocation.\r\nBackground:\r\nThis rule looks specifically for execution out of world writable directories within C:\\ and particularly\r\nC:\\Windows\\*, with the exception of C:\\Windows\\Temp (which is more broadly used by benign applications and\r\nthus a lower confidence malicious indicator).\r\nAppData folders are excluded if a file is run as SYSTEM - this is a benign way in which many 
temporary application files are executed.\r\nAfter completing an initial network baseline and identifying known benign executions from these locations, this rule should rarely fire.\r\nInvestigation:\r\n1. Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.\r\n2. Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.\r\n3. If necessary, attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.\r\nReferences:\r\nmattifestation / WorldWritableDirs.txt\r\nProcess Execution from an Unusual Directory\r\nAuthor: ASD’s ACSC\r\nDate: 2024/06/19\r\nStatus: experimental\r\nTags:\r\n  - tlp.green\r\n  - classification.au.official\r\n  - attack.execution\r\nLog source:\r\n  category: process_creation\r\n  product: windows\r\nDetection:\r\n  writable_path:\r\n    Image|contains:\r\n      - ':\\\\$Recycle.Bin\\\\'\r\n      - ':\\\\AMD\\\\Temp\\\\'\r\n      - ':\\\\Intel\\\\'\r\n      - ':\\\\PerfLogs\\\\'\r\n      - ':\\\\Windows\\\\addins\\\\'\r\n      - ':\\\\Windows\\\\appcompat\\\\'\r\n      - ':\\\\Windows\\\\apppatch\\\\'\r\n      - ':\\\\Windows\\\\AppReadiness\\\\'\r\n      - ':\\\\Windows\\\\bcastdvr\\\\'\r\n      - ':\\\\Windows\\\\Boot\\\\'\r\n      - ':\\\\Windows\\\\Branding\\\\'\r\n      - ':\\\\Windows\\\\CbsTemp\\\\'\r\n      - ':\\\\Windows\\\\Containers\\\\'\r\n      - ':\\\\Windows\\\\csc\\\\'\r\n      - ':\\\\Windows\\\\Cursors\\\\'\r\n      - ':\\\\Windows\\\\debug\\\\'\r\n      - ':\\\\Windows\\\\diagnostics\\\\'\r\n      - ':\\\\Windows\\\\DigitalLocker\\\\'\r\n      - ':\\\\Windows\\\\dot3svc\\\\'\r\n      - ':\\\\Windows\\\\en-US\\\\'\r\n      - ':\\\\Windows\\\\Fonts\\\\'\r\n      - ':\\\\Windows\\\\Globalization\\\\'\r\n      - ':\\\\Windows\\\\Help\\\\'\r\n      - ':\\\\Windows\\\\IdentityCRL\\\\'\r\n      - ':\\\\Windows\\\\IME\\\\'\r\n      - ':\\\\Windows\\\\ImmersiveControlPanel\\\\'\r\n      - ':\\\\Windows\\\\INF\\\\'\r\n      - ':\\\\Windows\\\\intel\\\\'\r\n      - ':\\\\Windows\\\\L2Schemas\\\\'\r\n      - ':\\\\Windows\\\\LiveKernelReports\\\\'\r\n      - ':\\\\Windows\\\\Logs\\\\'\r\n      - ':\\\\Windows\\\\media\\\\'\r\n      - ':\\\\Windows\\\\Migration\\\\'\r\n      - ':\\\\Windows\\\\ModemLogs\\\\'\r\n      - ':\\\\Windows\\\\ms\\\\'\r\n      - ':\\\\Windows\\\\OCR\\\\'\r\n      - ':\\\\Windows\\\\panther\\\\'\r\n      - ':\\\\Windows\\\\Performance\\\\'\r\n      - ':\\\\Windows\\\\PLA\\\\'\r\n      - ':\\\\Windows\\\\PolicyDefinitions\\\\'\r\n      - ':\\\\Windows\\\\Prefetch\\\\'\r\n      - ':\\\\Windows\\\\PrintDialog\\\\'\r\n      - ':\\\\Windows\\\\Provisioning\\\\'\r\n      - ':\\\\Windows\\\\Registration\\\\CRMLog\\\\'\r\n      - ':\\\\Windows\\\\RemotePackages\\\\'\r\n      - ':\\\\Windows\\\\rescache\\\\'\r\n      - ':\\\\Windows\\\\Resources\\\\'\r\n      - ':\\\\Windows\\\\SchCache\\\\'\r\n      - ':\\\\Windows\\\\schemas\\\\'\r\n      - ':\\\\Windows\\\\security\\\\'\r\n      - ':\\\\Windows\\\\ServiceState\\\\'\r\n      - ':\\\\Windows\\\\servicing\\\\'\r\n      - ':\\\\Windows\\\\Setup\\\\'\r\n      - ':\\\\Windows\\\\ShellComponents\\\\'\r\n      - ':\\\\Windows\\\\ShellExperiences\\\\'\r\n      - ':\\\\Windows\\\\SKB\\\\'\r\n      - ':\\\\Windows\\\\TAPI\\\\'\r\n      - ':\\\\Windows\\\\Tasks\\\\'\r\n      - ':\\\\Windows\\\\TextInput\\\\'\r\n      - ':\\\\Windows\\\\tracing\\\\'\r\n      - ':\\\\Windows\\\\Vss\\\\'\r\n      - ':\\\\Windows\\\\WaaS\\\\'\r\n      - ':\\\\Windows\\\\Web\\\\'\r\n      - ':\\\\Windows\\\\wlansvc\\\\'\r\n      - ':\\\\Windows\\\\System32\\\\Com\\\\dmp\\\\'\r\n      - ':\\\\Windows\\\\System32\\\\FxsTmp\\\\'\r\n      - ':\\\\Windows\\\\System32\\\\Microsoft\\\\Crypto\\\\RSA\\\\MachineKeys\\\\'\r\n      - ':\\\\Windows\\\\System32\\\\Speech\\\\'\r\n      - ':\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\'\r\n      - ':\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\'\r\n      - ':\\\\Windows\\\\System32\\\\spool\\\\SERVERS\\\\'\r\n      - ':\\\\Windows\\\\System32\\\\Tasks_Migrated\\\\Microsoft\\\\Windows\\\\PLA\\\\System\\\\'\r\n      - ':\\\\Windows\\\\System32\\\\Tasks\\\\'\r\n      - ':\\\\Windows\\\\SysWOW64\\\\Com\\\\dmp\\\\'\r\n      - ':\\\\Windows\\\\SysWOW64\\\\FxsTmp\\\\'\r\n      - ':\\\\Windows\\\\SysWOW64\\\\Tasks\\\\'\r\n  appdata:\r\n    Image|contains: '\\\\AppData\\\\'\r\n    User: 'SYSTEM'\r\n  condition: writable_path and not appdata\r\nFalse positives:\r\nAllowlist auditing applications have been observed running executables from these directories.\r\nIt is plausible that scripts and administrative tools used in the monitored environment(s) may be located in one of these directories and should be addressed on a case-by-case basis.\r\nLevel: high\r\n\r\nTitle: World Writable Execution - Users\r\nID: 6dda3843-182a-4214-9263-925a80b4c634\r\nDescription: Detect process execution from C:\\Users\\Public\\* and other world writable folders within Users.\r\nBackground:\r\nAppData folders are excluded if a file is run as SYSTEM - this is a benign way in which many temporary application files are 
executed.\r\nInvestigation:\r\n1. Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.\r\n2. Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.\r\n3. If necessary, attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.\r\nReferences:\r\nProcess Execution from an Unusual Directory\r\nAuthor: ASD’s ACSC\r\nDate: 2024/06/19\r\nStatus: experimental\r\nTags:\r\n  - tlp.green\r\n  - classification.au.official\r\n  - attack.execution\r\nLog source:\r\n  category: process_creation\r\n  product: windows\r\nDetection:\r\n  users:\r\n    Image|contains:\r\n      - ':\\\\Users\\\\All Users\\\\'\r\n      - ':\\\\Users\\\\Contacts\\\\'\r\n      - ':\\\\Users\\\\Default\\\\'\r\n      - ':\\\\Users\\\\Public\\\\'\r\n      - ':\\\\Users\\\\Searches\\\\'\r\n  appdata:\r\n    Image|contains: '\\\\AppData\\\\'\r\n    User: 'SYSTEM'\r\n  condition: users and not appdata\r\nFalse positives:\r\nIt is plausible that scripts and administrative tools used in the monitored environment(s) may be located in Public or a subdirectory and should be addressed on a case-by-case basis.\r\nLevel: medium\r\nMitigations\r\nLogging\r\nDuring ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas, including web server request logs, Windows event logs and internet proxy logs.\r\nASD’s ACSC recommends reviewing and implementing their guidance on Windows Event Logging and Forwarding, including the configuration files and scripts in the Windows Event Logging Repository, and the Information Security Manual’s Guidelines for System Monitoring, to include centralizing logs and retaining logs for a suitable period.\r\nPatch Management\r\nPromptly patch all internet exposed devices and services, including web servers, web applications, and remote access gateways. Consider implementing a centralized patch management system to automate and expedite the process. ASD’s ACSC recommends implementation of the ISM’s Guidelines for System Management, specifically the System Patching controls where applicable.\r\nMost exploits utilized by the actor were publicly known and had patches or mitigations available. Organizations should ensure that security patches or mitigations are applied to internet facing infrastructure within 48 hours, and where possible, use the latest versions of software and operating systems.\r\nNetwork Segmentation\r\nNetwork segmentation can make it significantly more difficult for adversaries to locate and gain access to an organization’s sensitive data. Segment networks to limit or block lateral movement by denying traffic between computers unless required. Important servers such as Active Directory and other authentication servers should only be able to be administered from a limited number of intermediary servers or “jump servers.” These servers should be closely monitored, be well secured and limit which users and devices are able to connect to them.\r\nEven in the instances identified where lateral movement was prevented, additional network segmentation could have further limited the amount of data the actors were able to access and extract.\r\nAdditional Mitigations\r\nThe authoring agencies also recommend the following mitigations to combat APT40 and others’ use of the TTPs below.\r\nDisable unused or unnecessary network services, ports and protocols.\r\nUse well-tuned web application firewalls (WAFs) to protect web servers and applications.\r\nEnforce least privilege to limit access to servers, file shares, and other resources.\r\nUse multi-factor authentication (MFA) and managed service accounts to make credentials harder to crack and reuse. MFA should be applied to all internet accessible remote access services, including:\r\nWeb and cloud-based email;\r\nCollaboration platforms;\r\nVirtual private network connections; and\r\nRemote desktop services.\r\nReplace end-of-life equipment.\r\nMitigation Strategies/Techniques\r\nTTP: T1190 Exploitation of Public-Facing Application (Initial Access)\r\nEssential Eight Mitigation Strategies: Patch applications; Patch operating systems; Multi-factor authentication; Application control\r\nISM Controls: ISM-0140, ISM-1698, ISM-1701, ISM-1921, ISM-1876, ISM-1877, ISM-1905\r\nTTP: T1059 Command and Scripting Interpreter (Execution)\r\nEssential Eight Mitigation Strategies: Application control; Restrict Microsoft Office macros; Restrict administrative privileges\r\nISM Controls: ISM-0140, ISM-1490, ISM-1622, ISM-1623, ISM-1657, ISM-1890\r\nTTP: T1505.003 Server Software Component: Web Shell (Persistence)\r\nEssential Eight Mitigation Strategies: Application control; Restrict administrative privileges\r\nISM Controls: ISM-0140, ISM-1246, ISM-1746, ISM-1249, ISM-1250, ISM-1490, ISM-1657, ISM-1871\r\nTTP: T1078 Valid Accounts (Initial Access / Privilege Escalation / Persistence)\r\nEssential Eight Mitigation Strategies: Patch operating systems; Multi-factor authentication; Restrict administrative privileges; Application control; User application hardening\r\nISM Controls: ISM-0140, ISM-0859, ISM-1546, ISM-1504, ISM-1679\r\nFor additional general detection and mitigation advice, please consult the Mitigations and Detection sections on the MITRE ATT\u0026CK technique web page for each of the techniques identified in the MITRE ATT\u0026CK summary at the end of this advisory.\r\nReporting\r\nAustralian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories.\r\nCanadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.\r\nNew Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.\r\nUnited Kingdom organizations: report a significant cyber security incident at National Cyber Security Centre (monitored 24 hours) or, for urgent assistance, call 03000 200 973.\r\nU.S. organizations: report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office, the FBI’s 24/7 CyWatch at (855) 292-3937, or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. 
Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.\r\nMITRE ATT\u0026CK – Historical APT40 Tradecraft of Interest\r\nReconnaissance (TA0043)\r\nSearch Victim-Owned Websites [T1594]\r\nGather Victim Identity Information: Credentials [T1589.001]\r\nActive Scanning: Vulnerability Scanning [T1595.002]\r\nGather Victim Host Information [T1592]\r\nSearch Open Websites/Domains: Search Engines [T1593.002]\r\nGather Victim Network Information: Domain Properties [T1590.001]\r\nGather Victim Identity Information: Email Addresses [T1589.002]\r\nResource Development (TA0042)\r\nAcquire Infrastructure: Domains [T1583.001]\r\nAcquire Infrastructure [T1583]\r\nAcquire Infrastructure: DNS Server [T1583.002]\r\nCompromise Accounts [T1586]\r\nDevelop Capabilities: Code Signing Certificates [T1587.002]\r\nCompromise Infrastructure [T1584]\r\nDevelop Capabilities: Digital Certificates [T1587.003]\r\nDevelop Capabilities: Malware [T1587.001]\r\nObtain Capabilities: Code Signing Certificates [T1588.003]\r\nEstablish Accounts: Cloud Accounts [T1585.003]\r\nCompromise Infrastructure: Network Devices [T1584.008]\r\nObtain Capabilities: Digital Certificates [T1588.004]\r\nInitial Access (TA0001)\r\nValid Accounts [T1078]\r\nPhishing [T1566]\r\nValid Accounts: Default Accounts [T1078.001]\r\nPhishing: Spearphishing Attachment [T1566.001]\r\nValid Accounts: Domain Accounts [T1078.002]\r\nPhishing: Spearphishing Link [T1566.002]\r\nExternal Remote Services [T1133]\r\nExploit Public-Facing Application [T1190]\r\nDrive-by Compromise [T1189]\r\nExecution (TA0002)\r\nWindows Management Instrumentation [T1047]\r\nCommand and Scripting Interpreter: Python [T1059.006]\r\nScheduled Task/Job: At [T1053.002]\r\nCommand and Scripting Interpreter: JavaScript [T1059.007]\r\nScheduled Task/Job: Scheduled Task [T1053.005]\r\nNative API [T1106]\r\nCommand and Scripting Interpreter [T1059]\r\nInter-Process Communication [T1559]\r\nCommand and Scripting Interpreter: Windows Command Shell [T1059.003]\r\nSystem Services: Service Execution [T1569.002]\r\nCommand and Scripting Interpreter: PowerShell [T1059.001]\r\nExploitation for Client Execution [T1203]\r\nCommand and Scripting Interpreter: Visual Basic [T1059.005]\r\nUser Execution: Malicious File [T1204.002]\r\nCommand and Scripting Interpreter: Unix Shell [T1059.004]\r\nCommand and Scripting Interpreter: AppleScript [T1059.002]\r\nScheduled Task/Job: Cron [T1053.003]\r\nSoftware Deployment Tools [T1072]\r\nPersistence (TA0003)\r\nValid Accounts [T1078]\r\nServer Software Component: Web Shell [T1505.003]\r\nOffice Application Startup: Office Template Macros [T1137.001]\r\nCreate or Modify System Process: Windows Service [T1543.003]\r\nScheduled Task/Job: At [T1053.002]\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]\r\nScheduled Task/Job: Scheduled Task [T1053.005]\r\nBoot or Logon Autostart Execution: Shortcut Modification [T1547.009]\r\nExternal Remote Services [T1133]\r\nHijack Execution Flow: DLL Search Order Hijacking [T1574.001]\r\nScheduled Task/Job: Cron [T1053.003]\r\nHijack Execution Flow: DLL Side-Loading [T1574.002]\r\nAccount Manipulation [T1098]\r\nValid Accounts: Cloud Accounts [T1078.004]\r\nValid Accounts: Domain Accounts [T1078.002]\r\nPrivilege Escalation (TA0004)\r\nScheduled Task/Job: At [T1053.002]\r\nCreate or Modify System Process: Windows Service [T1543.003]\r\nScheduled Task/Job: Scheduled Task [T1053.005]\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]\r\nProcess Injection: Thread Execution Hijacking [T1055.003]\r\nBoot or Logon Autostart Execution: Shortcut Modification [T1547.009]\r\nProcess Injection: Process Hollowing [T1055.012]\r\nHijack Execution Flow: DLL Search Order Hijacking [T1574.001]\r\nValid Accounts: Domain Accounts [T1078.002]\r\nExploitation for Privilege Escalation [T1068]\r\nAccess Token Manipulation: Token Impersonation/Theft [T1134.001]\r\nEvent Triggered Execution: Unix Shell Configuration Modification [T1546.004]\r\nProcess Injection: Dynamic-link Library Injection [T1055.001]\r\nValid Accounts: Local Accounts [T1078.003]\r\nDefense Evasion (TA0005)\r\nRootkit [T1014]\r\nIndirect Command Execution [T1202]\r\nObfuscated Files or Information [T1027]\r\nSystem Binary Proxy Execution: Mshta [T1218.005]\r\nObfuscated Files or Information: Software Packing [T1027.002]\r\nSystem Binary Proxy Execution: Regsvr32 [T1218.010]\r\nObfuscated Files or Information: Steganography [T1027.003]\r\nSubvert Trust Controls: Code Signing [T1553.002]\r\nObfuscated Files or Information: Compile After Delivery [T1027.004]\r\nFile and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification [T1222.002]\r\nMasquerading: Match Legitimate Name or Location [T1036.005]\r\nVirtualisation/Sandbox Evasion: System Checks [T1497.001]\r\nProcess Injection: Thread Execution Hijacking [T1055.003]\r\nMasquerading [T1036]\r\nReflective Code Loading [T1620]\r\nImpair Defenses: Disable or Modify System Firewall [T1562.004]\r\nProcess Injection: Process Hollowing [T1055.012]\r\nHide Artifacts: Hidden Files and Directories [T1564.001]\r\nIndicator Removal: File Deletion [T1070.004]\r\nHide Artifacts: Hidden Window [T1564.003]\r\nIndicator Removal: Timestomp [T1070.006]\r\nHijack Execution Flow: DLL Search Order Hijacking [T1574.001]\r\nIndicator Removal: Clear Windows Event Logs [T1070.001]\r\nHijack Execution Flow: DLL Side-Loading [T1574.002]\r\nModify Registry [T1112]\r\nWeb Service [T1102]\r\nDeobfuscate/Decode Files or Information [T1140]\r\nMasquerading: Masquerade Task or Service [T1036.004]\r\nImpair Defenses [T1562]\r\nCredential Access (TA0006)\r\nOS Credential Dumping: LSASS Memory [T1003.001]\r\nUnsecured Credentials: Credentials in Files [T1552.001]\r\nOS Credential Dumping: NTDS [T1003.003]\r\nBrute Force: Password Guessing [T1110.001]\r\nNetwork Sniffing [T1040]\r\nForced Authentication [T1187]\r\nCredentials from Password Stores: Keychain [T1555.001]\r\nSteal or Forge Kerberos Tickets: Kerberoasting [T1558.003]\r\nInput Capture: Keylogging [T1056.001]\r\nMulti-Factor Authentication Interception [T1111]\r\nSteal Web Session Cookie [T1539]\r\nSteal Application Access Token [T1528]\r\nExploitation for Credential Access [T1212]\r\nBrute Force: Password Cracking [T1110.002]\r\nInput Capture: Web Portal Capture [T1056.003]\r\nOS Credential Dumping: DCSync [T1003.006]\r\nCredentials from Password Stores [T1555]\r\nCredentials from Password Stores: Credentials from Web Browsers [T1555.003]\r\nDiscovery (TA0007)\r\nSystem Service Discovery [T1007]\r\nSystem Information Discovery [T1082]\r\nApplication Window Discovery [T1010]\r\nAccount Discovery: Local Account [T1087.001]\r\nQuery Registry [T1012]\r\nFile and Directory Discovery [T1083]\r\nSystem Time Discovery [T1124]\r\nNetwork Service Discovery [T1046]\r\nSystem Owner/User Discovery [T1033]\r\nRemote System Discovery [T1018]\r\nDomain Trust Discovery [T1482]\r\nAccount Discovery: Email Account [T1087.003]\r\nAccount Discovery: Domain Account [T1087.002]\r\nSystem Network Connections Discovery [T1049]\r\nVirtualisation/Sandbox Evasion: System Checks [T1497.001]\r\nProcess Discovery [T1057]\r\nSoftware Discovery [T1518]\r\nPermission Groups Discovery: Domain Groups [T1069.002]\r\nNetwork Share Discovery [T1135]\r\nSystem Network Configuration Discovery: Internet Connection Discovery [T1016.001]\r\nLateral Movement (TA0008)\r\nRemote Services: Remote Desktop Protocol [T1021.001]\r\nRemote Services [T1021]\r\nRemote Services: SMB/Windows Admin Shares [T1021.002]\r\nUse Alternate Authentication Material: Pass the Ticket [T1550.003]\r\nRemote Services: Windows Remote Management [T1021.006]\r\nLateral Tool Transfer [T1570]\r\nCollection (TA0009)\r\nData from Local System [T1005]\r\nArchive Collected Data: Archive via Library [T1560.002]\r\nData from Network Shared Drive [T1039]\r\nEmail Collection: Remote Email Collection [T1114.002]\r\nInput Capture: Keylogging [T1056.001]\r\nClipboard Data [T1115]\r\nAutomated Collection [T1119]\r\nData from Information Repositories [T1213]\r\nInput Capture: Web Portal Capture [T1056.003]\r\nData Staged: Remote Data Staging [T1074.002]\r\nData Staged: Local Data Staging [T1074.001]\r\nArchive Collected Data [T1560]\r\nEmail Collection [T1114]\r\nExfiltration (TA0010)\r\nExfiltration Over C2 Channel [T1041]\r\nExfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [T1048.002]\r\nExfiltration Over Alternative Protocol [T1048]\r\nExfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]\r\nCommand and Control (TA0011)\r\nData Obfuscation: Protocol Impersonation [T1001.003]\r\nWeb Service: Dead Drop Resolver [T1102.001]\r\nCommonly Used Port [T1043]\r\nWeb Service: One-way Communication [T1102.003]\r\nApplication Layer Protocol: Web Protocols [T1071.001]\r\nIngress Tool Transfer [T1105]\r\nApplication Layer Protocol: File Transfer Protocols [T1071.002]\r\nProxy: Internal Proxy [T1090.001]\r\nProxy: External Proxy [T1090.002]\r\nNon-Standard Port [T1571]\r\nProxy: Multi-hop Proxy [T1090.003]\r\nProtocol Tunnelling [T1572]\r\nWeb Service: Bidirectional Communication [T1102.002]\r\nEncrypted Channel [T1573]\r\nEncrypted Channel: Asymmetric Cryptography [T1573.002]\r\nProxy [T1090]\r\nImpact (TA0040)\r\nService Stop [T1489]\r\nDisk Wipe [T1561]\r\nSystem Shutdown/Reboot [T1529]\r\nResource Hijacking [T1496]\r\nNotes\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a"
	],
	"report_names": [
		"aa24-190a"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434773,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4c3fb7ebf839c2694a88d5afaa44da3caf3552b.pdf",
		"text": "https://archive.orkl.eu/d4c3fb7ebf839c2694a88d5afaa44da3caf3552b.txt",
		"img": "https://archive.orkl.eu/d4c3fb7ebf839c2694a88d5afaa44da3caf3552b.jpg"
	}
}