CISA Alerts: July 8, 2024 – CISA & ASD’s ACSC Release Joint Advisory on PRC APT40 Tradecraft in Action

CISA and Partners Join ASD’s ACSC to Release Advisory on PRC State-Sponsored Group APT40

How are Vulnerabilities Rated?

The vulnerabilities listed below are identified using the Common Vulnerabilities and Exposures (CVE) naming standard and are organized by severity, as determined by the Common Vulnerability Scoring System (CVSS) standard. The high, medium, and low severity bands correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

The Cybersecurity and Infrastructure Security Agency (CISA) has partnered with the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) to issue an advisory: People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action.

These organizations also collaborated with ASD's ACSC:

  • The National Security Agency (NSA)
  • The Federal Bureau of Investigation (FBI)
  • The United Kingdom’s National Cyber Security Centre (NCSC-UK)
  • The Canadian Centre for Cyber Security (CCCS)
  • The New Zealand National Cyber Security Centre (NCSC-NZ)
  • The German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV)
  • The Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC)
  • Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA)

The advisory is based on current ACSC-led incident response investigations and shared understanding of a PRC state-sponsored cyber group, APT40—also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk. APT40 has previously targeted organizations in various countries, including Australia and the United States.

APT40 is known for its ability to quickly adapt and transform exploit proofs-of-concept (POCs) for new vulnerabilities, deploying them immediately against targeted networks with the relevant infrastructure. The group consistently performs reconnaissance on networks of interest, including those within the countries of the authoring agencies, seeking opportunities for compromise. This ongoing reconnaissance enables APT40 to detect vulnerable, end-of-life, or unmaintained devices on these networks and swiftly execute exploits. The group has successfully exploited vulnerabilities dating back to 2017.

In a published case study, ASD’s ACSC investigators stated:

“In mid-August 2022, the ASD’s ACSC notified the organization that a confirmed malicious IP believed to be affiliated with a state-sponsored cyber group had interacted with the organization’s computer networks between at least July and August. The compromised device probably belonged to a small business or home user.”

APT40 rapidly adopts exploits for newly disclosed vulnerabilities in widely used public software and uses them against infrastructure running the affected products, including the following:

Vendor/Product: Apache Log4j

Description: 

Remote Code Execution Vulnerability

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 

Impact: 

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Source: CVE-2021-44228

Max Severity: Critical

CVSS Score: 10.0

Mitigation:

For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.

Vendor/Product: Atlassian Confluence Server and Data Center

Description: 

Object Graph Navigation Language (OGNL) Injection Vulnerability

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Impact: 

An OGNL injection vulnerability exists that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.

Source: CVE-2021-26084

Max Severity: Critical

CVSS Score: 9.8

Mitigation:

Apply updates per vendor instructions.
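The Log4j and Confluence entries above both describe their exposure as a set of version ranges, so the practical first step for a defender is checking an asset inventory against exactly those ranges. The following is an added example (not code from the advisory or from either vendor) that encodes the ranges as the page quotes them for CVE-2021-44228 and CVE-2021-26084; the `host,product,version` inventory format and the hostnames are constructed for illustration.

```python
import re

_VER_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.]?(alpha|beta|rc)(\d*))?$", re.I)

def parse_version(v):
    """'2.0-beta9' -> (2, 0, 0, 0, 9): pre-releases get 0 in slot 4 so they sort before the release."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch = (int(x or 0) for x in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1, int(m.group(5) or 0))

# Security releases that the CVE-2021-44228 text excludes from the affected range.
LOG4J_SECURITY_RELEASES = {"2.12.2", "2.12.3", "2.3.1"}

def log4j_44228_status(version):
    """Remediation status of a log4j-core version under CVE-2021-44228, per the advisory text."""
    if version in LOG4J_SECURITY_RELEASES:
        return "not affected (security release)"
    v = parse_version(version)
    if v < parse_version("2.0-beta9") or v > parse_version("2.15.0"):
        return "not affected"
    if v == parse_version("2.15.0"):
        return "lookups disabled by default; still update to 2.16.0 or later"
    return "AFFECTED: apply update or remove the asset from the network"

# (start inclusive, end exclusive) pairs from the CVE-2021-26084 description.
CONFLUENCE_26084_RANGES = [
    ("0", "6.13.23"), ("6.14.0", "7.4.11"), ("7.5.0", "7.11.6"), ("7.12.0", "7.12.5"),
]

def confluence_26084_affected(version):
    """True when a Confluence Server/Data Center version falls inside an affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in CONFLUENCE_26084_RANGES)

def scan_inventory(lines):
    """Inventory lines 'host,product,version' -> (host, product, version, status) tuples."""
    findings = []
    for line in lines:
        host, product, version = (f.strip() for f in line.split(","))
        if product == "log4j-core":
            findings.append((host, product, version, log4j_44228_status(version)))
        elif product == "confluence":
            status = "AFFECTED" if confluence_26084_affected(version) else "not affected"
            findings.append((host, product, version, status))
    return findings

# Constructed sample inventory (hostnames are placeholders, not real assets).
SAMPLE_INVENTORY = ["web1,log4j-core,2.14.1", "web2,log4j-core,2.12.2",
                    "wiki1,confluence,7.12.4", "wiki2,confluence,7.13.0"]
```

Running `scan_inventory(SAMPLE_INVENTORY)` flags web1 and wiki1 as affected, marks web2 as a security release, and clears wiki2; any log4j-core version in the 2.0-beta9 to 2.15.0 span not explicitly excluded by the CVE text is reported as affected, which matches the advisory's remediation guidance of update-or-remove.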

Vendor/Product: Microsoft Exchange

Description: 

Microsoft Exchange Server Security Feature Bypass Vulnerability

This vulnerability in Microsoft Exchange Server allows an attacker to bypass authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By exploiting it, an attacker can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 CU23 versions before 15.0.1497.15, Exchange 2016 CU19 versions before 15.1.2176.12, Exchange 2016 CU20 versions before 15.1.2242.5, Exchange 2019 CU8 versions before 15.2.792.13, and Exchange 2019 CU9 versions before 15.2.858.9.

Impact: 

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the handling of mailbox export. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.

Source: CVE-2021-31207

Max Severity: High

CVSS Score: 7.2

Mitigation:

Microsoft has issued an update to correct this vulnerability. More details can be found at:
https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-31207

Vendor/Product: Microsoft Exchange

Description: 

Microsoft Exchange Server Remote Code Execution Vulnerability

This vulnerability in Microsoft Exchange Server allows an attacker to bypass authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By exploiting it, an attacker can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 CU23 versions before 15.0.1497.15, Exchange 2016 CU19 versions before 15.1.2176.12, Exchange 2016 CU20 versions before 15.1.2242.5, Exchange 2019 CU8 versions before 15.2.792.13, and Exchange 2019 CU9 versions before 15.2.858.9.

Impact: 

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Autodiscover service. The issue results from the lack of proper validation of URI prior to accessing resources. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM.

Source: CVE-2021-34473

Max Severity: Critical

CVSS Score: 9.8

Mitigation:

Microsoft has issued an update to correct this vulnerability. More details can be found at:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473

Vendor/Product: Microsoft Exchange

Description: 

Microsoft Exchange Server Elevation of Privilege Vulnerability

This vulnerability in Microsoft Exchange Server allows an attacker to bypass authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By exploiting it, an attacker can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 CU23 versions before 15.0.1497.15, Exchange 2016 CU19 versions before 15.1.2176.12, Exchange 2016 CU20 versions before 15.1.2242.5, Exchange 2019 CU8 versions before 15.2.792.13, and Exchange 2019 CU9 versions before 15.2.858.9.

Impact: 

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the PowerShell service. The issue results from the lack of proper validation of an access token prior to executing the Exchange PowerShell command. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM.

Source: CVE-2021-34523

Max Severity: Critical

CVSS Score: 9.8

Mitigation:

Microsoft has issued an update to correct this vulnerability. More details can be found at:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523

If you suspect you may have a vulnerability that you need help to mitigate, the cybersecurity team Spry Squared is standing by.