
[ Intelligence ] People’s Republic of China Ministry of State Security Tradecraft in Action – TLP: CLEAR



 

Yesterday, CISA, in partnership with Australia and other U.S. and international partners, released a joint cyber advisory, People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action, that outlines the activity and tradecraft of a state-sponsored cyber group associated with the PRC Ministry of State Security (MSS). The advisory is based on current, shared assessments of advanced persistent threat group APT 40 and on recent incident response investigations by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD ACSC).

 

To help cybersecurity practitioners identify, prevent, and remediate APT 40 intrusions against their own networks, the advisory provides a couple of significant case studies of this adversary’s malicious activity against victim networks. Drawn from ACSC’s incident response, each case study provides findings on the access that was compromised, the victim’s impacted internal hosts, the investigation timeline, and the specific tactics, techniques, and procedures (TTPs) used by APT 40.

 

Recommended mitigations to reduce the risk of compromise by similar activity include maintaining comprehensive and historical logging information, prioritizing patching for all internet-exposed devices and services, and segmenting networks to limit or block lateral movement. Additional mitigations to combat APT 40 and other malicious actors’ use of the TTPs in this advisory include:

  • Disable unused or unnecessary network services, ports and protocols. 
  • Use well-tuned web application firewalls to protect web servers and applications.
  • Enforce least privilege to limit access to servers, file shares, and other resources. 
  • Replace end-of-life equipment. 
  • Use multi-factor authentication and managed service accounts to make credentials harder to crack and reuse. 

 

Software vendors are urged to incorporate secure by design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers. 

 

All cybersecurity practitioners are encouraged to review the joint advisory and apply recommended mitigations.

 

 

Multi-State Information Sharing and Analysis Center (MS-ISAC)

Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)

31 Tech Valley Drive

East Greenbush, NY 12061

 

24×7 Security Operations Center

SOC@cisecurity.org – 1-866-787-4722

                 

 

TLP: CLEAR

https://www.cisa.gov/tlp

Information may be distributed without restriction, subject to standard copyright rules.

 


 

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

 
