Security News > 2024 > July > Chinese APT40 hackers hijack SOHO routers to launch attacks

A joint advisory from international cybersecurity agencies and law enforcement warns of the tactics used by the Chinese state-sponsored APT 40 hacking group and their hijacking of SOHO routers to launch cyberespionage attacks.

Previously, APT40 was linked to a wave of attacks targeting over 250,000 Microsoft Exchange servers using the ProxyLogon vulnerabilities and campaigns involving exploiting flaws in widely used software, such as WinRAR. APT40 activity overview.

"Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) of new vulnerabilities and immediately utilise them against target networks possessing the infrastructure of the associated vulnerability," reads the joint advisory authored by Australia's ACSC. "APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies' countries, looking for opportunities to compromise its targets."

After breaching a server or networking device, the Chinese hackers deploy web shells for persistence using Secure Socket Funnelling and then use valid credentials captured via Kerberoasting along with RDP for lateral movement through a network.

These hijacked devices act as network proxies used by APT40 to launch attacks while blending in with legitimate traffic originating from the hijacked router.

Other Chinese APT groups are also known to utilize operational relay box networks, which are made up of hijacked EoL routers and IoT devices.

News URL

https://www.bleepingcomputer.com/news/security/chinese-apt40-hackers-hijack-soho-routers-to-launch-attacks/