Security News > 2024 > July > Chinese APT40 hackers hijack SOHO routers to launch attacks
A joint advisory from international cybersecurity agencies and law enforcement warns of the tactics used by the Chinese state-sponsored APT 40 hacking group and their hijacking of SOHO routers to launch cyberespionage attacks.
Previously, APT40 was linked to a wave of attacks targeting over 250,000 Microsoft Exchange servers using the ProxyLogon vulnerabilities and campaigns involving exploiting flaws in widely used software, such as WinRAR. APT40 activity overview.
"Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) of new vulnerabilities and immediately utilise them against target networks possessing the infrastructure of the associated vulnerability," reads the joint advisory authored by Australia's ACSC. "APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies' countries, looking for opportunities to compromise its targets."
After breaching a server or networking device, the Chinese hackers deploy web shells for persistence using Secure Socket Funnelling and then use valid credentials captured via Kerberoasting along with RDP for lateral movement through a network.
These hijacked devices act as network proxies used by APT40 to launch attacks while blending in with legitimate traffic originating from the hijacked router.
Other Chinese APT groups are also known to utilize operational relay box networks, which are made up of hijacked EoL routers and IoT devices.
News URL
Related news
- Mysterious Cyber Attack Took Down 600,000+ Routers in the U.S. (source)
- Hackers Use MS Excel Macro to Launch Multi-Stage Malware Attack in Ukraine (source)
- Chinese hackers breached 20,000 FortiGate systems worldwide (source)
- 20,000 FortiGate appliances compromised by Chinese hackers (source)
- Pakistani Hackers Use DISGOMOJI Malware in Indian Government Cyber Attacks (source)
- Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign (source)
- Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware (source)
- Chinese Cyberspies Employ Ransomware in Attacks for Diversion (source)
- Hackers exploit critical D-Link DIR-859 router flaw to steal passwords (source)
- Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware (source)