Chinese APT40 hackers hijack SOHO routers to launch attacks (Security News, July 2024)
A joint advisory from international cybersecurity agencies and law enforcement warns of the tactics used by the Chinese state-sponsored APT40 hacking group, including its hijacking of small office/home office (SOHO) routers to launch cyberespionage attacks.
APT40 was previously linked to a wave of attacks on over 250,000 Microsoft Exchange servers using the ProxyLogon vulnerabilities, and to campaigns exploiting flaws in widely used software such as WinRAR.
(Figure: APT40 activity overview)
"Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) of new vulnerabilities and immediately utilise them against target networks possessing the infrastructure of the associated vulnerability," reads the joint advisory authored by Australia's ACSC. "APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies' countries, looking for opportunities to compromise its targets."
After breaching a server or networking device, the Chinese hackers deploy web shells for persistence and use Secure Socket Funnelling (SSF), an open-source tunnelling tool, to reach the compromised host. They then move laterally through the network over RDP using valid service account credentials recovered through Kerberoasting.
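The Kerberoasting step above leaves a recognisable trace in Windows Security event 4769 (a Kerberos service ticket was requested): the attacker asks for tickets to many user-owned service accounts and, where the account still allows it, requests RC4-HMAC encryption (etype 0x17) because those tickets crack far faster offline than AES ones. The detection below is an added example, not code from the advisory or the article; the event records are constructed inline (field names mirror the real 4769 event, but no real log is used), and the threshold of three distinct service accounts per requester is an assumed tuning value.

```python
"""Added example: flag Kerberoasting-style TGS requests in Windows event 4769 records.

Signal: one requester asks for RC4-HMAC (0x17) service tickets to several
distinct user-owned service accounts.  Machine accounts (names ending in '$')
and krbtgt are excluded, since TGT handling and computer-to-computer
authentication produce 4769 events that are not Kerberoasting.
"""
from collections import defaultdict

RC4_HMAC = "0x17"                       # crackable offline with the account's NT hash
TGS_REQUEST_EVENT = 4769                # "A Kerberos service ticket was requested"
DEFAULT_THRESHOLD = 3                   # assumed tuning value, not from the advisory

# Constructed sample events (not from a real domain controller).  Field names
# follow the 4769 event: TargetUserName is the requester, ServiceName the SPN owner.
SAMPLE_EVENTS = [
    # jsmith pulls RC4 tickets for four service accounts from one workstation: the classic pattern
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_http",   "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_iis",    "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    # same user, but machine account and krbtgt tickets are normal and excluded
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "WS01$",      "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "krbtgt",     "TicketEncryptionType": "0x12", "IpAddress": "10.1.2.3"},
    # ahuang uses the SQL service normally with an AES256 ticket
    {"EventID": 4769, "TargetUserName": "ahuang@CORP.LOCAL", "ServiceName": "svc_sql",    "TicketEncryptionType": "0x12", "IpAddress": "10.1.5.7"},
    # bob requests a single RC4 ticket: suspicious on its own, but below the threshold
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",    "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "IpAddress": "10.1.9.9"},
    # an unrelated event type is ignored entirely
    {"EventID": 4768, "TargetUserName": "bob@CORP.LOCAL",    "ServiceName": "krbtgt",     "TicketEncryptionType": "0x12", "IpAddress": "10.1.9.9"},
]


def is_crackable_tgs_request(event):
    """True for a 4769 event requesting an RC4 ticket to a user-owned service account."""
    if event.get("EventID") != TGS_REQUEST_EVENT:
        return False
    service = event.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return event.get("TicketEncryptionType") == RC4_HMAC


def detect_kerberoasting(events, threshold=DEFAULT_THRESHOLD):
    """Group crackable TGS requests by requester and return those at or above threshold.

    Returns {requester: sorted list of distinct service accounts requested}.
    """
    services_by_user = defaultdict(set)
    for event in events:
        if is_crackable_tgs_request(event):
            services_by_user[event["TargetUserName"]].add(event["ServiceName"])
    return {
        user: sorted(services)
        for user, services in services_by_user.items()
        if len(services) >= threshold
    }


if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

Two caveats when running this against real telemetry: legacy applications that still negotiate RC4 will generate false positives until those accounts are moved to AES, and an attacker who targets accounts with AES-only keys can request AES tickets, so the etype filter catches the common downgrade path rather than every Kerberoasting attempt. Pair it with a rate check on distinct SPNs per source host over a short window.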
The hijacked SOHO routers act as network proxies from which APT40 launches its attacks, so the malicious traffic blends in with legitimate traffic originating from the router's residential or small-business IP address.
Other Chinese APT groups are also known to use operational relay box (ORB) networks, built from hijacked end-of-life (EoL) routers and IoT devices.
Related news
- Chinese hackers use new data theft malware in govt attacks
- U.S. DoJ Indicts North Korean Hacker for Ransomware Attacks on Hospitals
- Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware
- Sitting Ducks DNS attacks let hackers hijack over 35,000 domains
- APT41 Hackers Use ShadowPad, Cobalt Strike in Taiwanese Institute Cyber Attack
- Chinese hackers compromised an ISP to deliver malicious software updates
- Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control
- Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs
- Unpatched AVTECH IP Camera Flaw Exploited by Hackers for Botnet Attacks
- Hackers Use Fake GlobalProtect VPN Software in New WikiLoader Malware Attack