TLP - The Digital Forensics Podcast
Get involved in the exciting world of Digital Forensics and Incident Response with: Traffic Light Protocol. The Digital Forensics Podcast.
In each episode, we sit down with seasoned DFIR professionals, the blueteamers who work around the clock to investigate cyber intrusions. From data breaches to cyberattacks, they share firsthand accounts of some of the most intense investigations they've ever tackled, how they deal with burnout and the added pressure of cat and mouse while they learn about new attack chains.
Episode 9 - Unmasking APT40 (Leviathan): Tactics, Challenges, and Defense Strategies
Episode Title: "Unmasking APT40: Tactics, Challenges, and Defense Strategies"
Key Takeaways:
APT40 is a sophisticated Chinese state-sponsored cyber espionage group active since 2009.
They target various sectors including academia, aerospace, defense, healthcare, and maritime industries.
APT40 uses advanced tactics such as spear phishing, watering hole attacks, and living off the land binaries (LOLBINS).
Digital forensics faces challenges in detecting APT40 due to their use of legitimate tools and anti-forensics techniques.
Effective defense against APT40 requires a comprehensive, layered security approach.
Engaging Quotes:
"APT40 represents a significant and evolving threat in the cyber landscape. Their sophisticated attacks, large scope targets and state sponsorship make them a formidable adversary." - Clint Marsden
"Defense against groups like APT40 is not about implementing a single solution. What matters is creating a comprehensive and layered security approach that can adapt to evolving threats." - Clint Marsden
Resources Mentioned:
MITRE ATT&CK Framework: https://attack.mitre.org/
Pyramid of Pain by David J. Bianco: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
NIST Computer Security Incident Handling Guide: https://csrc.nist.gov/pubs/sp/800/61/r2/final
Sysmon (System Monitor): https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Action Points:
Implement robust email security measures, including secure email gateways and employee training.
Keep all systems and software up-to-date to reduce vulnerabilities.
Use multi-factor authentication to protect against credential theft.
Implement network segmentation to limit lateral movement.
Deploy advanced endpoint detection and response (EDR) tools.
Conduct regular threat hunting exercises.
Implement data loss prevention (DLP) solutions.
Develop a comprehensive cloud security strategy.
(0:00 - 0:14)
Welcome to Traffic Light Protocol, the Digital Forensics Podcast. I'm your host, Clint Marsden. Today, I'm discussing another advanced persistent threat group with a specific focus on APT40.
(0:14 - 0:49)
Also known as TEMP.Periscope, TEMP.Jumper, Leviathan, or Bronze Mohawk, APT40 is a sophisticated cyber espionage group that's been causing significant disruption in the cybersecurity community for many years. And in this episode, we'll explore their tactics, techniques, and procedures, and discuss the digital forensics challenges they present, and examine how you can defend your organization against this threat actor. Let's begin our journey into the shadowy world of APT40.
(0:50 - 3:04)
APT40 is believed to be a Chinese state-sponsored group that's been active since around at least 2009. And intelligence reports suggest that the group likely operates under the direction of the Ministry of State Security, or the MSS. The primary focus of APT40 appears to be gathering intelligence to support China's modernization efforts, particularly in sectors like academia, aerospace and aviation, biomedical, defense industrial, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.
It's worth noting that attributing cybersecurity activities to specific groups or nations is a complex task. And while there's strong evidence linking APT40 to China, the nature of cybersecurity operations means that definitive proof is often elusive. And this challenge of attribution is something that has been tackled by many federal governments, including the Australian government, New Zealand government, the Canadian government, the UK government, and of course the United States government.
And they have come together to release this week a report on APT40. And it's with my thanks that that formed the basis of this podcast for this particular episode. Now let's get stuck into the core of the discussion today.
APT40's tactics, techniques, and procedures, or TTPs. And understanding these is what gives us as incident responders and digital forensic analysts a framework and a hypothesis to hunt and investigate and mitigate APT40's activities. Starting with initial access, APT40 relies heavily on spear phishing, and they craft highly convincing emails, often posing as trusted entities relevant to their targets.
(3:04 - 9:06)
So there's an example that they've been known to impersonate maritime or defense industry organizations when targeting companies in those industry verticals. And these emails typically contain malicious attachments or links to compromised websites. And there's an example that we've got from 2017, where APT40 targeted a UK-based engineering company, and they actually sent spear phishing emails purporting to be from a legitimate maritime institution with that email containing attachments, which were loaded with malware and the attachments were disguised as research papers.
Some more recent attacks have been reported by the Australian Signals Directorate and the Australian Cyber Security Centre, which I'll hereafter refer to as the ASD and ACSC respectively. Beginning in July 2022, an actor was able to test and exploit a custom web application running on a server in the DMZ. This server was then leveraged to enumerate both the network as well as any visible network domains, and compromised credentials were used to query the Active Directory and exfiltrate data by mounting file shares from multiple machines within the DMZ.
The actor carried out a Kerberoasting attack in order to obtain some additional network credentials from the server, and the group were not observed gaining any additional points of presence in either the DMZ or the internal network. In the second incident, the actor is believed to have used publicly known vulnerabilities to deploy web shells to the compromised appliance from 2002 or April 2022 onwards. Threat actors from the group are assessed to then have attained escalated privileges on these appliances.
The reality of these two organizations is that they were hacked in ways that could happen to anybody and do happen to anybody on a daily basis. There's a lot of technical debt out there but if you're going to start anywhere, I would suggest securing internet facing devices and servers is a great start. Let's not make it easy for them.
APT40 also employs watering hole attacks and in this technique they will compromise legitimate websites that their targets are likely to visit and then they'll inject malicious code that infects visitors. In 2018, APT40 were observed compromising the website of a prominent Asian maritime regulatory body. Once they gain a foothold, APT40 uses various persistence mechanisms and they're particularly fond of web shells which allow them to maintain access to compromised web servers and these web shells are often disguised as legitimate files and web shells are inherently difficult to detect without specialized tools.
But taking it one step further, you need to know what you're looking for and sometimes spend a bit of time doing some network analysis, particularly looking for things like beacons. C2 traffic or command and control traffic is difficult in the way that it operates because it may not be a regular occurrence. It may not be constantly pinging every 30 seconds.
Some web shells are pinging randomly. What it comes down to is doing a bit of stack analysis, so taking all of that network data, looking for anomalies. There will be results if you sort them in the thousands or tens of thousands.
These are your generally legitimate traffic. There are things that will appear much less and much less frequently. These are things that you should pull the thread on and see what you can discover.
There's an old web shell called China Chopper that was first discovered in 2010 and that has actually resurfaced in 2019. A lot of time and money goes into the development of these tools, and threat actors are following a mission or an objective just like any other business. They clock in at nine and they clock out at five and they'll take an hour for lunch.
So that means that on the other side you've got someone else who is sitting behind the keyboard and if they don't need to redo their hard work by rewriting code and changing tools to modify this signature or how they operate and how they can be detected, they will certainly not do it. And what I'm saying is if they're still using old tools, that means we can make things difficult. Following the Pyramid of Pain from David J. Bianco, tooling is still the second highest point of the pyramid with TTPs coming in closely after that.
So TTPs are at the top of the pyramid and then the next item down is tooling. When it comes to data exfiltration, APT40 is following the standard APT playbook. They will typically compress and encrypt stolen data before sending it out and that makes it harder to detect or understand what has actually been stolen.
They have been observed using custom tools for this purpose as well as leveraging legitimate cloud storage services. Things like Dropbox or Google Drive to blend in with normal network traffic and they've also been observed using rar.exe to package up the loot that they've stolen. In some cases it is possible to extract the password from memory that was used to encrypt the archive file itself or sometimes if you've got certain logging enabled, particularly with sysmon, you might actually capture it in the command line.
(9:07 - 10:43)
Setting up a hunt looking for evidence of process execution of rar.exe should find evidence of execution pretty quickly, and as I've said, process execution can be switched on easily by deploying Sysmon, and Sysmon will give you that additional insight, especially for the detection of passwords that are being used in the string if it's being run from the command line. In terms of malware and tools, APT40 employs a mix of custom and publicly available software, and they're using a combination of LOLBins, or living off the land binaries. The LOLBins that they've used, and this is just a small list, are at.exe, which is used for scheduling tasks, and bitsadmin, the Background Intelligent Transfer Service. BITS was initially developed to deliver Windows updates, but now it can be used to transfer large files using idle network bandwidth. There's a few more tools and LOLBins that APT40 are using, and I've included a full list of them in the show notes.
So with APT40 using LOLBins to evade detection, detecting and analyzing APT40's activities does present some challenges for us as investigators, so I just want to break them down. The use of legitimate tools and services can make it difficult to distinguish their activities from normal network traffic. For example, the use of cloud storage services for data exfiltration can easily go unnoticed with the detection systems that many of us are using.
(10:43 - 14:30)
So to detect this it requires eyes on screen, looking for IOCs and seeking to detect unusual patterns rather than just relying on a generic signature. One of my tips here is again using stack analysis to look for things that don't seem right. Looking for large volumes of data being transferred particularly at strange times.
In the case of APT40 with it being the group being attributed to China we'll be looking for business hours in China and then working backwards to convert that time zone and then looking for evidence of data exfil during those times. APT40 is known for their ability to quickly adapt their tactics like most advanced persistent threat groups. This means that indicators of compromise or IOCs can become outdated rapidly requiring constant updates to our detection rules.
Now I know that this goes a little bit contrary to talking about the pyramid of pain. I will counter that by saying that sometimes they might have tools that are already created and they will shift over to using those tools using those TTPs using the different network infrastructure that they've had spun up for this particular purpose. One example that I do want to provide is they have been observed changing their phishing templates and malware signatures within just a couple of days of being detected.
Those are probably two great examples of things that are quite easy to modify. Creating a different level of content for a phishing email is absolutely trivial using tools like ChatGPT or Claude, and in terms of modifying a malware signature, they can just put the malware through a crypter and essentially that will just modify the signature and make it fully undetectable until it gets burned. So this is where we need defense in depth.
It's not just for your controls, including security awareness training for staff, but also having regular threat hunts and your cyber security team being trained in forensics to identify evidence of an intrusion. While some of APT40's tools are known, they're also constantly developing new ones, and these custom tools may not be detected by standard antivirus solutions, requiring more advanced endpoint detection and response systems and custom YARA rules. The good thing is that YARA isn't hard to use, but you'll likely want to get a few samples of YARA configs just to make it quicker to get started, and a lot of security researchers and CTF competitions will generate YARA configs which can help you out here.
APT40 has been known to employ various anti-forensics techniques to cover their tracks and this includes clearing log files which under Windows you'll see as Event ID 1102 and also using fileless malware that operates entirely in memory which is why it's so important to get a memory dump from compromised systems. APT40's use of encryption for both command and control or C2 communication and data exfil can make it quite challenging to understand the scope and the nature of an attack even if it's detected. What you can see though is the source and destination IP and if you've got NetFlow enabled you also get to see the amount of bytes transferred.
I love this as an indicator because it's such a good way to identify evidence of data exfiltration. So yes it's true they are advanced that doesn't mean that they're impossible to detect and defend against though and all this means is that we need to employ a range of advanced techniques in response. This includes getting prepared for incidents like what we talked about in the NIST computer incident handling series.
(14:30 - 18:20)
So if you haven't listened to those already, take a look; there's five episodes of the podcast that talk about incident handling end-to-end. There's a part two for episode three which is just a short one, it's only about 10 to 15 minutes, and I probably say Sysmon about 20 times in those podcasts and this one, and if you haven't deployed it yet, take a look. As I said before, deploying Sysmon will give you that evidence of process execution, and in the instance of rar.exe being used at the command line, it can be used to identify the encryption password for the RAR archive, which will give you an opportunity to then extract what has been zipped up for exfil and will assist you in reporting what has been stolen.
Once we're prepared we've got an IR plan we've got our tools we've got forensic lab set up and we've got our checklist of evidence to acquire. When you do detect an intrusion and chances are you won't immediately suspect it's APT40 just go ahead and follow your incident response plan. Kick off memory forensics to detect fileless malware perform network traffic analysis to identify unusual patterns even in encrypted traffic and the use of threat intelligence feeds from a trusted threat intelligence partner is also helpful to stay updated on the latest APT tactics.
So now that we understand the threat that APT40 poses and the challenges in detecting their activities let's discuss how you can defend against them. Let's start off with email security given APT40's reliance on spear phishing using something like a secure email gateway and implementing security awareness training for your employees is absolutely critical. Employees should know what to do when they receive a suspicious email and then also how to report that to the cyber team or the IT team so that that can be remediated then essentially what needs to happen is when an email is reported you then need to sweep the entire organization pull that email from mailboxes so that no one else can click on it and then block the domain.
As APT40 often exploits known vulnerabilities keeping all systems and software up to date can significantly reduce the attack surface so if you're not assessing your attack surface you're really flying blind. You really want to make sure you're using a vulnerability scanner across the environment and at minimum on your servers and critical infrastructure. This takes us to multi-factor authentication this can protect against the use of stolen credentials which make it harder for APT40 to gain that initial foothold into your network.
Network segmentation. So by dividing the network into smaller isolated segments you can limit an attacker's ability to move laterally and to access critical assets. I think we're probably due for a podcast on zero trust but doing something like using network segmentation is a good start and just here's a quick one.
Have you considered using a separate wireless and wired network segment, and then for wireless even enforcing wireless client isolation? That will separate the individual wireless clients from each other so that they can't attack each other as well. So if someone does get access to the wireless network, it really restricts that ability for them to attack legitimate hosts that are using Wi-Fi. Using an advanced endpoint detection and response tool, or EDR, can help detect and respond to the type of sophisticated malware that's used by APT40, and having an EDR in place allows you to easily pull forensic artifacts down, and then you can sweep for evidence of compromise, looking for file hashes and also evidence of execution and basically everything else that's on the SANS red and blue posters.
(18:21 - 19:53)
Implementing DLP can help identify and prevent the exfiltration of sensitive data and that's a key goal of APT40's operations and given APT40's use of cloud services for exfiltration having a cloud security strategy in place is incredibly important and I don't think I could cover a cloud security strategy in a month's worth of podcasts. It's a beast but I wanted to call it out and give it some attention. Proactive threat hunting can help identify APT40's activities that might have slipped past other security controls so performing regular threat hunts will not necessarily detect an attack in progress but it can help in shutting the door if there's a draft.
Time is set for six minutes anyone? We've got to remember that defense against groups like APT40 is not about implementing a single solution. What matters is creating a comprehensive and layered security approach that can adapt to evolving threats. As we've explored today, APT40 represents a significant and evolving threat in the cyber landscape.
Their sophisticated attacks, large scope targets and state sponsorship make them a formidable adversary. For digital forensics analysts and incident responders APT40 presents both a challenge and an opportunity. It's a challenge in terms of the sophisticated techniques that are required to detect and analyze their activities but it's also an opportunity to further our knowledge and hopefully detect the intrusion before the attacker can reach their objectives.
(19:54 - 20:25)
Thank you for listening today. I hope you got a lot out of this podcast and I've got a huge chunk of show notes for you for this one including a spreadsheet from MITRE ATT&CK where I've provided tangible artifacts that you can hunt for based on the Leviathan TTPs. I'm also really interested in your feedback.
Did you get anything out of today's episode? What would you like to hear more of? Feel free to message me on LinkedIn through the show page for TLP the Digital Forensics Podcast. I'll include a link to the page in the show notes. I'm your host of TLP Clint Marsden.
Bye for now.