20240710003-CISA-Releases-APT40-Advisory (#859)
* 20240510001-F5-Security-Advisory-Addresses-Multiple-Vulnerabilities

* Format markdown docs

* 20240419003-PuTTY-vulnerability

* Format markdown docs

* 20240117006-Citrix-Critical-Security-Advisory

* Format markdown docs

* 20240117006-Citrix-Critical-Security-Advisory

* Format markdown docs

* 20240514002-Android-Security-Advisory-May-2024

* Format markdown docs

* 20240515004-Adobe-Products-Arbitrary-Code-Execution-Multiple-Vulnerabilities

* Format markdown docs

* 20240515004-Adobe-Products-Arbitrary-Code-Execution-Multiple-Vulnerabilities

* Format markdown docs

* [May 2024 Security Updates](https://msrc.microsoft.com/update-guide/releaseNote/2024-May)

* Format markdown docs

* Next.js Vulnerabilities - 20240513002

* 20240517004-Google-Chrome-Arbitrary-Code-Execution-Vulnerabilities

* Format markdown docs

* 20240514001-Chromium-Visuals-update

* Format markdown docs

* Apple Security Updates for Multiple Products - 20240515001

* 20240517004-Google-Chrome-Arbitrary-Code-Execution-Vulnerabilities

* Format markdown docs

* 20240517004-Google-Chrome-Arbitrary-Code-Execution-Vulnerabilities

* Format markdown docs

* 20240524001-WinRAR-Text-Vulnerability

* Format markdown docs

* 20240527001-Google-Chrome-ZeroDay

* Format markdown docs

* 20240604005-SnowFlake-Cyber-Threat-Activity-Targeting-Customer-Accounts

* Format markdown docs

* 20240604004-SnowFlake-Cyber-Threat-Activity-Targeting-Customer-Accounts

* 20240606001-Google-Cloud-Platform(GCP)-Privilege-Escalation-Vulnerability

* Format markdown docs

* 20240702001-OpenSSH-Critical-Advisory

* Format markdown docs

* 20240710003-CISA-Releases-APT40-Advisory

* 20240710003-CISA-Releases-APT40-Advisory

* 20240710003-CISA-Releases-APT40-Advisory

* 20240710003-CISA-Releases-APT40-Advisory

* Format markdown docs

---------

Co-authored-by: TWangmo <TWangmo@users.noreply.github.com>
Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com>
Co-authored-by: Adon Metcalfe <adon.metcalfe@dpc.wa.gov.au>
Co-authored-by: adonm <adonm@users.noreply.github.com>
5 people committed Jul 10, 2024
1 parent fefb6b0 commit 01eee6d
Showing 1 changed file with 26 additions and 0 deletions.
26 changes: 26 additions & 0 deletions docs/advisories/20240710003-CISA-Releases-APT40-Advisory.md
@@ -0,0 +1,26 @@
# CISA Releases APT40 Advisory - 20240710003

## Overview

CISA in collaboration with the ASD's ACSC and other authoring agencies has released an advisory on [People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a) outlining a PRC state-sponsored cyber group's activity.

The Advisory is based on a shared understanding of the threat by the PRC state-sponsored cyber group, which has previously targeted organisations in various countries, including Australia and the United States. An assessment made on the group conducting malicious cyber operations for the PRC Ministry of State Security (MSS) appeared overlapping with the group tracked as Advanced Persistent Threat (APT) 40, Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting. This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department.

It is believed that the techniques used by the APT 40, possesses the ability to quickly transform and adapt vulnerability proofs of concept (POCs) for targeting, reconnaissance, and exploitation operations.

## What is vulnerable?

APT 40 identifies new exploits within widely used public software such as Log4J, Atlassian Confluence and Microsoft Exchange to target the infrastructure of the associated vulnerability, which globally still remains as a threat to various countries' networks as well.

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):

Organizations and software manufacturers are all encouraged to review the advisory to help identify, prevent, and remediate APT 40 intrusions. Software vendors are also urged to incorporate [Secure by Design](https://www.cisa.gov/securebydesign) principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of the products for the customers.

- [CISA Alerts](https://www.cisa.gov/news-events/alerts/2024/07/08/cisa-and-partners-join-asds-acsc-release-advisory-prc-state-sponsored-group-apt-40)
- [ASD ACSC Alert and Advisory](https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/apt40-advisory-prc-mss-tradecraft-in-action)
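Review bot: the first sentence of the Recommendation section is the WA SOC patch-management template ("apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...*") and does not fit this advisory: it ends in a colon with no list following, it leaves "one month..." trailing off, and the advisory concerns a threat group rather than a single product patch, so there are no "affected devices" to point at. Suggest either dropping it or turning it into a complete sentence that uses the software already named under "What is vulnerable?", for example "The WA SOC recommends that administrators prioritise patching widely used public software this group is known to exploit (Log4J, Atlassian Confluence, Microsoft Exchange) within the one-month timeframe in [Patch Management](../guidelines/patch-management.md) and review the advisory's mitigations." Two grammar points in the Overview: "It is believed that the techniques used by the APT 40, possesses the ability to quickly transform and adapt vulnerability proofs of concept (POCs)" makes the techniques rather than the group the subject, so read "APT 40 is assessed to be able to rapidly transform and adapt vulnerability proofs of concept (POCs) for targeting, reconnaissance, and exploitation operations"; and "An assessment made on the group conducting malicious cyber operations for the PRC Ministry of State Security (MSS) appeared overlapping with the group tracked as" should read "The group conducting malicious cyber operations for the PRC Ministry of State Security (MSS) is assessed to overlap with the group tracked as". Under "What is vulnerable?", "identifies new exploits within widely used public software ... to target the infrastructure of the associated vulnerability" is muddled and repeats the POC point above; state the one claim plainly (the group rapidly exploits newly disclosed vulnerabilities in widely used public software, with Log4J, Atlassian Confluence and Microsoft Exchange as examples) and drop "which globally still remains as a threat to various countries' networks as well". Also normalise "APT 40" in the body to "APT40" as used in the title and the CISA advisory name.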
