Sunday, October 20, 2024

Chinese spies exploit vulnerable home office equipment for cyber attacks.

An international alert issued by the Five Eyes allied cyber agencies revealed that the China-backed APT40 has been actively targeting new victims by exploiting vulnerabilities in small office and home office (SoHo) networking devices. These devices serve as a staging post for command and control (C2) activity during attacks.

The Australian Cyber Security Centre (ACSC) highlighted APT40’s repeated targeting of networks via compromised SoHo devices. These devices are considered easier targets than their large enterprise equivalents because they are often end-of-life or unpatched.

APT40 has also been known to use procured or leased infrastructure for victim-facing C2 activities, although this practice appears to be declining. The group’s tradecraft continues to evolve, with a focus on covert operations that challenge network defenders.

Despite efforts to remediate attacks, APT40 remains a notable threat with advanced capabilities and a history of targeting various sectors. To mitigate an APT40 intrusion, security teams are advised to maintain up-to-date logging, apply patches promptly, and implement network segmentation. Other measures include disabling unnecessary network services, enforcing least privilege policies, and implementing multifactor authentication.