“Typically, after successful initial access, APT40 focuses on establishing persistence to maintain access to the victim’s environment,” the advisory said. “However, since persistence occurs early in an intrusion, it is likely to be observed in all intrusions regardless of the extent of compromise or further actions taken.”
A concerning trend identified in the advisory is APT40’s increasing use of vulnerable devices, including small office/home office (SOHO) devices, as “work infrastructure and last-hop redirectors” from which to launch attacks.
These devices, often unpatched and outdated, provide a vulnerable entry point for the group. By compromising SOHO devices, APT40 can mask its activity within legitimate traffic, making detection more challenging for defenders.