A months-long malicious campaign targeting multiple US government agencies has once again exposed the sophistication and stubborn persistence of APT41, a China-backed threat actor associated with numerous cyber espionage campaigns in recent years.
Mandiant researchers first spotted the campaign while responding to an APT41 intrusion on a US state government network in May 2021. Since then, the security vendor has identified at least six instances in which the threat actor compromised a state government network by exploiting web application vulnerabilities in its environment.
In three of the compromises, APT41 exploited a zero-day flaw in USAHerds, an off-the-shelf livestock tracking application that some 18 state governments currently use. Two other compromises involved an exploit for the well-known Apache Log4j vulnerability disclosed in December 2021. The attacks against the Log4j vulnerability (CVE-2021-44228) occurred just two days after the Apache Foundation disclosed it, showing the speed with which APT41 is able to take advantage of new flaws.
Persistent and targeted
A notable aspect of the attacks is their persistence and targeting, according to Mandiant. Unlike many APT41 attacks that involve mass scanning for exploitable vulnerabilities, the compromises observed by Mandiant between May 2021 and February 2022 appeared to be specific and targeted. In a few instances where Mandiant detected and contained APT41 activity, the threat actor regained network access, this time by exploiting the zero-day vulnerability (CVE-2021-44207) in the USAHerds application.
Similarly, in late February 2022, Mandiant discovered that the threat actor had once again compromised the networks of two state agencies it had previously infiltrated and from which it had been evicted.
Although Mandiant observed APT41 performing thorough reconnaissance and credential gathering after gaining initial access to a target network, the security vendor said it was unable to identify the threat actor’s broader motives for the campaign. However, the campaign showed that APT41 used new malware variants, techniques, and obfuscation and evasion capabilities, Mandiant said in a report this week. The report says APT41’s new campaign represents relentless attempts to gain access to state government systems in the United States.
APT41 has incorporated several new tactics, techniques and procedures into its latest campaign, says Van Ta, Senior Threat Analyst, Advanced Practices, at Mandiant. This includes the rapid adoption of new attack vectors such as the Log4j zero-day and the deployment of a Linux port of KEYPLUG, a modular command-and-control backdoor, Ta says. The threat actor has also changed its techniques to remain stealthy on compromised networks, he says, for example by increasing its use of legitimate web services to obfuscate malware communications.
Ta also pointed to APT41’s use of a passive backdoor called LOWKEY as an example of how the threat actor tailored its malware to victim environments in the latest campaign. The backdoor is designed to listen for incoming connections that match a specific pattern, one that blends in with normal web traffic in the target environment, he says.
Similarity to a Microsoft Exchange Server Flaw
Mandiant described the vulnerability in USAHerds (CVE-2021-44207) as similar to a previously disclosed privilege escalation bug in Microsoft Exchange Server (CVE-2020-0688) that gave attackers a way to remotely execute malicious code on vulnerable systems. Like the Microsoft vulnerability, the USAHerds vulnerability also involved a default static “machineKey”.
“The machineKey is a .NET element that contains encryption keys used for secure communication between the .NET client and server,” Ta explains. “With access to these keys, APT41 was able to manipulate any USAHerds server with the same configuration to run their code.”
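A defender-side check for the weakness described above, written here as an added example (it is not Mandiant’s code or the USAHerds vendor’s): it parses an ASP.NET web.config, flags a machineKey whose validationKey or decryptionKey is a hard-coded static value instead of AutoGenerate, and places the weak setting beside the corrected one. Both config documents are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config shipping a hard-coded (static) machineKey.
# Every installation built from this file shares the same keys, which is the
# weakness described above for CVE-2020-0688 and for USAHerds (CVE-2021-44207).
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Corrected setting: let the runtime generate keys per machine and per app.
# (A web farm needs matching keys across nodes, but they must be unique to
# that deployment and kept out of the product's default configuration.)
FIXED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def find_static_machine_keys(config_xml: str) -> list[str]:
    """Return one finding per machineKey attribute that holds a static key.

    A key is treated as static unless its value starts with 'AutoGenerate',
    which is the only value the ASP.NET runtime regenerates itself.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append(f"{attr} is a static {len(value)}-character value; "
                                "every deployment sharing this web.config shares it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("fixed", FIXED_WEB_CONFIG)):
        print(name, find_static_machine_keys(cfg) or ["no static machineKey found"])
```

Run it against a deployed web.config (or the vendor’s default one) to see whether the application ships keys that every customer shares.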
Ta says that APT41 used the USAHerds application vulnerability to gain a foothold in multiple environments. “After establishing a gateway, we observed APT41 pivot to other parts of the network,” he says.
APT41, also known as Winnti, Barium, Wicked Panda, and Wicked Spider, is a prolific threat actor that the US government and others have described as having ties to China’s Ministry of State Security and the government in Beijing. The group, which some security vendors have described as the most active China-based actor, has been linked to dozens of cyber intrusions, including ransomware attacks, cyber espionage and cryptojacking campaigns against government and private organizations in 100 countries.
In September 2020, the US government indicted five members of the group for their alleged involvement in a wide range of cyberattacks against more than 100 organizations. Among those charged were the operators of a Chengdu, China-based company called Chengdu 404 Network Technology, which US prosecutors say was responsible for breaking into software vendors’ systems and using them to distribute malware. At the time, several security experts noted how the US indictments — against individuals in China — were unlikely to deter APT41.
“APT41’s operational tempo remains unchanged after the US DoJ indictment in 2020,” Ta said. “Our research details a deliberate campaign against state governments, but their methods of exploitation are effective across a broad set of web applications and industries, regardless of location.” The group has focused on US states, but that could quickly change to a different target using the same techniques, he warns.
Daxin Cyber Spy Tool
APT41 is one of many China-based groups that have targeted organizations in the United States and elsewhere in a wave of attacks ranging from theft of trade secrets and proprietary data to espionage, ransomware and other attacks for financial gain. Many of these attacks have involved a high degree of complexity and sophistication. Just this week, Symantec released the first part of a comprehensive two-part analysis of Daxin, a cyber espionage tool used by China-based actors that the security vendor described as the most sophisticated it had ever seen from that country.
Dick O’Brien, editor on the Symantec Threat Intelligence team, says the company’s researchers have found a link between the malware and a group called Slug or Owlproxy. What makes the malware particularly troubling is its ability to communicate stealthily by hiding in legitimate traffic, and its design for penetrating highly secured networks that have no direct internet connection and exfiltrating data from them.
“Deep penetration is facilitated by Daxin’s ability to create a peer-to-peer network of infected computer nodes,” O’Brien said. The malware allows attackers to create a chain of nodes from computers on a secure network to the less secure main network and then back across the internet to the attackers. He adds, “The ability to penetrate deep into secure networks with stealth communication capability is a pretty powerful combination.”