Threat Signal Report
APT41 Compromised Six U.S. State Government Networks
FortiGuard Labs is aware of a report that threat actor APT41 compromised at least six networks belonging to U.S. state governments between May 2021 and February 2022. To gain a foothold into the victim's network, the threat actor used a number of different attack vectors: exploiting vulnerable Internet facing web applications and directory traversal vulnerabilities, performing SQL injection, and conducting de-serialization attacks. The intent of APT41 appears to be reconnaissance, though how the stolen information is to be used has not yet been determined.
Why is this Significant?
This is significant because at least six U.S. state government systems were broken into and data exfiltration was performed by APT41 as recent as February 2022 In addition, a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as Log4j (CVE-2021-44228), among others, were exploited in the attacks
What's the Detail of the Attack?
APT41 performed several different ways to break into the targeted networks.
In one case, the group exploited a SQL injection vulnerability in a Internet-facing web application. In another case, a then previously unknown vulnerability (CVE-2021-44207) in USAHerds, which is a web application used by agriculture officials to manage animal disease control and prevention, livestock identification and movement. Also, APT41 reportedly started to exploit the infamous Log4j vulnerability (CVE-2021-44228) within hours of Proof-of-Concept (PoC) code becoming available. Patches for both vulnerabilities are available.
Once successful in breaking into the victim's network, the threat actor performed reconnaissance and credential harvesting activities.
What is APT41?
APT41 is a threat actor who has been active since at least 2012. Also known as TA415, Double Dragon, Barium, GREF and WickedPanda, the group reportedly performs Chinese state-sponsored espionage activities. APT41 targets organizations in multiple countries across a wide range of industries, such as telecommunications, industrial and engineering and think tanks. In 2020, five alleged members of the group were charged by the U.S. Justice Department for hacking more than 100 companies in the United States.
What are the Tools Used by APT41?
APT41 is known to use the following tools:
ASPXSpy - web shell backdoor
BITSAdmin - PowerShell cmdlets for creating and managing file transfers.
BLACKCOFFEE - backdoor that disguise its communications as benign traffic to legitimate websites
certutil - command-line utility tool used for manipulating certification authority (CA) data and components.
China Chopper - web shell backdoor that allows attacker to have remote access to an enterprise network
Cobalt Strike - a commercial penetration testing tool, which allows users to perform a wide range of activities
Derusbi - DLL backdoor
Empire - PowerShell post-exploitation agent, which provides a wide range of attack activities to users
gh0st RAT - Remote Access Trojan (RAT)
MESSAGETAP - data mining malware
Mimikatz - open-source credential dumper
njRAT - Remote Access Trojan (RAT)
PlugX - Remote Access Trojan (RAT)
PowerSploit - open-source, offensive security framework which allows users to perform a wide range of activities
ROCKBOOT - Bootkit
ShadowPad - backdoor
Winnti for Linux - Remote Access Trojan (RAT) for Linux
ZxShell - Remote Access Trojan (RAT)
Badpotato - open-source tool that allows elevate user rights towards System rights
DustPan - shellcode loader. aka StealthVector
DEADEYE - downloader
LOWKEY - backdoor
Keyplug - backdoor
What are Other Vulnerabilities Known to be Exploited by APT41?
APT41 exploited the following, but not restricted to, these vulnerabilities in the past:
CVE-2020-10189 (ManageEngine Desktop Central remote code execution vulnerability)
CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance)
CVE-2019-3396 (Atlassian Confluence Widget Connector Macro Velocity Template Injection)
CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability)
CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows)
CVE-2015-1641 (Microsoft Office Memory Corruption Vulnerability)
CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability)
Are Patches Available for those Vulnerabilities?
Yes, patches are available for the vulnerabilities.
What is the Status of Coverage?
FortiGuard Labs has the following AV signature in place for this issue as:
FortiGuard Labs provide the following IPS coverage against vulnerabilities exploited by APT41:
Apache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-4104 CVE-2021-45046 CVE-2021-44228)
MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption (CVE-2017-11882 CVE-2018-0798 CVE-2018-0802)
MS.Office.RTF.File.OLE.autolink.Code.Execution (CVE-2017-0199 CVE-2017-8570)
All network IOCs are blocked by the WebFiltering client.
Traffic Light Protocol
|Color||When Should it Be used?||How may it be shared?|
TLP: REDNot for disclosure, restricted to participants only.
|Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.||Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.|
TLP: AMBERLimited disclosure, restricted to participants’ organizations.
|Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.||Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.|
TLP: GREENLimited disclosure, restricted to the community.
|Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.||Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.|
TLP: WHITEDisclosure is not limited.
|Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.||Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.|