Six US state government networks hit by Chinese state-sponsored espionage group, APT41

Cybersecurity firm Mandiant reported that a persistent campaign by APT41, a prolific Chinese state-sponsored espionage group, compromised at least six U.S. state government networks by exploiting vulnerable Internet-facing web applications. The group exploited a zero-day vulnerability in the USAHerds application as well as the Log4Shell zero-day vulnerability in Log4j. Mandiant has, however, not named the affected state governments.

“While the overall goals of APT41’s campaign remain unknown, our investigations into each of these intrusions has revealed a variety of new techniques, malware variants, evasion methods, and capabilities,” Mandiant said in its research released on Tuesday. However, there has been evidence of APT41 exfiltrating personally identifiable information (PII). Although the victimology and targeting of PII data are consistent with an espionage operation, Mandiant cannot make a definitive assessment at this time given APT41’s history of moonlighting for personal financial gain, it added.

Mandiant’s research came on the same day that the company entered into a definitive agreement to be acquired by Google in an all-cash transaction valued at approximately US$5.4 billion, inclusive of Mandiant’s net cash. Upon the close of the acquisition, Mandiant will join Google Cloud.

Mandiant began tracking this APT41 activity when it responded to an intrusion that targeted a U.S. state government computer network last May. This was just the beginning of Mandiant’s insight into a persistent months-long campaign conducted by APT41 using vulnerable Internet-facing web applications as its initial foothold into networks of interest. Publicly available tools such as YSoSerial.NET exist to construct malicious ASP.NET ViewState payloads, which is how APT41 initiated its May campaign, it added.

APT41 has primarily used malicious ViewStates to trigger code execution against targeted web applications, Mandiant said. Within the ASP.NET framework, ViewState is a method for storing the application’s page and control values in HTTP requests to and from the server. The ViewState is sent to the server with each HTTP request as a Base64-encoded string in a hidden form field. The web server decodes the string and applies additional transformations to it so that it can be unpacked into data structures the server can use. This process is known as deserialization, the firm added.

Mandiant also identified a “JScript webshell deployed through a malicious ViewState object by APT41 which utilizes Code Page 936 for the Chinese Simplified keyboard language.”

Not surprisingly, the most recent APT41 campaign began shortly after the disclosure of the Log4Shell vulnerability and its related proof-of-concept exploits in December 2021, Mandiant said. Exploiting the vulnerability causes Java to fetch and deserialize a remote Java object, resulting in potential code execution. Similar to its previous web application targeting, APT41 continued to use YSoSerial-generated deserialization payloads to perform reconnaissance and deploy backdoors, the firm added.

“After exploiting Log4Shell, APT41 continued to use deserialization payloads to issue ping commands to domains, a technique APT41 frequently used at government victims months prior,” Mandiant said. Upon gaining access to a target environment, APT41 performed host and network reconnaissance before deploying KEYPLUG.LINUX to establish a foothold in the environment, it added.

In three investigations from last year, APT41 exploited a zero-day vulnerability in the USAHerds web application. USAHerds is a commercial off-the-shelf (COTS) application written in ASP.NET and used by 18 states for animal health management, Mandiant said. The vulnerability in USAHerds is similar to a previously reported vulnerability in Microsoft Exchange Server. The application used a static ‘validationKey’ and ‘decryptionKey,’ collectively known as the machineKey, by default. As a result, all installations of USAHerds shared these values, which is against the best practice of using uniquely generated machineKey values per application instance, it added.

Generating unique machineKey values is critical to the security of an ASP.NET web application because the values are used to secure the integrity of the ViewState.

Mandiant did not identify how APT41 originally obtained the machineKey values for USAHerds; however, once APT41 obtained the machineKey, they could compromise any server on the Internet running USAHerds. As a result, there are potentially additional unknown victims.
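As an added defensive illustration (not Mandiant's tooling or USAHerds code), the following Python audit reads ASP.NET web.config fragments from several installations and flags the two conditions described above: an explicitly configured static machineKey, and a validationKey/decryptionKey pair shared by more than one installation. The installation names and key values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments for five hypothetical installations (not real
# USAHerds configuration); key values are labelled placeholders, not real keys.
SAMPLE_CONFIGS = {
    "county-a": '<configuration><system.web><machineKey validationKey="CONSTRUCTED-VK-1" decryptionKey="CONSTRUCTED-DK-1" /></system.web></configuration>',
    "county-b": '<configuration><system.web><machineKey validationKey="CONSTRUCTED-VK-1" decryptionKey="CONSTRUCTED-DK-1" /></system.web></configuration>',
    "county-c": '<configuration><system.web><machineKey validationKey="CONSTRUCTED-VK-2" decryptionKey="CONSTRUCTED-DK-2" /></system.web></configuration>',
    "county-d": '<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>',
    "county-e": '<configuration><system.web><httpRuntime /></system.web></configuration>',
}

# ASP.NET's default when an attribute is omitted: a key generated per machine and
# isolated per application, i.e. the per-instance key the article recommends.
DEFAULT_KEY = "AutoGenerate,IsolateApps"


def machine_key_settings(config_xml):
    """Return (validationKey, decryptionKey) as configured, falling back to the
    ASP.NET defaults when <machineKey> or either attribute is absent."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return (DEFAULT_KEY, DEFAULT_KEY)
    return (node.get("validationKey", DEFAULT_KEY), node.get("decryptionKey", DEFAULT_KEY))


def is_static(value):
    """A key that is not auto-generated is a fixed secret that can be copied."""
    return "AutoGenerate" not in value


def audit(configs):
    """Map installation name -> findings: explicit static keys, and key pairs
    that appear in more than one installation (the shared-default defect)."""
    findings = defaultdict(list)
    owners = defaultdict(list)
    for name, xml in configs.items():
        vk, dk = machine_key_settings(xml)
        if is_static(vk) or is_static(dk):
            findings[name].append("static machineKey configured")
            owners[(vk.lower(), dk.lower())].append(name)
    for names in owners.values():
        for name in names:
            others = sorted(set(names) - {name})
            if others:
                findings[name].append("machineKey shared with: " + ", ".join(others))
    return dict(findings)
```

Installations that keep the ASP.NET defaults produce no findings; a static key that is unique to one installation is reported only as static, while identical pairs across installations are reported on every installation that shares them.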

APT41 exploiting Log4j in close proximity to the USAHerds campaign showed the group’s flexibility to continue targeting U.S. state governments through both cultivated and co-opted attack vectors, Mandiant said. “Through all the new, some things remain unchanged: APT41 continues to be undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020,” it added.

APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques, Mandiant said. The group can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The hackers have also shown a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use. 

Last month, Mandiant drew attention to UNC2596, a hacker group that deploys COLDDRAW ransomware, having targeted dozens of organizations, including those within the critical infrastructure sector, across over ten countries. So far, victims of the COLDDRAW ransomware attacks have included utility providers, government agencies, and organizations that support nonprofits and healthcare entities, it added.
