APT41, a Chinese state-sponsored threat actor, breached at least six U.S. state government networks between May 2021 and February 2022 by retooling its attack vectors to exploit vulnerable internet-facing web applications.
The exploited vulnerabilities included “a zero-day vulnerability in the USAHERDS application (CVE-2021-44207) as well as the now infamous zero-day in Log4j (CVE-2021-44228),” according to Mandiant researchers in a report issued Tuesday.
The persistent attacks also involved weaponizing deserialization, SQL injection, and directory traversal vulnerabilities, in addition to web compromises, according to the cybersecurity and incident response firm.
The prolific advanced persistent threat, also known as Barium and Winnti, has a history of targeting organisations in both the public and private sectors in order to carry out espionage activity in tandem with financially motivated operations.
In early 2020, the group was linked to a global intrusion campaign that used Citrix NetScaler/ADC, Cisco router, and Zoho ManageEngine Desktop Central exploits to infect dozens of entities in 20 countries with malicious payloads.
The latest revelation continues APT41’s trend of rapidly exploiting newly disclosed vulnerabilities such as Log4Shell to gain initial access into target networks, in this case two U.S. state governments as well as insurance and telecom firms, within hours of their public disclosure.
The intrusions continued well into February 2022, when the hacking team re-compromised two U.S. state government victims it had first infiltrated in May and June 2021, “demonstrating their unwavering desire to access state government networks,” according to the researchers.
Furthermore, the foothold established following Log4Shell exploitation led to the deployment of a new variant of a modular C++ backdoor known as KEYPLUG on Linux systems, but only after extensive reconnaissance and credential harvesting in the target environments.