A months-long malicious campaign that targeted multiple US government agencies has once again highlighted the sophistication and dogged persistence of APT41, a China-backed threat actor associated with numerous cyber-espionage campaigns in recent years.

Researchers at Mandiant first spotted the campaign when responding to an APT41 intrusion at a US state government network last May. Since then, the security vendor has identified at least six instances where the threat actor compromised a state government network by exploiting Web application vulnerabilities in their environments.

In three of the compromises, APT41 threat actors exploited a zero-day flaw in USAHerds, an off-the-shelf application for tracking livestock that some 18 state governments currently use. Two other compromises involved an exploit for the well-known Apache Log4j vulnerability disclosed in December. The attacks on the Log4j vulnerability (CVE-2021-44228) happened just two days after the Apache Foundation disclosed it — showing the speed at which APT41 is able to take advantage of new flaws.

Persistent and Targeted
One notable aspect of the attacks is how persistent and targeted they have been, according to Mandiant. Unlike many APT41 attacks that involve mass scanning for exploitable vulnerabilities, the compromises that Mandiant observed between May 2021 and February 2022 appeared to be specific and targeted. In a couple of instances where Mandiant detected and contained APT41 activity, the threat actor regained access to the network  the zero-day vulnerability (CVE-2021-44207) in the USAHerds application. 

Similarly, late last month Mandiant discovered the threat actor had managed to once again compromise the network of two state agencies that it had previously infiltrated and from which it had been booted out.

Though Mandiant observed APT41 conducting extensive reconnaissance and credential harvesting after gaining initial access to a target network, the security vendor said it had been unable to identify the threat actor's broader motives for the campaign. However, the campaign has shown APT41 to be using new malware variants, techniques, obfuscation, and evasion capabilities, Mandiant said in a report this week. The report said APT41's new campaign represents unceasing attempts to gain access to state government systems in the US.

APT41 has incorporated several new tactics, techniques, and procedures in its latest campaign, says Van Ta, principal threat analyst, advanced practices at Mandiant. This includes the quick adoption of new attack vectors like the Log4j zero day and the deployment of a ported Linux version of KEYPLUG, a modular backdoor for command-and-control, Ta says. The threat actor has also made tweaks to its techniques for remaining stealthy on compromised networks, he says — for example, by increasing use of legitimate Web services to mask malware communications. 

Ta also pointed to APT41's use of a passive backdoor called LOWKEY as an example of how the threat actor tailored its malware to victim environments in the latest campaign. The backdoor is designed to listen to incoming connections matching a specific pattern that blends in with normal Web traffic at the target environment, he says.

Microsoft Exchange Server Flaw Similarity
Mandiant described the vulnerability in USAHerds (CVE-2021-44207) as similar to a previously disclosed privilege escalation bug in Microsoft Exchange Server (CVE-2020-0688) that gave attackers a way to remotely execute malicious code on vulnerable systems. Like the Microsoft vulnerability, the one in USAHerds also involved a static "machineKey" by default.

"The machineKey is a .NET element that contains encryption keys used for secure communication between the client and .NET server," Ta says. "With access to these keys, APT41 was able to manipulate any USAHerds servers with the same configuration into executing their code." 

Ta says APT41 used the vulnerability in the USAHerds application as a foothold into multiple environments. "After establishing an entryway, we observed APT41 pivoting into other parts of the network," he says.

APT41, which is also known as Winnti, Barium, Wicked Panda, and Wicked Spider, is a prolific threat actor that the US government and others have described as having ties to the Chinese Ministry of State Security and the government in Beijing. The group — which some security vendors have described as the most active China-based actor — has been associated with dozens of computer intrusions, including ransomware attacks, cyber-espionage, and cryptojacking schemes against government and private organizations in 100 countries.

In September 2020, the US government indicted five members of the group for their alleged involvement in a wide range of cyberattacks on more than 100 organizations. Among those indicted were the operators of a Chengdu, China-based company called Chengdu 404 Network Technology, which US prosecutors alleged was responsible for breaking into software vendor systems and using them to distribute malware. At the time, several security experts had noted how the US indictments — against individuals in China — were unlikely to do anything to deter APT41.

"APT41's operational tempo remains unchanged after the US DoJ indictment in 2020," Ta says. "Our research details a deliberate campaign against state governments, but their methods of exploitation are effective across a vast body of Web applications and industries, regardless of their location." 

The group's focus has been on US states, but that could quickly change to a different target using the same techniques, he cautions.

Daxin Cyber-Spying Tool
APT41 is one of several China-based groups that have targeted organizations in the US and elsewhere in a wave of attacks focused on everything from stealing trade secrets and proprietary data to spying, ransomware, and other attacks for financial gain. Many of these attacks have involved a high degree of complexity and sophistication. Just this week, Symantec released the first part of a comprehensive two-part analysis of Daxin, a cyber-espionage tool being used by China-based actors that the security vendor has described as the most sophisticated it has ever seen from the country.

Dick O’Brien, principal editor for the Symantec Threat Intelligence Team, says researchers at the company have found a link between the malware and a group called Slug or Owlproxy. What makes the malware especially troubling is its ability to communicate silently by hiding in legitimate traffic and its design for penetrating highly secure networks with no direct Internet connection and exfiltrating data from them.

"Deep penetration is facilitated through Daxin's ability to create a peer-to-peer network consisting of nodes of infected computers," O'Brien says. The malware gives attackers a way to create a chain of nodes from computers on a secure network out to the less-secure main network and then back across the Internet to the attackers. 

He adds: "The ability to get deep into secured networks along with the stealthy communications capability is a pretty potent combination."