Security researchers have discovered a major new campaign by Chinese state hackers in which they exploited Log4Shell and other bugs to compromise at least six US state government networks.
Mandiant said the activity between May 2021 and February 2022 indicated a deliberate campaign. However, it could not say definitively whether the prolific group known as APT41 was conducting operations for the state or moonlighting for its own gain.
What it did reveal were “significant new capabilities,” including new attack vectors and post-compromise tools and techniques.
The group targeted vulnerable internet-facing web applications for initial access, mainly via .NET deserialization attacks, SQL injection and directory traversal vulnerabilities.
APT41 combined zero-day attacks, in this case to compromise the off-the-shelf application USAHerds, with exploits of known bugs such as Log4Shell.
In the case of the latter, they were said to be exploiting Log4j “within hours” of the Apache Foundation’s advisory to compromise at least two US state governments as well as more traditional targets in the insurance and telecoms industries.
In late February 2022, APT41 was even found to have re-compromised two former US state government victims.
“APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability,” Mandiant concluded. “The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use.”
The group was also observed customizing malware to specific target organizations’ environments and hid its command and control (C2) address in encoded data on tech community forums, which it frequently updated.
“While the ongoing crisis in Ukraine has rightfully captured the world’s attention and the potential for Russian cyber-threats is real, we must remember that other major threat actors around the world are continuing their operations as usual,” argued Mandiant principal threat analyst Geoff Ackerman.
“We cannot allow other cyber activity to fall to the wayside, especially given our observations that this campaign from APT41, one of the most prolific threat actors around, continues to this day.”