Security researchers have revealed a major new campaign by Chinese state hackers in which they exploited Log4Shell and other bugs to compromise at least six US state government networks.
Mandiant claimed the activity between May 2021 and February 2022 indicated a deliberate campaign. However, it could not say definitively whether the prolific group known as APT41 was conducting operations for the state or moonlighting for its own gain.
What it did reveal are “significant new capabilities,” including new attack vectors and post-compromise tools and techniques.
The group targeted vulnerable internet-facing web apps for initial access, mainly via .NET deserialization attacks and SQL injection and directory traversal vulnerabilities.
APT41 blended zero-day attacks, in this case, to compromise off-the-shelf app USAHerds, with exploits of known bugs such as Log4Shell.
In the case of the latter, they were said to be exploiting Log4j “within hours” of the Apache Foundation’s advisory to compromise at least two US state governments as well as more traditional targets in the insurance and telecoms industries.
In late February 2022, APT41 was even found to have re-compromised two previous US state government victims.
“APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability,” Mandiant concluded. “The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use.”
The group was also observed customizing malware to specific victim organizations’ environments and hid its command and control (C2) address in encoded data on tech community forums, which it regularly updated.
“While the ongoing crisis in Ukraine has rightfully captured the world’s attention and the potential for Russian cyber-threats are real, we must remember that other major threat actors around the world are continuing their operations as usual,” argued Mandiant principal threat analyst Geoff Ackerman.
“We cannot allow other cyber activity to fall to the wayside, especially given our observations that this campaign from APT41, one of the most prolific threat actors around, continues to this day.