A threat group believed to be sponsored by the Chinese government has breached the networks of U.S. state governments, including through the exploitation of a zero-day vulnerability.
In a blog post published on Tuesday, cybersecurity research and incident response company Mandiant said it became aware of the campaign in May 2021, when it was called in to investigate an attack on a U.S. state government network.
An analysis revealed that the attack had likely been carried out by a Chinese state-sponsored threat group known as APT41, Barium, Winnti, Double Dragon, Wicked Panda, and various other names. This prolific threat actor has conducted both cyberespionage operations and financially-motivated attacks, and is known for its sophisticated tools and techniques.
Mandiant has confirmed that the hackers have compromised the networks of at least six U.S. state government organizations between May 2021 and February 2022. The precise goal of the campaign remains unknown, but the fact that the attackers target governments and steal personal information suggests espionage.
The company’s investigation uncovered the use of new techniques, malware, evasion methods and capabilities.
In the first two attacks observed by Mandiant, the attackers exploited a proprietary .NET web application that was exposed to the internet. In one case, after being kicked out of a network, the hackers returned two weeks later by exploiting a zero-day vulnerability in USAHerds (Animal Health Emergency Reporting Diagnostic System), a commercial application used by the Department of Agriculture in 18 U.S. states for animal health management.
The threat actor apparently discovered an easy-to-exploit zero-day flaw that enabled it to gain access to victim networks.
The USAHerds vulnerability, described as a hardcoded credentials issue and tracked as CVE-2021-44207, was patched in November 2021. However, based on information from Mandiant, it has been exploited since at least June 2021 by APT41.
According to Mandiant, CVE-2021-44207 has been exploited in attacks against at least two U.S. government organizations. In more recent attacks, the hackers also exploited the notorious Log4Shell vulnerability, which they started leveraging just hours after its existence was made public.
Mandiant said the USAHerds security hole is similar to CVE-2020-0688, a Microsoft Exchange vulnerability that has also been exploited in the wild.
In the case of USAHerds, all installations shared the same machineKey values instead of using uniquely generated values for each instance of the application.
“Mandiant did not identify how APT41 originally obtained the machineKey values for USAHerds; however once APT41 obtained the machineKey for USAHerds, they were able to compromise any server on the Internet running USAHerds. As a result, there are potentially additional unknown victims,” the cybersecurity firm said.
In the campaign monitored by Mandiant, the cyberspies delivered a piece of malware named Dustpan (StealthVector by Trend Micro), which they used to drop a Cobalt Strike Beacon backdoor. The group also tailored its malware to the victim’s environment.
The company’s researchers also noticed that APT41 has “substantially increased” usage of Cloudflare services for command and control (C&C) communications and data exfiltration.
In 2020, the United States Department of Justice announced charges against several alleged members of APT41 for attacks aimed at more than 100 companies in the U.S. and other countries. The charges announced at the time do not appear to have deterred the group.
Related: China’s APT41 Exploited Citrix, Cisco, ManageEngine Flaws in Global Campaign
Related: Researchers Attribute Airline Cyberattack to Chinese Hackers
Related: More Details Emerge on Operations, Members of Chinese Group APT41