C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During C0017, APT41 was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown, however APT41 was observed exfiltrating Personal Identifiable Information (PII).
Attack methodology
The attack methodology used by this campaign can be outlined as follows:
MITRE TACTICS |
STEPS INVOLVED |
Initial Access | APT41 conducted a lengthy campaign targeting vulnerable Internet-facing web applications to gain initial access to networks. Exploiting vulnerabilities such as CVE-2021-44207 in USAHerds and the Log4j zero-day (CVE-2021-44228) |
Execution | Once APT41 had access to a server on a target network, APT41 would advance using relatively common "credential harvesting" tools, such as the Mimikatz technique of accessing passwords in a machine's memory and then using them to gain access to other computers on the network. |
Persistence | APT41 implanted backdoor code in victim computers, they utilized malware tools such as KEYPLUG, DEADEYE, and DUSTPAN for this purpose, with KEYPLUG.LINUX specifically targeting Linux servers. |
Privilege Escalation | Deployed a ConfuserEx obfuscated BADPOTATO binary to exploit named pipe impersonation, facilitating local privilege escalation to NT AUTHORITY\SYSTEM. |
Exfiltration | Once APT41 gained NT AUTHORITY\SYSTEM privileges, this enabled them to copy the local SAM and SYSTEM registry hives for credential harvesting. They further utilized Mimikatz to extract locally stored credentials and NTLM hashes from the dumped registry hives. |
Discovery | APT41 conducted Active Directory reconnaissance by uploading the Windows command-line tool dsquery.exe and its associated module dsquery.dll to get information about the user and the System. |
Interim guidance
DARC team recommends the following guidance / best practices:
- Secure Coding Measures
- Check for hard coded credentials and sensitive keys in the source code.
- Proper Patch Management
- Update/patch the known vulnerabilities for the technologies being used.Regularly update the servers to the latest secure configuration.
- Referring to the C0017 campaign, CVE-2021-44207 (a zero-day vulnerability in the USAHerds application) and CVE-2021-44228 (Log4j) were exploited. Timely Patching the systems with appropriate available solutions is strongly recommended.
- Malware Detection Solutions
- Configure antimalware software for detecting open ports or services which might lead to an open backdoor or remote shell.
- These Malware Detection Solutions help to detect and prevent malware and infrastructure that is clearly recognized as that of APT41 such as KEYPLUG, DEADEYE and DUSTPAN.
- Web Security Best Practices
- Effectively filter any user input
- Don’t store sensitive configuration files inside the web root.
- Cryptography Measures
- Store passwords and other sensitive information in the system memory in the latest/secure encrypted format.
- Multi-Factor Authentication (MFA)
- Enforce MFA Policies: Strengthen authentication by enforcing multi-factor authentication (MFA) for accessing critical systems, functions and processes .
- Use MFA for every action on a computer/system that requires password/key based authentication (Password as well as MFA code). So even if a password from the memory is stolen or an encrypted password is decrypted, the attacker will face another layer of authentication.
- User Privilege Management
- Regularly Review User Privileges: Conduct regular reviews of user privileges and enforce the principle of least privilege. Limit user access to critical systems to prevent unauthorized changes.
- Network Intrusion Prevention
- Implement Network Intrusion Prevention: Deploy network intrusion prevention systems (NIPS) to detect and block malicious activities associated with campaign C0017. Customize NIPS rules to match threat signatures.
- Analyze the network traffic and use Deep Packet Inspection (DPI). Security tools with DPI capabilities can inspect network traffic for patterns associated with known insecure deserialization exploits. This can be helpful in identifying potential attacks in real-time.
- Registry Access Control
- Enhance Registry Access Controls: Strengthen access controls for the Windows Registry to prevent unauthorized modifications.
Regularly review and monitor changes to the registry, focusing on persistence mechanisms.
- Enhance Registry Access Controls: Strengthen access controls for the Windows Registry to prevent unauthorized modifications.
DARC Managed Threat Hunting Queries
To detect the activities associated with the context of C0017 campaign, we can create several DQL queries targeting different aspects of the network and system security. Here are some DQL queries that align with the security measures mentioned:
- Detect malicious payloads in Serialized objects to prevent insecure deserialization issues.
- Unsigned DLL/Image loaded from suspicious locations:
stream=ep-image-load where NOT imageloaded like '%\\\\Program Files%' AND NOT signed='true' AND NOT imageloaded like '%\\\\Windows\\\\%' | duration 15m | groupby user , system , imageloaded | limit 100
- Monitoring PowerShell script execution:
stream=win-audit where eid = 4104 | duration 1d | limit 100
These queries are only indicative in nature with an assumption that the HYPERCLOUD platform is configured to capture and log the relevant data that corresponds to the security measures mentioned. Adjustments may be needed based on the actual data fields and log formats used in the organization's HYPERCLOUD deployment.
Conclusion
APT41's recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use. APT41 exploiting Log4J in close proximity to the USAHerds campaign showed the group’s flexibility to continue targeting U.S state governments through both cultivated and co-opted attack vectors.
References:
COMMENTS