C0017

C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During C0017, APT41 was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown, however APT41 was observed exfiltrating Personal Identifiable Information (PII).

Attack methodology

The attack methodology used by this campaign can be outlined as follows:

Interim guidance

DARC team recommends the following guidance / best practices:

• Secure Coding Measures
  • Check for hard coded credentials and sensitive keys in the source code.
• Proper Patch Management
  • Update/patch the known vulnerabilities for the technologies being used.Regularly update the servers to the latest secure configuration.
  • Referring to the C0017 campaign, CVE-2021-44207 (a zero-day vulnerability in the USAHerds application) and CVE-2021-44228 (Log4j) were exploited. Timely Patching the systems with appropriate available solutions is strongly recommended.
• Malware Detection Solutions
  • Configure antimalware software for detecting open ports or services which might lead to an open backdoor or remote shell.
  • These Malware Detection Solutions help to detect and prevent malware and infrastructure that is clearly recognized as that of APT41 such as KEYPLUG, DEADEYE and DUSTPAN.
• Web Security Best Practices
  • Effectively filter any user input
  • Don’t store sensitive configuration files inside the web root.
• Cryptography Measures
  • Store passwords and other sensitive information in the system memory in the latest/secure encrypted format.
• Multi-Factor Authentication (MFA)
  • Enforce MFA Policies: Strengthen authentication by enforcing multi-factor authentication (MFA) for accessing critical systems, functions and processes .
  • Use MFA for every action on a computer/system that requires password/key based authentication (Password as well as MFA code). So even if a password from the memory is stolen or an encrypted password is decrypted, the attacker will face another layer of authentication.
• User Privilege Management
  • Regularly Review User Privileges: Conduct regular reviews of user privileges and enforce the principle of least privilege. Limit user access to critical systems to prevent unauthorized changes.
• Network Intrusion Prevention
  • Implement Network Intrusion Prevention: Deploy network intrusion prevention systems (NIPS) to detect and block malicious activities associated with campaign C0017. Customize NIPS rules to match threat signatures.
  • Analyze the network traffic and use Deep Packet Inspection (DPI). Security tools with DPI capabilities can inspect network traffic for patterns associated with known insecure deserialization exploits. This can be helpful in identifying potential attacks in real-time.
• Registry Access Control
  • Enhance Registry Access Controls: Strengthen access controls for the Windows Registry to prevent unauthorized modifications. 
    Regularly review and monitor changes to the registry, focusing on persistence mechanisms.

DARC Managed Threat Hunting Queries

To detect the activities associated with the context of C0017 campaign, we can create several DQL queries targeting different aspects of the network and system security. Here are some DQL queries that align with the security measures mentioned:

• Detect malicious payloads in Serialized objects to prevent insecure deserialization issues.
  • Unsigned DLL/Image loaded from suspicious locations:

stream=ep-image-load where NOT imageloaded like '%\\\\Program Files%' AND NOT signed='true' AND NOT imageloaded like '%\\\\Windows\\\\%' | duration 15m |  groupby user , system , imageloaded | limit 100

• Monitoring PowerShell script execution:

stream=win-audit where eid = 4104 | duration 1d |  limit 100

These queries are only indicative in nature with an assumption that the HYPERCLOUD platform is configured to capture and log the relevant data that corresponds to the security measures mentioned. Adjustments may be needed based on the actual data fields and log formats used in the organization's HYPERCLOUD deployment.

Conclusion

APT41's recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use. APT41 exploiting Log4J in close proximity to the USAHerds campaign showed the group’s flexibility to continue targeting U.S state governments through both cultivated and co-opted attack vectors.

References:

1. APT41 - USA State Governments
2. How to create and dump credentials from Registry in Windows
3. Deserialization
4. CVE-2021-44207
5. OWASP - Path Traversal
6. What is path traversal, and how to prevent it? | Web Security Academy