C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications. During C0017, APT41 was quick to adapt and use publicly disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown; however, APT41 was observed exfiltrating Personally Identifiable Information (PII).
The attack methodology used by this campaign can be outlined as follows:
MITRE TACTICS | STEPS INVOLVED
--- | ---
Initial Access | APT41 conducted a lengthy campaign targeting vulnerable Internet-facing web applications to gain initial access to networks, exploiting vulnerabilities such as CVE-2021-44207 in USAHerds and the Log4j zero-day (CVE-2021-44228).
Execution | Once APT41 had access to a server on a target network, APT41 would advance using relatively common "credential harvesting" tools, such as the Mimikatz technique of accessing passwords in a machine's memory and then using them to gain access to other computers on the network.
Persistence | APT41 implanted backdoor code in victim computers, using malware tools such as KEYPLUG, DEADEYE, and DUSTPAN for this purpose, with KEYPLUG.LINUX specifically targeting Linux servers.
Privilege Escalation | APT41 deployed a ConfuserEx-obfuscated BADPOTATO binary to exploit named pipe impersonation, facilitating local privilege escalation to NT AUTHORITY\SYSTEM.
Exfiltration | Once APT41 gained NT AUTHORITY\SYSTEM privileges, this enabled them to copy the local SAM and SYSTEM registry hives for credential harvesting. They further utilized Mimikatz to extract locally stored credentials and NTLM hashes from the dumped registry hives.
Discovery | APT41 conducted Active Directory reconnaissance by uploading the Windows command-line tool dsquery.exe and its associated module dsquery.dll to get information about users and the system.
The DARC team recommends the following guidance and best practices:
To detect the activities associated with the C0017 campaign, we can create several DQL queries targeting different aspects of network and system security. Here are some DQL queries that align with the security measures mentioned:
stream=ep-image-load where NOT imageloaded like '%\\Program Files%' AND NOT signed='true' AND NOT imageloaded like '%\\Windows\\%' | duration 15m | groupby user , system , imageloaded | limit 100
stream=win-audit where eid = 4104 | duration 1d | limit 100
These queries are only indicative in nature with an assumption that the HYPERCLOUD platform is configured to capture and log the relevant data that corresponds to the security measures mentioned. Adjustments may be needed based on the actual data fields and log formats used in the organization's HYPERCLOUD deployment.
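To make the intent of the two queries concrete without a HYPERCLOUD deployment at hand, the following is an added example (not part of the original write-up and not DNIF/HYPERCLOUD code) that re-implements the same filtering logic in Python over constructed sample events. The field names (imageloaded, signed, user, system, eid) mirror the DQL queries; the event records, host names, paths and timestamps are all made up for illustration. The first function reproduces the "unsigned module loaded from outside Program Files and the Windows directory" filter with the 15-minute window and the groupby, the second reproduces the EID 4104 (PowerShell script block logging) selection with its 1-day window.

```python
from collections import defaultdict

NOW = 1_700_000_000  # constructed "current time" in epoch seconds

# Constructed image-load events (equivalent of stream=ep-image-load).
# Hosts, users and paths are made up; one dsquery.dll load is older than 15 minutes.
IMAGE_LOAD_EVENTS = [
    {"ts": NOW - 30,   "user": "svc_web", "system": "WEB01", "imageloaded": r"C:\Windows\System32\ntdll.dll",   "signed": "true"},
    {"ts": NOW - 60,   "user": "svc_web", "system": "WEB01", "imageloaded": r"C:\Users\Public\dsquery.dll",     "signed": "false"},
    {"ts": NOW - 90,   "user": "alice",   "system": "WS07",  "imageloaded": r"C:\Program Files\Vendor\app.dll", "signed": "false"},
    {"ts": NOW - 120,  "user": "svc_web", "system": "WEB01", "imageloaded": r"C:\Windows\Temp\helper.dll",      "signed": "false"},
    {"ts": NOW - 150,  "user": "bob",     "system": "WS09",  "imageloaded": r"D:\tools\loader.dll",             "signed": "true"},
    {"ts": NOW - 3600, "user": "svc_web", "system": "WEB01", "imageloaded": r"C:\Users\Public\dsquery.dll",     "signed": "false"},
]

# Constructed Windows audit events (equivalent of stream=win-audit).
WIN_AUDIT_EVENTS = [
    {"ts": NOW - 300,   "eid": 4104, "system": "WEB01", "message": "Creating Scriptblock text (1 of 1): Get-ChildItem C:\\Users"},
    {"ts": NOW - 400,   "eid": 4624, "system": "WEB01", "message": "An account was successfully logged on"},
    {"ts": NOW - 90000, "eid": 4104, "system": "WS07",  "message": "Creating Scriptblock text (1 of 1): Get-Process"},
]


def in_window(event, now, window_seconds):
    """Equivalent of the DQL 'duration' clause; None means no time bound."""
    return window_seconds is None or (now - event["ts"]) <= window_seconds


def is_suspicious_image_load(event):
    """Mirror of the first query's where-clause: the module is not signed and
    was loaded from outside '\\Program Files' and '\\Windows\\'.
    Matching is done case-insensitively here (an assumption; the DQL 'like'
    semantics in a given deployment may differ)."""
    if event.get("signed") == "true":
        return False
    path = event["imageloaded"].lower()
    if "\\program files" in path or "\\windows\\" in path:
        return False
    return True


def group_suspicious_loads(events, now=NOW, window_seconds=15 * 60, limit=100):
    """groupby user, system, imageloaded with a hit count, capped at 'limit'
    groups, over events inside the time window."""
    counts = defaultdict(int)
    for ev in events:
        if in_window(ev, now, window_seconds) and is_suspicious_image_load(ev):
            counts[(ev["user"], ev["system"], ev["imageloaded"])] += 1
    rows = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    return rows[:limit]


def script_block_events(events, now=NOW, window_seconds=24 * 60 * 60, limit=100):
    """Mirror of the second query: EID 4104 events inside the last day."""
    hits = [ev for ev in events if ev.get("eid") == 4104 and in_window(ev, now, window_seconds)]
    return hits[:limit]


if __name__ == "__main__":
    for (user, system, image), n in group_suspicious_loads(IMAGE_LOAD_EVENTS):
        print(f"[image-load] {system} {user} {image} x{n}")
    for ev in script_block_events(WIN_AUDIT_EVENTS):
        print(f"[4104] {ev['system']} {ev['message']}")
```

Run as a script it prints one unsigned dsquery.dll load from a user-writable path on WEB01 (the older duplicate falls outside the 15-minute window) and one script block event (the second 4104 is older than a day). Widening the window to None shows why the duration clause matters for alert volume: the same module load is then counted twice. The path exclusions are deliberately coarse, exactly as in the DQL, so in a real tenant expect to tune them against known unsigned vendor modules before alerting on the result.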
APT41's recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use. APT41 exploiting Log4j in close proximity to the USAHerds campaign showed the group's flexibility to continue targeting U.S. state governments through both cultivated and co-opted attack vectors.
References: