FortiGuard Labs is aware of a report that threat actor APT41 compromised at least six networks belonging to U.S. state governments between May 2021 and February 2022. To gain a foothold into the victim’s network, the threat actor used a number of different attack vectors: exploiting vulnerable Internet facing web applications and directory traversal vulnerabilities, performing SQL injection, and conducting de-serialization attacks. The intent of APT41 appears to be reconnaissance, though how the stolen information is to be used has not yet been determined.Why is this Significant? This is significant because at least six U.S. state government systems were broken into and data exfiltration was performed by APT41 as recent as February 2022 In addition, a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as Log4j (CVE-2021-44228), among others, were exploited in the attacksWhat’s the Detail of the Attack?APT41 performed several different ways to break into the targeted networks.In one case, the group exploited a SQL injection vulnerability in a Internet-facing web application. In another case, a then previously unknown vulnerability (CVE-2021-44207) in USAHerds, which is a web application used by agriculture officials to manage animal disease control and prevention, livestock identification and movement. Also, APT41 reportedly started to exploit the infamous Log4j vulnerability (CVE-2021-44228) within hours of Proof-of-Concept (PoC) code becoming available. Patches for both vulnerabilities are available. Once successful in breaking into the victim’s network, the threat actor performed reconnaissance and credential harvesting activities. What is APT41?APT41 is a threat actor who has been active since at least 2012. Also known as TA415, Double Dragon, Barium, GREF and WickedPanda, the group reportedly performs Chinese state-sponsored espionage activities. APT41 targets organizations in multiple countries across a wide range of industries, such as telecommunications, industrial and engineering and think tanks. In 2020, five alleged members of the group were charged by the U.S. Justice Department for hacking more than 100 companies in the United States.What are the Tools Used by APT41?APT41 is known to use the following tools:ASPXSpy – web shell backdoorBITSAdmin – PowerShell cmdlets for creating and managing file transfers.BLACKCOFFEE – backdoor that disguise its communications as benign traffic to legitimate websites certutil – command-line utility tool used for manipulating certification authority (CA) data and components.China Chopper – web shell backdoor that allows attacker to have remote access to an enterprise networkCobalt Strike – a commercial penetration testing tool, which allows users to perform a wide range of activitiesDerusbi – DLL backdoorEmpire – PowerShell post-exploitation agent, which provides a wide range of attack activities to usersgh0st RAT – Remote Access Trojan (RAT)MESSAGETAP – data mining malware Mimikatz – open-source credential dumpernjRAT – Remote Access Trojan (RAT)PlugX – Remote Access Trojan (RAT)PowerSploit – open-source, offensive security framework which allows users to perform a wide range of activitiesROCKBOOT – BootkitShadowPad – backdoorWinnti for Linux – Remote Access Trojan (RAT) for LinuxZxShell – Remote Access Trojan (RAT)Badpotato – open-source tool that allows elevate user rights towards System rightsDustPan – shellcode loader. aka StealthVectorDEADEYE – downloaderLOWKEY – backdoorKeyplug – backdoorWhat are Other Vulnerabilities Known to be Exploited by APT41?APT41 exploited the following, but not restricted to, these vulnerabilities in the past:CVE-2020-10189 (ManageEngine Desktop Central remote code execution vulnerability)CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance)CVE-2019-3396 (Atlassian Confluence Widget Connector Macro Velocity Template Injection)CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability)CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows)CVE-2015-1641 (Microsoft Office Memory Corruption Vulnerability)CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability)Are Patches Available for those Vulnerabilities?Yes, patches are available for the vulnerabilities.What is the Status of Coverage?FortiGuard Labs has the following AV signature in place for this issue as:Apache.Log4j.Error.Log.Remote.Code.ExecutionFortiGuard Labs provide the following IPS coverage against vulnerabilities exploited by APT41:Apache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-4104 CVE-2021-45046 CVE-2021-44228)ZOHO.ManageEngine.DC.getChartImage.Remote.Code.Execution (CVE-2020-10189)Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal (CVE-2019-19781)Confluence.Widget.Connector.macro.Path.Traversal (CVE-2019-3396)MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption (CVE-2017-11882 CVE-2018-0798 CVE-2018-0802)MS.Office.RTF.File.OLE.autolink.Code.Execution (CVE-2017-0199 CVE-2017-8570)MS.Office.RTF.Array.Out.of.bounds.Memory.Corruption (CVE-2015-1641)MS.Windows.MSCOMCTL.ActiveX.Control.Remote.Code.Execution (CVE-2012-0158)MS.Windows.MSCOMCTL.ActiveX.Control.Code.Execution (CVE-2012-0158)All network IOCs are blocked by the WebFiltering client.