Chinese APT41 Breached US Government Networks Through USAHerds App

Security researchers at Mandiant have published a report detailing recent activity by APT41, a cybercrime outfit believed to have Chinese state backing. According to Mandiant, APT41 used a combination of Log4j exploitation and zero-day vulnerabilities to compromise several US government networks.

Zero-days and Log4j used together

The zero-day vulnerabilities in question are found in an application called USAHerds, an "animal health information management system" used by livestock farmers across the US. The application has been around for a number of years, but it was only recently that APT41 managed to abuse security flaws in it.

APT41 is believed to be a state-sponsored, China-based outfit that traditionally engages in cyber espionage. In this latest attack, researchers spotted new tools, new methods of evading detection, and new techniques employed by the threat actor.

The vulnerability used to access US networks is tracked as CVE-2021-44207. The attack took a two-pronged approach, also leveraging the infamous Log4j vulnerability. The USAHerds vulnerability, patched in November 2021, stemmed from the application's use of hard-coded, static validation and encryption keys, which ultimately permitted remote code execution on the system.

The application shipped the same static keys to every installed instance instead of generating unique ones on each install, which researchers describe as a significant security issue.
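The weakness described above is a configuration-level one: keys that should be unique per install are fixed in a file that every deployment shares. The following added example (not code from the page, Mandiant, or USAHerds) shows how a defender could audit a fleet of installs for that pattern. It assumes the application is an ASP.NET site whose validation and encryption keys live in the `<machineKey>` element of `web.config`; the page does not name the framework, and the sample configs are constructed.

```python
"""Audit ASP.NET web.config <machineKey> settings for fixed keys shared
across installs. Assumption: the app stores its validation/encryption keys
in <machineKey> (the page does not say so). All sample configs are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed: the config as shipped by the vendor, with literal keys baked in.
SHIPPED_CONFIG = (
    '<configuration><system.web>'
    '<machineKey validationKey="AAAA1111BBBB2222CCCC3333DDDD4444" '
    'decryptionKey="0011223344556677" validation="SHA1" decryption="AES"/>'
    '</system.web></configuration>'
)
# Constructed: a corrected config that makes ASP.NET generate keys per install.
FIXED_CONFIG = (
    '<configuration><system.web>'
    '<machineKey validationKey="AutoGenerate,IsolateApps" '
    'decryptionKey="AutoGenerate,IsolateApps" '
    'validation="HMACSHA256" decryption="AES"/>'
    '</system.web></configuration>'
)
# Constructed inventory: two hosts still run the shipped file, one was fixed.
CONFIGS = {"server-a": SHIPPED_CONFIG, "server-b": SHIPPED_CONFIG,
           "server-c": FIXED_CONFIG}

KEY_ATTRS = ("validationKey", "decryptionKey")


def static_keys(config_xml):
    """Return {attribute: value} for machineKey attributes set to a fixed
    literal. A missing attribute defaults to AutoGenerate and is not flagged."""
    found = {}
    for mk in ET.fromstring(config_xml).iter("machineKey"):
        for attr in KEY_ATTRS:
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                found[attr] = value
    return found


def shared_keys(configs):
    """Group hosts by identical fixed key values. Any group with more than one
    host means a key was shared across installs instead of generated per host."""
    hosts_by_key = defaultdict(set)
    for host, xml in configs.items():
        for attr, value in static_keys(xml).items():
            hosts_by_key[(attr, value)].add(host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}
```

Running `shared_keys(CONFIGS)` reports server-a and server-b sharing both keys, while the fixed server-c produces no findings.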

At least six networks accessed by APT41

There is no way to know how APT41 obtained the shared key values, but once it had them, it could gain access to "any server" running the USAHerds application. Although six US government networks are known to have been compromised in the attack, Mandiant expects that there are more victims that simply have not been recorded.

APT41 has been targeting US-based entities for a long time now, with attacks associated with the same outfit dating back to 2019. The group is known for being sharp and nimble when it comes to evasion and using advanced techniques when infiltrating its targets.
