APT41, the state-sponsored threat actor affiliated with China, breached at least six U.S. state government networks between May 2021 and February 2022 by retooling its attack vectors to take advantage of vulnerable internet-facing web applications.
The exploited vulnerabilities included “a zero-day vulnerability in the USAHERDS application (CVE-2021-44207) as well as the now infamous zero-day in Log4j (CVE-2021-44228),” researchers from Mandiant said in a report published Tuesday, calling it a “deliberate campaign.”
Besides web compromises, the persistent attacks also involved the weaponization of deserialization, SQL injection, and directory traversal vulnerabilities, the cybersecurity and incident response firm noted.
The prolific advanced persistent threat, also known by the monikers Barium and Winnti, has a track record of targeting organizations in both the public and private sectors to orchestrate espionage activity in parallel with financially motivated operations.
In early 2020, the group was linked to a global intrusion campaign that leveraged a variety of exploits involving Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central to strike dozens of entities in 20 countries with malicious payloads.
The latest disclosure continues the trend of APT41 quickly co-opting newly disclosed vulnerabilities such as Log4Shell to gain initial access into target networks, including those of two U.S. state governments and insurance and telecom firms, within hours of the flaw becoming public knowledge.