Mandiant Reports APT41 Targeting US Government

  |  Source: 

Mandiant Reports APT41 Targeting US Government

Mandiant provides insights on engagements involving six U.S state government entities that were compromised by APT41. The Chinese-sponsored threat group appeared to have a focused effort against the U.S state government between May 2021 and February 2022. Objectives against the government entities are unclear however APT41 was observed exfiltrating PII data. The APT group obtained initial access by exploiting vulnerabilities from public-facing web applications including Log4j and a vulnerability in application USAHerds, CVE-2021-44207. Web application compromise tactics as detailed by Mandiant, "In most of the web application compromises, APT41 conducted .NET deserialization attacks; however, we have also observed APT41 exploiting SQL injection and directory traversal vulnerabilities." Following initial access, APT41 conducted reconnaissance using dsquery and credential harvesting, by gathering credentials from the registry and executing Mimikatz. Persistence is achieved through the use of scheduled tasks. For command and control (C2) and data exfiltration, APT41 has leveraged Cloudflare services to proxy its traffic. Additionally, the evasion and anti-analysis techniques used involved using Alternate Data Stream (ADS) and using VMProtect in malware.


Get trending threats published weekly by the Anvilogic team.

Sign Up Now