Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

China-linked APT41 group targets US-Based Research University

Security experts at FireEye observed Chinese APT41 APT group targeting a web server at a U.S.-based research university. Experts at FireEye observed Chinese APT41 APT group targeting a web server at a U.S.-based research university. The APT41 has been active since at least 2012, it was involved in both state-sponsored espionage campaigns and financially-motivated attacks […]

APT41

Security experts at FireEye observed Chinese APT41 APT group targeting a web server at a U.S.-based research university.

Experts at FireEye observed Chinese APT41 APT group targeting a web server at a U.S.-based research university.

The APT41 has been active since at least 2012, it was involved in both state-sponsored espionage campaigns and financially-motivated attacks since 2014. The group hit entities in several industries, including the gaming, healthcare, high-tech, higher education, telecommunications, and travel services industries.

Unlike other China-based actors, the group used custom malware in cyber espionage operations, experts observed 46 different malware families and tools in APT41 campaigns.

“APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain.” states the report published by FireEye. “Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.”

APT41

FireEye experts published a detailed report on the evolution of the group’s tactics, techniques, and procedures (TTPs), they found an overlap with other known Chinese espionage operator like BARIUM and the Winnti APT groups.

APT41 leverages several techniques to carry out the initial compromise, including spearphishing, moving laterally from trusted third parties, leveraging stolen credentials.

Experts observed APT41 using spear-phishing email with attachments such as compiled HTML (.chm) files.

The arsenal of the group includes backdoors, credential stealers, keyloggers, and rootkits. The APT41 cyber espionage group also leveraged TeamViewer to deploy its malware into the targets’ compromised environment.

The attack against a publicly-accessible web server at a U.S.-based research university took place on April 2019. The hackers exploited the CVE-2019-3396 vulnerability in Atlassian Confluence Server to compromise the systems and load additional payloads, including a variant of the China Chop web shell.

The attack involved two additional files, the HIGHNOON backdoor and a rootkit, then within the next 35 minutes, the attackers used both the China Chopper web shell and the HIGHNOON backdoor to send commands to the compromised server.

“HIGHNOON is a backdoor that consists of multiple components, including a loader, dynamic-link library (DLL), and a rootkit. When loaded, the DLL may deploy one of two embedded drivers to conceal network traffic and communicate with its command and control server to download and launch memory-resident DLL plugins.” reads the analysis published by FireEye.

Attackers used the HIGHNOON backdoor to execute a PowerShell command and download a script from PowerSploit. This script appears to be a copy of Invoke-Mimikatz post-exploitation tools, reflectively loading Mimikatz 2.0 into memory.

The hackers also conducted additional reconnaissance and downloaded two additional files, representing the dropper and encrypted/compressed payload components of the ACEHASH malware. The ACEHASH malware is a credential stealer and password dumping utility.

Summarizing the hackers were able to exploit the vulnerability in vulnerable Confluence system to execute command and deploy custom malware. While Mimikatz failed, the ACEHASH malware allowed the attackers to harvest a single credential from the system. The good news is that FireEye successfully neutralized the attack.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – APT41, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]