Threat Signal ReportAPT 41 - Indictments of Nation State Actors Involved in a Global Hacking Campaign
Description
This week, the United States Department of Justice (USDOJ) indicted five Chinese nationals for hacking into the networks of over 100 companies in a global cyber crime campaign. According to the press release, the industries attacked included software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments. In addition, pro-democracy politicians and activists in Hong Kong were also targeted.
The group (known as APT41, Barium Winnti, Wicked Panda and Wicked Spider) is responsible for the theft of source code, code signing certificates, customer account data as well as and other intellectual property related to business operations.
On September 14th, two men were arrested in the province of Sitiawan, Malaysia after arrest warrants were issued by the United States District Court for the District of Columbia. Five more men are wanted and remain at large in China. Indicators of compromise IOCs) were exchanged through FortiGuard Labs' intelligence sharing partnerships - and through our membership in the Cyber Threat Alliance (CTA) - to ensure we could provide coverage for the identified IOCs.
Why is this Significant?
APT41 has been in operation since 2011. It has been linked to supply chain compromises and for hacking into popular software vendors. Well known software titles with significant installation bases were compromised with malware. The modus operandi of this group was to compromise developer workstations that had access to source code repositories and then install backdoors and other malware into legitimate software. The intrusions also facilitated the installation of ransomware and crypto jacking schemes, where victim computer resources were used to mine cryptocurrency. This group is also linked to the use of PlugX/Fast/Korplug/ and Winnti/Pasteboy and Shadowpad malware, with the Korplug and Winnti being prominent malware families since 2012. To maintain persistence, the group has been observed to perform DLL side loading techniques to launch malware such as HK Door, Crosswalk, and others.
Other vendors lump APT41 as one group. However, Symantec (a fellow CTA member) states in their blog about how they have discovered two distinct but related operations working for the nation state. They are referred to as Blackfly and Grayfly. Blackfly's focus is primarily on cybercrime, while Grayfly's focus is on cyberespionage.
What is the Severity of Impact?
The severity should be regarded as MEDIUM, due to the fact that these campaigns have been observed in limited, targeted attacks.
What is the status of AV and IPS coverage?
Customers running the latest definitions are protected by the following AV signatures':
Customers running the latest definitions are protected by the following IPS signatures:
China.Chopper.Web.Shell.Client.Connection
WINNTI.Botnet
Backdoor.Cobalt.Strike.Beacon
Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal (CVE-2019-19781)
Pulse.Secure.SSL.VPN.HTML5.Information.Disclosure (CVE-2019-11510)
D-Link.DIR866L.PingTest.Remote.Code.Execution (CVE-2019-16920)
Nostromo.nhttpd.http_verify.Directory.Traversalv (CVE-2019-16278)
Cisco.RV320.Routers.Command.Injection (CVE-2019-1652)
Cisco.RV320.Routers.Information.Disclosure (CVE-2019-1653)
Zoho.ManageEngine.DC.getChartImage.Remote.Code.Execution (CVE-2020-10189)
All network IOC's related to this event are blocked by the WebFiltering client.
