FBI warning: China-based hacking group APT41 hacks into over 100 companies
In September, an FBI Flash on a People’s Republic of China (PRC) hacking group based in Chengdu, Sichuan Province, was published. This threat intel describes a highly sophisticated attack chain, using multiple modes of attack, including spearphishing and known vulnerabilities, along with compromised supply chain software and crypto-jacking. Here are some of the main findings of the 2020 FBI threat intel notice.
Tactics identified in the FBI threat intel notice
Using the MITRE ATT&CK Framework as a reference point for the cyberattack chain, the FBI notice sets out the tactics used by the adversaries.
The group is known to use spearphishing emails associated with malicious files. These spearphishing emails are often used to target HR departments with malicious files presented as applicant resumes. MITRE ATT&CK lists in its “Phishing: Spearphishing Attachment” section several profiles of actors using this method. One of them is APT41, a renowned state-sponsored Chinese hacking group. APT41 is known for sending spearphishing emails with attachments (including compiled HTML files). The FBI intel notes this use of HTML files in this flash notice. APT41 is infamous for a global supply chain attack that targeted over 100 high-tech and online gaming companies.
The spearphishing campaign is designed to steal credentials, targeting the login credentials of users with administrative access. Access escalation is also used to expand the unauthorized access capability of the adversaries.
Common vulnerabilities and exposures (CVE)
The FBI threat intel points out that during 2020 the cybercriminals carried out a campaign to make use of public exploits in known VPN software, including SoftEther. APT41 has used this technique previously. The group, according to MITRE ATT&CK, “Having compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.” During this attack a SoftEther vulnerability allowed the group to use “Skeleton Key” malware. This creates a master password to allow access to any account in the domain.
Malware and other techniques
The group is known to use multiple malware types, including gh0st, Derusbi, Azazel and Cobalt Strike. The group also uses web shells including China Chopper, which is now almost a decade old. Web shells facilitate access to an infected system using a malicious script to escalate and maintain persistent access on a compromised web app.
A technique that seems to be the weapon of choice of the group is DLL side-loading. According to MITRE ATT&CK, cybercriminals can execute malicious payloads by hijacking the library manifest used to load DLLs. The FBI warning says, “The group frequently implanted malware in ‘%WINDIR%\Windows\System32\wbem\loadperf.dll’ to side-jack of the proper ‘loadperf.dll’ file located in the “%WINDIR%\Windows\System32\” directory.”
Hop points of attack
When data travels across network points the data is said to hop between these points. A hop point is a compromised data point in a pathway that can be used to obfuscate intercepted data packets. The FBI threat intel points out that the APT41 group uses China-based IP addresses resolved to various Chinese internet service providers (ISPs). The hop points used by the group were leased servers. Email accounts were registered and accessed on these servers via remote access. As well as the email accounts, the servers were also used to host command and control (C2) domains, used to facilitate remote interaction with victims. The actors used these hop points as an obfuscation technique when interacting with victim networks.
C2 dead drops
A note made by the FBI threat intel is the use of “C2 dead drops” by the hacking group. These are identified by MITRE ATT&CK as a “web service: dead drop resolver,” whereby a hacker uses “existing, legitimate external web services to host information that points to additional command and control (C2) infrastructure.” The APT41 malware is designed to facilitate communication between the victim’s computer and the C2DD accounts.
A complex web is woven
The hackers create a network of interconnected actors consisting of U.S. and foreign email as well as social media, and other online accounts. These are used to develop online personas allowing the cyber actors to interact with “the group, other conspirators, ISPs, web hosting providers and victim companies.”
In a slick piece of social engineering, the domains used were spoofs of well-known brands to trick victims into believing they are legitimate.
FBI Flash recommended mitigations: Patch, monitor and control
The FBI threat intel suggests several mitigative measures to counter this APT41 threat:
- Timely patching of web servers, browsers, browser plugins, document readers and other associated software is highly recommended
- If patches for vulnerabilities are not available, look for appropriate mitigative measures
- Keep antivirus software up to date
- Routinely audit configuration and patch management programs. These measures are particularly important as APT41 attacks are dependent on CVEs
- Implement MFA and use good password hygiene
- Audit remote logins
- Correlate internal and external credential use
- Log use of system administrator commands, such as net, ipconfig and ping
- Use suspicious behavior detection measures such as UEBA (user and entity behavior analytics). This can help detect anomalous access and other unusual events
- Enforce the principle of least privilege
- Scan and monitor internet-accessible applications
- Actively monitor server disk use and audit for significant changes
- Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs and email addresses
- Network device management interfaces, such as Telnet, SSH, Winbox and HTTP should be turned off
- Use principles of Zero Trust, “never trust, always verify.” And where possible, segment critical information on air-gapped systems. Use strict access control measures for critical data
A list of the indicators of compromise (IoC) for this cyberattack can be found in the original FBI Flash notice.
Initial access, MITRE ATT&CK
Chinese antivirus firm was part of APT41 ‘supply chain’ attack, Krebs on Security
External remote services, MITRE ATT&CK
How to detect and prevent web shells, Infosec
Web service: Dead drop resolver, MITRE ATT&CK