The Health Sector Cybersecurity Coordination Center (HC3) has issued an alert concerning the Chinese state-sponsored threat actor tracked as APT41. This threat group has been active since 2012 and has a record of attacking the healthcare industry. It also attacks the media, education, high-tech, retail, software, pharmaceutical, telecommunications, travel services, video game, and virtual currency sectors. It mostly targets organizations in the United States.
The group carries out spear phishing, supply chain attacks, and watering hole attacks. It often deploys backdoors to provide persistent access to victims' networks. Recently, the threat group was observed using SQL injection for the initial attack and Cobalt Strike beacons that are uploaded in small chunks. The group obtains access to systems, collects intelligence to be used in later attacks, and steals industry-related data.
Once initial access is obtained, the group escalates privileges, moves laterally within networks using Remote Desktop Protocol (RDP) and stolen credentials, performs internal reconnaissance with compromised credentials, and adds brute-force utilities and administrative groups. The group uses both public and private malware and maintains persistence through backdoors. It is known to use the China Chopper web shell, the BLACK COFFEE reverse shell, the Gh0st RAT and PlugX remote access tools, Cobalt Strike, Mimikatz for credential theft, and the ShadowPad backdoor. Data of interest is packaged into a RAR archive for exfiltration, and the group covers its tracks by deleting evidence of compromise.
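The chain described above (RDP lateral movement, staging of data into a RAR archive, then deletion of evidence) is the kind of sequence a defender can correlate per host. The following is an added example, not code from the HC3 alert; the event lines, the "timestamp|host|event|detail" layout and the one-hour window are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the page or the HC3 alert): a simplified,
# Windows-flavoured record set in the form "timestamp|host|event|detail".
SAMPLE_EVENTS = """\
2020-02-03T09:12:01|srv-app01|logon|type=10 user=svc_backup src=10.0.5.22
2020-02-03T09:14:40|srv-app01|process|C:\\Tools\\rar.exe a -hp -m5 C:\\stage\\data.rar C:\\Research
2020-02-03T09:20:10|srv-app01|process|wevtutil.exe cl Security
2020-02-03T10:01:00|ws-finance7|logon|type=2 user=jdoe src=-
2020-02-03T10:05:33|ws-finance7|process|C:\\Program Files\\7-Zip\\7z.exe a backup.7z docs
"""

# Archive tools commonly used to stage data, and the Windows event-log clear command.
ARCHIVE_TOOLS = re.compile(r"(?:^|\\)(rar|winrar|7z)\.exe\b", re.IGNORECASE)
LOG_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.IGNORECASE)
WINDOW = timedelta(hours=1)  # assumed correlation window


def parse(text):
    """Yield (timestamp, host, kind, detail) tuples from the constructed format."""
    for line in text.strip().splitlines():
        ts, host, kind, detail = line.split("|", 3)
        yield datetime.fromisoformat(ts), host, kind, detail


def find_staging_hosts(text, window=WINDOW):
    """Return hosts where an RDP logon (logon type 10) is followed within
    `window` by archive-tool execution; also report whether the event log
    was cleared in the same window."""
    per_host = defaultdict(list)
    for ts, host, kind, detail in parse(text):
        per_host[host].append((ts, kind, detail))
    hits = {}
    for host, events in per_host.items():
        rdp_logons = [ts for ts, k, d in events if k == "logon" and "type=10" in d]
        for start in rdp_logons:
            span = [(k, d) for ts, k, d in events if start <= ts <= start + window]
            archived = any(k == "process" and ARCHIVE_TOOLS.search(d) for k, d in span)
            cleared = any(k == "process" and LOG_CLEAR.search(d) for k, d in span)
            if archived:  # archive after RDP is the trigger; log clearing raises severity
                hits[host] = {"archive": True, "log_clear": cleared}
    return hits


if __name__ == "__main__":
    print(find_staging_hosts(SAMPLE_EVENTS))
```

Only srv-app01 is flagged: ws-finance7 also runs an archiver, but after a local (type 2) logon rather than an RDP session, so a single archive event alone is not treated as staging.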
APT41 – also known as Double Dragon, Winnti, Barium, Wicked Panda, TG-2633, Red Kelpie, Wicked Spider, and Bronze Atlas – carried out attacks on the healthcare industry in 2014, 2015, 2016, 2018, 2019, and 2020. At first, the group was interested in IT and medical device software firms, and it later also targeted biotech companies and US cancer research centers. During the attacks on cancer research centers, the group exploited the CVE-2019-3396 vulnerability in Atlassian Confluence Server to gain access to systems and used the EVILNUGGET malware.
During its recent campaigns against healthcare companies from January 2020 to March 2020, the group attacked Cisco, Citrix, and Zoho endpoints, exploiting the CVE-2020-10189 Zoho remote code execution vulnerability and the CVE-2019-19781 Citrix directory traversal vulnerability. At least 75 companies were attacked during the campaign.
In 2021 and 2022, the group carried out two zero-day attacks on the Animal Health Reporting Diagnostic System (USAHERDS) web-based application and succeeded in compromising at least six US state governments. The attacks are believed to have involved exploitation of the Log4j remote code execution vulnerability (CVE-2022-44228) as well as the zero-day hard-coded data vulnerability, CVE-2021-44207, which allowed the group to bypass authentication.
Group members were named in two separate indictments in 2019 and 2020 for their participation in computer intrusions at 100 organizations around the world; nevertheless, the group remains very active, and the indictments do not appear to have slowed the group's campaigns. APT41 plays a major role in advancing China's 14th Five-Year Plan, which seeks significant scientific and technological advances in next-generation artificial intelligence, semiconductors/integrated circuits, quantum data, neuroscience and brain-inspired research, health and clinical medicine, genetics and biotechnology, and deep space, deep sea, and polar exploration. The group is regarded as a considerable threat to the healthcare and pharmaceutical sectors in the U.S.