The Chinese language superior persistent risk (APT) actor tracked as Winnti (aka APT41) has focused at the least 13 organizations geographically spanning throughout the U.S, Taiwan, India, Vietnam, and China towards the backdrop of 4 completely different campaigns in 2021.
“The focused industries included the general public sector, manufacturing, healthcare, logistics, hospitality, schooling, in addition to the media and aviation,” cybersecurity agency Group-IB said in a report shared with The Hacker Information.
This additionally included the assault on Air India that got here to mild in June 2021 as a part of a marketing campaign codenamed ColunmTK. The opposite three campaigns have been assigned the monikers DelayLinkTK, Mute-Pond, and Mild-Voice based mostly on the domains used within the assaults.
APT41, often known as Barium, Bronze Atlas, Double Dragon, Depraved Panda, or Winnti, is a prolific Chinese cyber threat group that is recognized to hold out state-sponsored espionage exercise in parallel with financially motivated operations at the least since 2007.
Describing 2021 as an “intense 12 months for APT41,” assaults mounted by the adversary concerned primarily leveraging SQL injections on focused domains because the preliminary entry vector to infiltrate sufferer networks, adopted by delivering a customized Cobalt Strike beacon onto the endpoints.
“APT41 members often use phishing, exploit numerous vulnerabilities (together with Proxylogon), and conduct watering gap or supply-chain assaults to initially compromise their victims,” the researchers stated.
Different actions carried out post-exploitation ranged from establishing persistence to credential theft and conducting reconnaissance by living-off-the-land (LotL) strategies to collect details about the compromised surroundings and laterally transfer throughout the community.
The Singapore-headquartered firm stated it recognized 106 distinctive Cobalt Strike servers that have been completely utilized by APT41 between early 2020 and late 2021 for command-and-control. A lot of the servers are now not lively.
The findings mark the continued abuse of the official adversary simulation framework by completely different risk actors for post-intrusion malicious actions.
“Up to now, the instrument was appreciated by cybercriminal gangs concentrating on banks, whereas immediately it’s widespread amongst numerous risk actors no matter their motivation, together with notorious ransomware operators,” Group-IB Menace Analyst, Nikita Rostovtsev, stated.