APT-41 Details
Compiled 9/20/2020
China-based - APT 41 Group
Aliases: Wicked Spider, Wicked Panda, Barium, Winnti Group, Axiom, Blackfly
This group has hacked over 100 organizations. Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan and Fu Qiang have all been indicted by the US Department of Justice, but are still at large. The hackers worked at Chengdu 404 Network Technology Company as white hat hackers.
APT-41's most common entry points have been malware hidden inside fake resumes and supply chain hacks.
Examples of the supply chain hacks are the CCleaner and ASUS LiveUpdate software update processes.
APT-41 has also used the vulnerabilities in Citrix and Pulse VPNs to gain a foothold into their targets.
List of exploits used (per justice.gov press release):
- CVE-2019-19781: Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances
- CVE-2019-11510: In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 - arbitrary file reading vulnerability
- CVE-2019-16920: Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends arbitrary input to a "PingTest" device common gateway interface that could lead to command injection
- CVE-2019-16278: Directory traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request
- CVE-2019-1652, CVE-2019-1653: A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.
- CVE-2020-10189: Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class.
Malware and tools used:
- ShadowPad - Backdoor
- PipeMon - Backdoor
- Winnti - Backdoor
- PortReuse - Backdoor
- AceHash - Credentials Harvester
References:
- https://scmagazine.com/home/security-news/gaming/major-software-vendor-compromised-with-previously-undocumented-portreuse-backdoor/
- https://krebsonsecurity.com/2020/09/chinese-antivirus-firm-was-part-of-apt41-supply-chain-attack/
- https://www.fbi.gov/wanted/cyber/apt-41-group
- https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer