The Health Secord Cybersecurity Coordination Center (HC3) has issued a warning about the Chinese state-sponsored threat actor tracked as APT41. The group has been active since at least 2012 and has a history of targeting the healthcare sector, as well as education, high-tech, media, retail, software, pharma, telecoms, video games, travel services, and virtual currencies, with companies in the United States frequently targeted.
The group is known to conduct spear phishing, watering hole, and supply chain attacks, and frequently deploys backdoors to give persistent access to victims’ networks. Recently the threat group has been observed using SQL injection for the initial attack and Cobalt strike beacons, which are uploaded in small chunks. The group gains access to networks and gathers intelligence that can be used in future attacks and steals industry-specific information.
Once initial access is gained, the group escalates privileges, performs internal reconnaissance using compromised credentials, moves laterally within networks using Remote Desktop Protocol (RDP), stolen credentials, adds admin groups, and brute forces utilities. The group uses public and private malware and maintains persistence through backdoors. The group is known to use the BLACK COFFEE reverse shell, China Chopper web shell, Cobalt Strike, Gh0st Rat and PlugX remote access tools, Mimikatz for credential theft, and the ShadowPad backdoor. Data of interest are added to a RAR file for exfiltration, and the group covers its tracks by deleting evidence of compromise.
APT41 – also known as Double Dragon, Barium, Winnti, Wicked Panda, Wicked Spider, TG-2633, Bronze Atlas, Red Kelpie – conducted targeted campaigns on the healthcare sector in 2014, 2015, 2016, 2018, 2019, and 2020. Initially, the group was interested in IT and medical device software companies but has also targeted biotech firms and US cancer research facilities. In the attacks on cancer research facilities, the group exploited the CVE-2019-3396 vulnerability in Atlassian Confluence Server to gain access to networks and deployed EVILNUGGET malware.
In one of the more recent campaigns targeting healthcare organizations between January 2020 and March 2020, the group targeted Citrix, Cisco, and Zoho endpoints, exploiting the CVE-2019-19781 Citrix directory traversal vulnerability, and the CVE-2020-10189 Zoho remote code execution vulnerability. At least 75 organizations were targeted in the campaign.
In 2021 and 2022, the group conducted two zero-day attacks on the Animal Health Reporting Diagnostic System (USAHERDS) web-based application and successfully compromised at least six US state governments. The attacks are thought to have involved exploitation of the Log4j remote code execution vulnerability (CVE-2022-44228) and the zero-day hard-coded credentials vulnerability, CVE-2021-44207, which allowed the group to bypass authentication.
Members of the group were named in two separate indictments in 2019 and 2020 concerning their involvement in computer intrusions at 100 companies globally; however, the group remains highly active, and the indictments do not appear to have slowed down the group’s operations. The group is a key player in helping to make China’s 14th Five-Year Plan a success and achieve major scientific and technological advances in new generation artificial intelligence, quantum information, integrated circuits/semiconductors, neuroscience and brain-inspired research, genetics and biotechnology, clinical medicine and health, and deep sea, deep space, and polar exploration. The group is considered to be a significant threat to the healthcare and pharmaceutical industries in the United States.
The post Healthcare Industry Warned About Risk Posed by APT41 Threat Group appeared first on HIPAA Journal.