The Chinese advanced persistent threat (APT) actor tracked as ‘Winnti’ targeted at least 13 organizations spanning the U.S., Taiwan, India, Vietnam, and China across four different campaigns in 2021.
The targeted industries included the public sector, manufacturing, healthcare, logistics, hospitality, education, as well as the media and aviation, including the attack on Air India that came to light in June 2021 as part of a campaign codenamed ColunmTK. The other three campaigns have been assigned the monikers DelayLinkTK, Mute-Pond, and Gentle-Voice based on the domain names used in the attacks.
APT41 is a prolific Chinese cyber threat group that has carried out state-sponsored espionage in parallel with financially motivated operations since at least 2007. APT41 members typically use phishing, exploit various vulnerabilities (including ProxyLogon), and conduct watering hole or supply-chain attacks to gain initial access to their victims.
The attacks mounted by the adversary primarily leveraged SQL injection against targeted domains as the initial access vector to infiltrate victim networks, followed by delivering a custom Cobalt Strike Beacon onto the endpoints. The Beacon was uploaded in smaller chunks of Base64-encoded strings as an obfuscation tactic to fly under the radar, and the chunks were then reassembled and written out as the full payload to a file on the infected host.
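The chunked Base64 upload described above leaves a recognisable trace in web-server logs: many short requests from one client to one endpoint, each carrying a Base64-looking parameter value. The detection heuristic below is an added example (not code from the article or from any vendor report): it groups such fragments by client, path and parameter, reassembles them in order of appearance, and flags groups that decode to a PE image. The log lines are constructed, and the log format and parameter names are assumptions.

```python
import base64
import re
from collections import defaultdict

# Constructed sample access-log lines: one client posts a PE image to one
# endpoint in three Base64 fragments (the MZ header is split across them).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2021:10:01:01 +0000] "GET /api/item?id=1 HTTP/1.1" 200 512
203.0.113.9 - - [12/Jun/2021:10:02:10 +0000] "POST /upload.php?part=1&data=TVqQAAMAAAAEAAAA HTTP/1.1" 200 12
203.0.113.9 - - [12/Jun/2021:10:02:11 +0000] "POST /upload.php?part=2&data=//8AALgAAAAAAAAA HTTP/1.1" 200 12
203.0.113.9 - - [12/Jun/2021:10:02:12 +0000] "POST /upload.php?part=3&data=QAAAAAAAAAAAAAAA HTTP/1.1" 200 12
10.0.0.7 - - [12/Jun/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common Log Format with the request line broken into method and URL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
# Query parameters whose value looks like Base64 (8+ alphabet chars, optional padding).
B64_PARAM_RE = re.compile(r'[?&](?P<key>\w+)=(?P<val>[A-Za-z0-9+/]{8,}={0,2})')


def reassemble_chunks(log_text, min_chunks=3):
    """Group Base64-looking values by (client, path, parameter), join them in
    log order, decode, and report groups of at least min_chunks fragments."""
    chunks = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m['url'].split('?', 1)[0]
        for p in B64_PARAM_RE.finditer(m['url']):
            chunks[(m['ip'], path, p['key'])].append(p['val'])

    findings = []
    for (ip, path, key), parts in chunks.items():
        if len(parts) < min_chunks:
            continue
        # Strip per-chunk padding, then re-pad the joined string once.
        joined = ''.join(p.rstrip('=') for p in parts)
        joined += '=' * (-len(joined) % 4)
        try:
            blob = base64.b64decode(joined, validate=True)
        except ValueError:
            continue  # not valid Base64 once joined; ignore
        findings.append({'client': ip, 'path': path, 'param': key,
                         'chunks': len(parts), 'bytes': len(blob),
                         'looks_like_pe': blob[:2] == b'MZ'})
    return findings


if __name__ == '__main__':
    for f in reassemble_chunks(SAMPLE_LOG):
        print(f)
```

A `looks_like_pe` hit on a parameter that should never carry binary data is a strong indicator; the same grouping also works for base64 fragments carried in POST bodies if the log source records them.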