CVE-2021-44207

Vulnerability Profile Updated a month ago
CVE-2021-44207 is a vulnerability in the USAHerds web application, an ASP.NET application used by U.S. state governments for animal health management, that was exploited as a zero-day by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. The flaw mirrors CVE-2020-0688 in Microsoft Exchange Server: the application shipped with a static validationKey and decryptionKey (collectively known as the ASP.NET machineKey) by default. ViewState integrity protection depends on the validationKey being secret to the installation, so anyone who knows the shared default key can sign an arbitrary serialized ViewState payload that the server accepts and deserializes, turning the static key into a remote code execution primitive. In three investigations during 2021, Mandiant observed APT41 exploiting this zero-day; it was one of the vectors through which the group compromised at least six U.S. state government networks.

The USAHerds exploitation fits a broader pattern of China-nexus intrusion sets concentrating on remote code execution (RCE) vulnerabilities and zero-days. Other notable instances include APT41's exploitation of CVE-2021-44228 (Log4Shell); UNC3886's use of a local zero-day in FortiOS (CVE-2022-41328) in September 2022 to deploy custom malware families on Fortinet and VMware systems; UNC4841's exploitation of the Barracuda ESG zero-day CVE-2023-2868 to gain access to ESG appliances and deploy additional malware; and the exploitation in September 2022 of two Microsoft Exchange zero-days, CVE-2022-41040 and CVE-2022-41082, by an as-yet-unidentified China-nexus intrusion set. These incidents underscore the persistent threat posed by such groups and the importance of patching promptly and of auditing vendor-shipped defaults such as static cryptographic keys.

For further information on hunting deserialization exploits, Mandiant has published a hunting rule generation tool, HeySerial, and a blog post titled "Now You Serial, Now You Don't — Systematically Hunting for Deserialization Exploits".
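The following Python model, added here as an illustration and not code from USAHerds, Exchange, or Mandiant, shows why a static machineKey is fatal. It keeps only the key-handling logic of ASP.NET ViewState MAC protection: the serialized page state is treated as an opaque byte string, the MAC is HMAC-SHA256 over state plus a per-page modifier, and the deserialization gadget itself is not modelled. The key, the modifier and the "state" bytes are all constructed values; real ASP.NET uses LosFormatter/ObjectStateFormatter and its own MAC layout.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a validationKey shipped unchanged in every
# installation's web.config (the CVE-2020-0688 / CVE-2021-44207 pattern).
# Any attacker who reads the vendor's default config knows it.
STATIC_VALIDATION_KEY = b"constructed-static-validation-key-identical-on-every-install"

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(validation_key: bytes, state: bytes, modifier: bytes) -> str:
    """Return base64(state || HMAC-SHA256(key, state || modifier)).

    `modifier` plays the role of the per-page / per-user salt (page path,
    ViewStateUserKey) that ASP.NET mixes into the MAC. Simplified model."""
    mac = hmac.new(validation_key, state + modifier, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()


def verify_viewstate(validation_key: bytes, blob: str, modifier: bytes) -> Optional[bytes]:
    """Return the state if the MAC checks out, else None.

    Only after this check would a real server hand the state to the
    deserializer; a forgeable MAC therefore turns the deserialization sink
    into remote code execution."""
    raw = base64.b64decode(blob)
    if len(raw) < MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state + modifier, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return state


def attacker_forges(known_key: bytes, modifier: bytes) -> str:
    """An attacker who knows the static key signs arbitrary state.

    The bytes below stand in for a malicious serialized object graph; the
    gadget chain is deliberately not modelled here."""
    malicious_state = b"<constructed: serialized gadget chain>"
    return sign_viewstate(known_key, malicious_state, modifier)


def server_accepts(server_key: bytes, blob: str, modifier: bytes) -> bool:
    """True if a server holding `server_key` would pass `blob` to the deserializer."""
    return verify_viewstate(server_key, blob, modifier) is not None


def demo() -> dict:
    """Compare a static-key deployment with a per-installation-key deployment."""
    modifier = b"/Default.aspx"  # constructed page-path modifier
    forged = attacker_forges(STATIC_VALIDATION_KEY, modifier)

    # Vulnerable deployment: the server holds the same static key the attacker
    # read from the vendor's default web.config. The modifier does not help,
    # because the attacker simply signs with the same modifier.
    vulnerable = server_accepts(STATIC_VALIDATION_KEY, forged, modifier)

    # Fixed deployment: the key is unique to this installation (equivalent to
    # generating a random machineKey per host at install time). The forged
    # MAC no longer matches and the payload never reaches the deserializer.
    per_install_key = secrets.token_bytes(64)
    fixed = server_accepts(per_install_key, forged, modifier)

    return {
        "static_key_accepts_forgery": vulnerable,
        "per_install_key_accepts_forgery": fixed,
    }


if __name__ == "__main__":
    print(demo())
```

The practical check this implies: confirm that the machineKey element in each ASP.NET application's web.config (and in machine-level config) is not a value copied from vendor documentation or shared across installations, and rotate it if it is. Rotating the key alone is not a fix for a deserialization sink, but it removes the unauthenticated path to it.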
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Exploit
Zero Day
RCE (Remote ...
Fortios
Remote Code ...
State Sponso...
Log4j
Webshell
Mandiant
Vulnerability
China
Associated Malware
KEYPLUG (type: Unspecified; votes: 1)
Keyplug is a modular backdoor malware written in C++, capable of supporting multiple network protocols for command and control (C2) traffic. This includes HTTP, TCP, KCP over UDP, and WSS. It was heavily used by APT41, also known as RedGolf, Winnti, Wicked Panda, Bronze Atlas, and Barium, a Chinese
keyplug.linux (type: Unspecified; votes: 1)
Keyplug.linux is the Linux variant of the KEYPLUG backdoor, used by APT41, a highly adaptable and resourceful threat actor, alongside the Windows variant during its operations against U.S. state governments.
Associated Threat Actors
APT41 (type: Unspecified; votes: 2)
APT41, also known as Winnti, Wicked Panda, and Wicked Spider, among other names, is a threat actor suspected to originate from China. With potential ties to the Chinese government, APT41 has been involved in complex cyber espionage operations since at least 2012, targeting organizations in at least
UNC3886 (type: Unspecified; votes: 1)
UNC3886 is a threat actor with suspected links to Beijing, China, that has been active in the cyber-espionage landscape. A threat actor refers to any human entity behind the execution of actions with malicious intent, which can range from an individual hacker to a private company or even part of a g
Associated Vulnerabilities
CVE-2021-44228 (type: Unspecified; votes: 2)
CVE-2021-44228, also known as Log4Shell, is a critical vulnerability in the Apache Log4j software library that has been widely exploited since its discovery. This flaw in software design or implementation allows for remote code execution, making it a prime target for malicious actors. Despite multip
CVE-2022-41082 (type: Unspecified; votes: 1)
CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack
ProxyNotShell (type: Unspecified; votes: 1)
ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
CVE-2020-0688 (type: Unspecified; votes: 1)
CVE-2020-0688 is a significant vulnerability in Microsoft Exchange Server. Microsoft's advisory titled it a memory corruption vulnerability, but the root cause is key reuse: the application uses a static validationKey and decryptionKey (collectively known as the machineKey) by default, so the ViewState MAC can be forged and a crafted serialized payload deserialized for remote code execution
CVE-2023-2868 (type: Unspecified; votes: 1)
CVE-2023-2868 is a significant software vulnerability that was identified in the Barracuda Email Security Gateway (ESG) appliances. This flaw, specifically a remote command injection vulnerability, was disclosed by Barracuda on May 30th, 2023. The vulnerability had been exploited as early as October
CVE-2022-41328 (type: Unspecified; votes: 1)
CVE-2022-41328 is a significant software vulnerability discovered in Fortinet's FortiOS. It was heavily targeted by China-nexus intrusion sets, particularly UNC3886, who exploited the vulnerability to deploy custom malware families on Fortinet and VMware systems. This exploitation occurred in Septem
CVE-2022-41040 (type: Unspecified; votes: 1)
CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism
Source Document References
Information about the CVE-2021-44207 vulnerability was read from the documents in the corpus below. This display is limited to 20 results.
Source: MITRE (created 6 months ago)
Title: A Summary of APT41 Targeting U.S. State Governments
Source: CERT-EU (created 9 months ago)
Title: My Tea's not cold: an overview of China's cyber threat – Global Security Mag Online