CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. The flaw in the USAHerds web application mirrors a previously reported vulnerability in Microsoft Exchange Server (CVE-2020-0688): both applications shipped with a static validationKey and decryptionKey (collectively known as the machineKey) by default, so the secret that protects serialized state was the same across installations. In three investigations during 2021, APT41 exploited this zero-day vulnerability, which allowed them to successfully compromise at least six U.S. state government networks.
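The following is an added defensive example, not code from the page or from Mandiant: a small Python audit that reads an ASP.NET web.config, flags a hard-coded machineKey (the weak pattern described above) next to the auto-generated form, and reports when the same static validationKey recurs across several hosts, which is the tell-tale of a vendor default rather than a per-site secret. The config fragments and hex key values are constructed for illustration, and the function names (`audit_machine_key`, `shared_static_keys`) are hypothetical.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample web.config fragments for illustration only; they are not
# from USAHerds, Exchange, or any real product, and the hex keys are made up.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Validation (MAC) algorithms ASP.NET still accepts but documents as legacy.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}


def _machine_key(config_xml: str):
    """Return the <machineKey> element, or None if the config does not set one."""
    return ET.fromstring(config_xml).find("./system.web/machineKey")


def audit_machine_key(config_xml: str) -> List[str]:
    """Flag a web.config whose machineKey is hard-coded or uses a legacy MAC."""
    findings: List[str] = []
    mk = _machine_key(config_xml)
    if mk is None:
        # No element at all: ASP.NET auto-generates per-machine keys, nothing static to flag.
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.upper().startswith("AUTOGENERATE"):
            continue
        findings.append(
            f"{attr} is hard-coded in configuration; if this value ships with the "
            f"product, every install shares it and signed state can be forged by anyone who holds it"
        )
    validation = mk.get("validation", "HMACSHA256")
    if validation.upper() in LEGACY_VALIDATION:
        findings.append(f"validation={validation} is a legacy algorithm; prefer HMACSHA256 or stronger")
    return findings


def shared_static_keys(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each static validationKey to the hosts using it, keeping keys seen on 2+ hosts.

    A key that recurs across independent deployments is the signature of a vendor
    default rather than a per-site secret, and should be rotated everywhere.
    """
    by_key: Dict[str, List[str]] = {}
    for host, xml in configs.items():
        mk = _machine_key(xml)
        if mk is None:
            continue
        key = mk.get("validationKey", "AutoGenerate")
        if key.upper().startswith("AUTOGENERATE"):
            continue
        by_key.setdefault(key, []).append(host)
    return {k: hosts for k, hosts in by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
    # Constructed fleet: two hosts carrying the identical static key, one hardened.
    fleet = {"app-01": WEAK_CONFIG, "app-02": WEAK_CONFIG, "app-03": HARDENED_CONFIG}
    print(shared_static_keys(fleet))
```

Run it against the web.config files collected from each application server; the per-file findings point at the configuration to change, and the cross-host report shows which static key values need rotation because they are shared rather than unique.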
This vulnerability was part of a broader trend of China-nexus intrusion sets heavily targeting Remote Code Execution (RCE) vulnerabilities and leveraging zero-day vulnerabilities. Other notable instances include the exploitation of CVE-2021-44228 by APT41, UNC3886's use of a local zero-day vulnerability in FortiOS (CVE-2022-41328) to deploy custom malware families on Fortinet and VMware systems in September 2022, and UNC4841's targeting of a Barracuda ESG zero-day vulnerability (CVE-2023-2868) to gain access to ESG appliances and deploy additional malware.
In September 2022, two Microsoft Exchange zero-day vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, were also exploited by an unidentified China-nexus intrusion set. These incidents underscore the persistent threat posed by such groups and the importance of addressing software vulnerabilities promptly. For further information regarding deserialization exploits, Mandiant has provided resources including a new hunting rule generation tool ‘HeySerial’ and a blog post titled "Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits".
Description last updated: 2024-05-04T18:49:46.806Z