Cybereason’s Operation CuckooBees investigation uncovered a campaign by the Chinese APT Winnti Group (APT41) that it believes has been exfiltrating intellectual property (IP) from multiple technology and manufacturing organizations since 2019. The campaign exploited vulnerabilities in an as-yet-unnamed enterprise resource planning (ERP) platform and remained undetected by using an expansive set of malware, including a new strain named DEPLOYLOG. The ERP platform was hosted on a Windows server, and the attackers used an RCE exploit to embed JSP code that deployed a web shell on the ERP web application.
Impact
Cybereason estimates that hundreds of gigabytes of data were exfiltrated during the Winnti campaign. It also determined that the group deployed its signature WINNKIT rootkit, a driver that contains a variety of tools specifically designed to transfer data from host machines. Cybereason has not publicly disclosed the IOCs it observed in this attack but has shared its findings with the FBI and DOJ.
DXC perspective
Despite being well known, WINNKIT is very difficult to detect. It is highly likely that this campaign would still be ongoing had multiple companies not engaged the Cybereason Nocturnus IR team to investigate intrusions. DXC has reached out to the researchers and obtained a limited list of IOCs. The recommended ERP solution is ServiceNow, and DXC will continue to gather intelligence to determine which ERP was compromised to initiate the attack.