
Critical CVE-2021-44207 Vulnerability in Acclaim USAHERDS: Exploitation by APT41 and Mitigation Strategies


Executive Summary

Date: January 2025

CVE-2021-44207 is a critical vulnerability in Acclaim USAHERDS versions up to and including 7.4.0.1. It arises from hard-coded credentials shipped with the software, which an attacker who knows them can use to gain unauthorized access to the system and the sensitive data it holds. The vulnerability has been exploited in the wild, notably by the APT41 group against U.S. state government networks, and CISA has added it to its Known Exploited Vulnerabilities catalog. This report provides an analysis of the vulnerability, its exploitation, and recommended mitigation strategies.

Technical Information

CVE-2021-44207 is classified under CWE-798, Use of Hard-coded Credentials. It carries a CVSS v3.1 base score of 8.1 (High) with the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: it is reachable over the network, needs no privileges and no user interaction, and a successful exploit fully compromises confidentiality, integrity, and availability. The one mitigating component is attack complexity High (AC:H): the attacker must already possess the hard-coded credentials, which is why the score is 8.1 rather than 9.8. Because the credentials are identical in every installation, that precondition is met for all deployments once any single copy of the software has been examined.

Acclaim USAHERDS is an application used by U.S. state agencies to manage animal health and disease surveillance data. Versions up to and including 7.4.0.1 ship with hard-coded credentials. The Mandiant disclosure referenced below (MNDT-2021-0012) identifies them as the application's ASP.NET machineKey values, the validationKey and decryptionKey that authenticate and encrypt serialized ViewState. An attacker who knows those keys can sign a crafted ViewState payload that the server will accept and deserialize, which is how a "credential" flaw turns into remote code execution, data exfiltration, or disruption of the service.

Exploitation needs neither user interaction nor an existing account on the system. The only practical barrier is obtaining the keys, and because they are the same in every copy of the software, one installation (or one copy of the installer) yields the keys for all of them; that is what makes a hard-coded credential categorically worse than a weak one. Any internet-reachable USAHERDS instance on an affected version is therefore an attractive target for advanced persistent threat (APT) groups, which look for exactly this kind of low-effort, high-impact initial access for espionage or financial gain.
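The following is an added example, not code from the original report or from Acclaim Systems, that models why a hard-coded signing key is exploitable in the way described above. It uses HMAC-SHA256 over a byte string as a simplified stand-in for ASP.NET's MAC-protected ViewState; the key value, the payload, and the function names are all constructed for this illustration, and no real deserialization takes place.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for a key baked into every copy of an application
# (the CWE-798 pattern). The value is made up for this example.
SHARED_HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 4)
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_state(state: bytes, validation_key: bytes) -> str:
    """Simplified model of MAC-protected server state (the role ASP.NET's
    machineKey validationKey plays for ViewState):
    base64(state || HMAC-SHA256(validation_key, state))."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def verify_state(blob: str, validation_key: bytes):
    """Return the protected state if its MAC is valid under validation_key,
    otherwise None. A real server deserializes the state only after this."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(mac, expected) else None


def forge_state(payload: bytes, key_recovered_elsewhere: bytes) -> str:
    """The attacker's step: with a key recovered from any one copy of the
    software, mint a blob that every deployment sharing that key accepts."""
    return sign_state(payload, key_recovered_elsewhere)


def demo() -> dict:
    payload = b"attacker-chosen serialized object"  # constructed placeholder
    forged = forge_state(payload, SHARED_HARDCODED_KEY)

    # Deployment A still runs the hard-coded key: the forged blob verifies
    # and would be handed to the deserializer.
    vulnerable_accepts = verify_state(forged, SHARED_HARDCODED_KEY) == payload

    # Deployment B was re-keyed with a per-installation random value: the
    # same forged blob fails MAC verification before deserialization.
    per_install_key = os.urandom(64)
    rekeyed_accepts = verify_state(forged, per_install_key) == payload

    # A validly signed blob with one byte of state flipped is also rejected,
    # showing that the MAC itself is sound; the key management is the flaw.
    raw = bytearray(base64.b64decode(forged))
    raw[0] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode("ascii")
    tampered_accepts = verify_state(tampered, SHARED_HARDCODED_KEY) is not None

    return {
        "vulnerable_accepts_forgery": vulnerable_accepts,
        "rekeyed_accepts_forgery": rekeyed_accepts,
        "tampered_blob_accepted": tampered_accepts,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes is the one behind the AC:H rating: the verifier is not broken, so an attacker needs the key, but a key that is identical everywhere is obtained once and reused against every installation. Re-keying each deployment with its own random value is what breaks the reuse.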

Exploitation in the Wild

Exploitation of CVE-2021-44207 has been observed in the wild. Mandiant reported in March 2022 that APT41 (also tracked as BARIUM, Brass Typhoon, and Wicked Panda), a Chinese state-sponsored group that runs both espionage and financially motivated operations, had compromised at least six U.S. state government networks, with this vulnerability as one of its entry points. The intrusions used the hard-coded credentials to gain unauthorized access and execute code on the USAHERDS servers, leading to significant data breaches and operational disruption.

APT Groups using this vulnerability

APT41 is the only group publicly documented as exploiting CVE-2021-44207. It has a long history of targeting government, healthcare, and pharmaceutical organizations. In this campaign its tactics, techniques, and procedures (TTPs) started with the hard-coded credentials as the initial-access vector and led to remote code execution on the compromised servers. The group's activities have been linked to both state-sponsored espionage and financially motivated cybercrime, which makes it a significant threat to any organization still running vulnerable software.

Affected Product Versions

The affected product is Acclaim USAHERDS, versions up to and including 7.4.0.1. Organizations running any of these versions are exposed to active exploitation and should act immediately.

Workaround and Mitigation

To mitigate CVE-2021-44207, upgrade affected systems to a vendor-released version later than 7.4.0.1 as soon as possible; the vulnerability is in CISA's Known Exploited Vulnerabilities catalog, so U.S. federal agencies are under a fixed remediation deadline and other organizations should treat it with the same urgency. Where an upgrade is not immediately possible, take the vulnerable version offline, or at minimum remove it from internet exposure with network segmentation and access controls so that only known management and client networks can reach it. Because the credentials are identical across installations, assume an attacker already possesses them: any instance that was reachable while running an affected version should be reviewed for signs of compromise rather than simply patched, and, where vendor guidance permits, the embedded credentials should be replaced with values unique to your installation, since patching alone does not revoke what an attacker may already know. Regularly reviewing and updating security policies and procedures remains part of maintaining a robust security posture.
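As an added example (not from the original report, not Acclaim's code, and not a statement of how the vendor's fixed release is configured), the following audits an ASP.NET web.config for the CWE-798 pattern of explicit, product-wide machineKey values, shows the corrected single-server setting beside it, and re-keys a weak configuration with per-installation values. The sample configurations, the "shipped" key values, and the function names are constructed for the illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed "shipped" keys standing in for values distributed identically to
# every installation. Made up for this example; lengths match HMACSHA256 (64
# bytes) and AES-256 (32 bytes) keys.
SHIPPED_VALIDATION_KEY = "AB" * 64
SHIPPED_DECRYPTION_KEY = "CD" * 32

# Weak setting: the same explicit keys in every deployment.
WEAK_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{SHIPPED_VALIDATION_KEY}"
                decryptionKey="{SHIPPED_DECRYPTION_KEY}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Corrected setting for a single-server deployment: keys generated per
# machine and per application, never shared with anyone else's install.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Known product-wide values to match against (constructed; in practice fill
# this from the vendor's distributed files).
KNOWN_SHIPPED_KEYS = {SHIPPED_VALIDATION_KEY, SHIPPED_DECRYPTION_KEY}


def audit_machine_keys(config_xml: str, known_shipped=KNOWN_SHIPPED_KEYS) -> list:
    """Return (attribute, kind) for every machineKey attribute that is not
    AutoGenerate. 'shared-shipped-key' is the CWE-798 case (value distributed
    with the product); 'explicit-key' is a static value that needs review to
    confirm it is unique to this deployment."""
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue
            kind = "shared-shipped-key" if value.upper() in known_shipped else "explicit-key"
            findings.append((attr, kind))
    return findings


def rekey(config_xml: str) -> str:
    """Replace static keys with freshly generated per-installation values.
    For a web farm, run this once and copy the result to every node of that
    one deployment; explicit keys are required there because AutoGenerate
    would differ per node."""
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        mk.set("validationKey", secrets.token_hex(64).upper())  # 64-byte HMAC key
        mk.set("decryptionKey", secrets.token_hex(32).upper())  # 32-byte AES key
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("weak:", audit_machine_keys(WEAK_WEB_CONFIG))
    print("hardened:", audit_machine_keys(HARDENED_WEB_CONFIG))
    print("rekeyed:", audit_machine_keys(rekey(WEAK_WEB_CONFIG)))
```

Re-keying a single deployment still leaves explicit keys in the file, which the audit reports as "explicit-key" for review; that is the expected state for a web farm. The CWE-798 finding is specifically a value that matches what every other installation received. Treat the rekeyed config like any other secret (restrict file permissions, keep it out of source control), and remember that re-keying invalidates any ViewState or forms-authentication tickets issued under the old keys, so schedule it with a restart of the application.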

References

For more detailed information on CVE-2021-44207, please refer to the following resources:

  • NVD Entry for CVE-2021-44207: https://nvd.nist.gov/vuln/detail/CVE-2021-44207
  • CISA alert adding CVE-2021-44207 to the Known Exploited Vulnerabilities Catalog (23 December 2024): https://www.cisa.gov/news-events/alerts/2024/12/23/cisa-adds-one-known-exploited-vulnerability-catalog
  • Mandiant Vulnerability Disclosure: https://github.com/mandiant/Vulnerability-Disclosures/blob/master/MNDT-2021-0012/MNDT-2021-0012.md
  • Acclaim Systems Vendor Advisory: https://www.acclaimsystems.com

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive threat intelligence and vulnerability management solutions. We are here to support you in mitigating the risks associated with CVE-2021-44207 and other cybersecurity threats. For further assistance or inquiries, please contact us at ops@rescana.com.
