APT 41’s VPN Exploits & The Great Firewall’s Leaky Secrets
In this episode of Breaking Badness, we dive into two major cybersecurity stories: the exploitation of a VPN vulnerability by Chinese APT 41 and the newly discovered “Wall Bleed” flaw in the Great Firewall of China.
APT 41 has been using a critical VPN vulnerability to infiltrate operational technology (OT) organizations, targeting industries like aerospace and defense. Meanwhile, researchers have uncovered a flaw in China’s DNS injection system, which inadvertently leaks internal data—an ironic twist for a government known for its strict internet censorship.
Join us as we break down these exploits, their impact on cybersecurity, and what they reveal about modern cyber espionage. We also discuss best practices for securing VPNs, firewall vulnerabilities, and the ethical implications of studying censorship technologies.
APT 41 Exploits VPN Vulnerability in OT Organizations
Who is APT 41?
APT 41, also known as Winnti, Double Dragon, or Barium, is a well-known Chinese state-sponsored hacking group.
“APT 41… they’ve compromised at least 100 companies worldwide. They do all the usual techniques, malware, supply chain attacks.” – Tim Helming
What’s the Vulnerability?
APT 41 is exploiting CVE-2024-24919, a vulnerability in Check Point security gateways. This flaw allows attackers to read sensitive files and directories without authentication, which makes the affected gateways an attractive target for cyber espionage.
“You can’t really have a VPN device that’s not exposed to the Internet, or it won’t do the thing. By definition this is not like some devices where we can give the advice not to expose it on the Internet.” – Tim Helming
Why OT Organizations Are Prime Targets
OT organizations—especially those in aerospace and defense—are frequent espionage targets due to their sensitive intellectual property. APT 41’s goal appears to be stealing critical data rather than disrupting infrastructure.
“We’re not seeing evidence that there is compromise of actual OT devices. Manufacturing processes and automation devices and stuff like that being compromised is not what we seem to be observing here right now. It’s more in lines of intellectual property theft.” – Tim Helming
How Many Systems Are Still at Risk?
According to past research from GreyNoise, nearly 800 IP addresses attempted to exploit this vulnerability shortly after it was disclosed. A scan by Censys identified over 13,000 unpatched devices at the time.
While many have since been patched, some organizations remain vulnerable, making continued monitoring crucial.
Key Takeaways for Security Teams
- Patch VPN vulnerabilities immediately – Especially for internet-exposed devices like security gateways.
- Use multi-factor authentication (MFA) – While this attack was unauthenticated, weak VPN credentials remain a major risk.
- Monitor for lateral movement – APT 41 used the compromised VPNs to access Active Directory environments, escalating their access.
Read the article from Dark Reading here.
“Wall Bleed”: The Great Firewall of China’s DNS Flaw
What is Wall Bleed?
A group of researchers uncovered a flaw in the DNS injection system of China’s Great Firewall. The vulnerability—dubbed “Wall Bleed”—allows attackers to extract up to 125 extra bytes of unintended data from DNS responses.
This resembles the infamous Heartbleed vulnerability from 2014, which leaked sensitive memory from TLS servers.
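One practical way for a defender or a researcher to notice a response that carries more than it should is to check every DNS reply against the query it answers. The following is an added example, not code from the podcast or from the Wall Bleed report; it builds constructed sample packets (a query for example.com, a well-formed answer, and two deliberately malformed answers) and validates a response by confirming that the transaction ID and the echoed question section match the query byte-for-byte, that every advertised resource record fits inside the packet, and that no unexplained bytes remain. It assumes that a leak of the kind the page describes shows up as bytes the query and the advertised records do not account for; the function names and the sample data are this example's own.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels with a terminating zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal A query with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_answer(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Constructed sample input: a well-formed answer echoing the query's question."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr

def parse_name(buf: bytes, offset: int):
    """Parse a possibly compressed name; return (labels, offset after the name).
    Raises ValueError for any name that does not fit inside the packet."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if offset + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            continue
        if length > 63 or offset + 1 + length > len(buf):
            raise ValueError("bad label length")
        labels.append(buf[offset + 1:offset + 1 + length])
        offset += 1 + length
    return labels, (end if jumped else offset)

def check_response(query: bytes, response: bytes) -> dict:
    """Compare a response with its query and account for every byte in it."""
    findings = []
    if len(response) < 12:
        return {"ok": False, "findings": ["response shorter than DNS header"], "trailing_bytes": 0}
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        findings.append("transaction id mismatch")
    if not flags & 0x8000:
        findings.append("QR bit not set")
    _, q_end = parse_name(query, 12)
    expected_question = query[12:q_end + 4]  # name + qtype + qclass
    offset = len(response)
    try:
        _, r_end = parse_name(response, 12)
        r_end += 4
        if r_end > len(response):
            raise ValueError("truncated question section")
        # The question section must echo the query exactly; extra bytes here are suspicious.
        if qd != 1 or response[12:r_end] != expected_question:
            findings.append("question section does not match query")
        offset = r_end
        for _ in range(an + ns + ar):
            _, offset = parse_name(response, offset)
            if offset + 10 > len(response):
                raise ValueError("truncated resource record")
            rdlength = struct.unpack("!H", response[offset + 8:offset + 10])[0]
            offset += 10 + rdlength
            if offset > len(response):
                raise ValueError("rdata runs past end of packet")
    except ValueError as exc:
        findings.append(f"malformed response: {exc}")
        offset = len(response)
    trailing = len(response) - offset
    if trailing > 0:
        findings.append(f"{trailing} unexplained trailing bytes")
    return {"ok": not findings, "findings": findings, "trailing_bytes": trailing}

# Constructed samples: one clean reply, one whose echoed question carries bytes the
# query never contained, and one with data appended after the last record.
QUERY = build_query("example.com")
GOOD = build_answer(QUERY, "93.184.216.34")
LEAKY = GOOD[:12] + encode_name("example.com.leaked-bytes") + struct.pack("!HH", 1, 1) + GOOD[29:]
TRAILING = GOOD + b"\x00" * 5

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("leaky", LEAKY), ("trailing", TRAILING)):
        print(label, check_response(QUERY, pkt))
```

The check is deliberately generic: it does not depend on who injected the response, only on whether the reply is fully explained by the query and its own header counts, so it also catches ordinary middlebox bugs and truncation.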
How Was This Discovered?
Researchers probed the Great Firewall’s DNS filters for years, collecting leaked data. They found that the custom-built censorship mechanisms inadvertently exposed:
- Internal IP addresses used for censorship.
- HTTP headers and SMTP commands from inside the firewall.
- Censorship decision processes within the firewall’s infrastructure.
“So they noticed this in, it looks like, late 2021-ish. And then for a number of years poked at the resolvers inside and around the Great Firewall to leak data out of the Great Firewall about a number of things, but they just gave them a little bit of access to see what was going on there.” – Taylor Wilkes-Pierce
What This Means for Global Cybersecurity
- The Great Firewall is not invulnerable – China’s censorship tools have exploitable flaws.
- State-run cyber defenses can have unintended leaks – even advanced systems can introduce vulnerabilities.
- This could provide insights into bypassing censorship – researchers and activists may use this knowledge to develop better circumvention techniques.
Read the full Great Firewall Report here.
That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
A special thanks to John Roderick for our incredible podcast music!