Researchers from FireEye have discovered Chinese cyber threat group APT41 carry out a broad cyber campaign between January 20 and March 11, 2020. The actors have attempted to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central products against 75 FireEye customers.
FireEye observed the targeted attacks across a broad number of countries and industries.
“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years,” FireEye said in the blog post.
The report highlights APT41 exploits against Citrix, Cisco and Zoho products.
CVE-2019-19781: Citrix Application Delivery Controller (ADC) vulnerability
The APT41 actors began exploiting CVE-2019-19781 on certain Citrix system targets between January 20 and 21, 2020.
According to observed exploitation activity, APT41 executed command ‘file /bin/pwd’ to first confirm whether target systems were vulnerable. Second, the command would return more details around the architecture to help the actors in successfully deploying a backdoor.
“APT41 was operating with an already-known list of identified devices accessible on the internet,” FireEye added.
Citrix previously announced security updates for ADC and Gateway products on January 19, 2020, nearly a week after UK’s National Cyber Security Centre confirmed active exploits in the wild of the Citrix vulnerability CVE-2019-19781.
In addition, Citrix originally released details on the vulnerability on December 17, 2019, but had no patch available for download. As a result, security experts soon thereafter widely reported about exploits in the wild since early January.
Cisco router exploits
On February 21, 2020, APT41 successfully exploited a Cisco RV320 router at a telecom firm. However, FireEye could not confirm exactly which specific Cisco router vulnerability was exploited.
Two likely vulnerability candidates are CVE-2019-1653 and CVE-2019-1652, that could allow a remote attacker to execute code on Cisco RV320 and RV325 small business routers. Attackers could further use wget to download the specified payload.
CVE-2020-10189: Zoho ManageEngine Zero-Day Vulnerability
On March 8, FireEye spotted APT41 attempting to exploit a Zoho ManageEngine vulnerability CVE-2020-10189 at more than a dozen of its customers. As a result, five customers were compromised.
The attack came only three days after a security researcher Steven Seeley published an advisory and POC code for the zero-day vulnerability CVE-2020-10189 in Zoho ManageEngine Desktop Central versions prior to 10.0.474
Conclusion and outlook
FireEye has provided more details in the report, to include indicators of compromise and techniques used to pull off the vulnerability exploits. The security firm also noted that APT41 used publicly available malware such as Cobalt Strike and Meterpreter.
“In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage,” FireEye concluded.