China’s APT41 Exploited Citrix, Cisco, ManageEngine Flaws in Global Campaign
A China-linked threat actor tracked as APT41 has targeted many organizations around the world by exploiting vulnerabilities in Citrix, Cisco and Zoho ManageEngine products, FireEye reported on Wednesday.
APT41 has been active since at least 2012 and has targeted a wide range of organizations worldwide. The group has carried out both cyberespionage campaigns and financially motivated attacks, but FireEye told SecurityWeek that it has not been able to determine the end goal or motivation of this latest campaign.
FireEye says the Chinese hackers targeted more than 75 of its customers between January 20 and March 11, in sectors including banking, the defense industrial base, construction, government, technology, healthcare, higher education, manufacturing, legal, media, oil and gas, non-profit, pharmaceutical, petrochemical, real estate, transportation, travel, utilities and telecommunications.
Targeted entities were located in the US, Canada, Switzerland, Philippines, Australia, UK, UAE, Finland, France, Malaysia, Denmark, Mexico, Qatar, Saudi Arabia, Sweden, Japan and Poland.
“It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature,” FireEye said.
The threat group first exploited CVE-2019-19781, a vulnerability affecting Citrix ADC and Gateway products. The flaw was disclosed in December — before patches were released — and the first attacks exploiting the weakness were spotted in January.
According to FireEye, APT41 started exploiting the vulnerability on January 20. The attackers apparently paused between January 23 and February 1, which coincides with the Chinese Lunar New Year, and again between February 2 and 19, which could be related to COVID-19 coronavirus quarantine measures implemented in China.
On February 21, FireEye researchers spotted the hackers exploiting two vulnerabilities affecting Cisco RV320 and RV325 routers. In-the-wild exploitation of these flaws was first observed in January 2019, so the group was using year-old bugs against devices that had still not been patched.
Then, on March 8, APT41 started exploiting CVE-2020-10189, a vulnerability in ManageEngine Desktop Central whose details were published by a researcher on March 5, before the vendor had released a patch. This flaw is believed to have also been exploited by another China-linked group known as Winnti and Barium.
In these recent attacks APT41 relied only on publicly available tools such as Meterpreter and Cobalt Strike. Researchers said the group typically deploys its more advanced, custom malware only after conducting reconnaissance to determine whether the victim is of value.
“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years,” FireEye said. “While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41.”