Security researchers at FireEye recently reported that the Chinese state-sponsored hacking group known as “APT41” has been launching targeted attacks against corporate and government networks by exploiting recently disclosed vulnerabilities in Citrix NetScaler/Application Delivery Controller (ADC), Cisco routers, and Zoho ManageEngine Desktop Central.
The targeted organizations were located in Australia, Canada, the USA, India, France, the UK, Denmark, the UAE, and many other countries, and they spanned almost every industry segment.
APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.
Between January 20 and March 5, 2020, FireEye observed APT41 attempting to exploit vulnerabilities in Citrix, Cisco and Zoho appliances at 75 of its customers.
The campaign coincided with companies shifting to remote work to limit the spread of COVID-19, a period in which VPN and remote-access appliances such as these were more heavily relied upon and more exposed to the Internet.
FireEye also detailed how and when the group exploited each of these vulnerabilities.
The exploitation of Citrix Application Delivery Controller (ADC) [CVE-2019-19781]:
In the first wave, APT41 went straight after specific Citrix appliances, which suggests the group had already compiled a list of vulnerable servers by scanning the Internet beforehand.
Then, in February 2020, the group attempted to download a previously unseen payload named ‘bsd’ via File Transfer Protocol (FTP), which was likely a backdoor.
“We did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry,” said FireEye.
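For defenders reviewing ADC/NetScaler HTTP access logs for the CVE-2019-19781 activity described above, the following is an added example and not code from the original article or from FireEye. It is a small Python triage script that flags the directory-traversal pattern Citrix's own published mitigation keys on: a request path that reaches `/vpns/` by way of `/../`. Paths are percent-decoded (repeatedly, to catch double encoding) before matching. The log lines are constructed for illustration, the regex assumes a combined-format HTTP access log, and the `/vpns/cfg/smb.conf` and `newbm.pl` paths are the ones widely reported in public scanner and exploit write-ups for this CVE, not something taken from the FireEye report.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Combined-format access log line, e.g. Apache/NGINX style (assumption: adapt
# the regex if your appliance or proxy logs in a different layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines for illustration only; the IPs are from the
# RFC 5737 documentation ranges and the entries are not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123
203.0.113.10 - - [20/Jan/2020:03:14:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1024
198.51.100.7 - - [20/Jan/2020:03:15:11 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.7 - - [20/Jan/2020:03:15:12 +0000] "GET /vpn/..%2fvpns/portal/backdoor.xml HTTP/1.1" 200 0
192.0.2.44 - - [20/Jan/2020:03:16:00 +0000] "GET /vpns/portal/scripts/rmbm.pl HTTP/1.1" 200 0
192.0.2.45 - - [20/Jan/2020:03:17:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048
"""


def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Strip the query string, percent-decode until the string stops changing
    (bounded, so %252f -> %2f -> / is caught), unify slashes and lower-case."""
    p = path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return p.replace("\\", "/").lower()


def classify_request(path: str) -> str:
    """'traversal' = /vpns/ reached via /../ (the CVE-2019-19781 pattern);
    'review' = /vpns/ touched without traversal, which is legitimate for an
    authenticated SSL VPN session but worth a look from an unknown source;
    'benign' = anything else."""
    p = normalize_path(path)
    if "/vpns/" in p and "/../" in p:
        return "traversal"
    if "/vpns/" in p:
        return "review"
    return "benign"


def triage(log_text: str) -> List[Dict]:
    """Return the non-benign requests with source, time, verdict and a hint of
    whether the server answered 200 (a 200 to a traversal request is the
    classic sign the appliance was unpatched at the time)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["path"])
        if verdict == "benign":
            continue
        status = int(m["status"])
        hits.append({
            "src": m["src"],
            "ts": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "status": status,
            "verdict": verdict,
            "served_ok": status == 200,
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["verdict"]:9} {hit["src"]:14} {hit["method"]:4} '
              f'{hit["status"]} {hit["path"]}')
```

A 200 response to a POST against a script under `/vpns/portal/scripts/` is the case to escalate first: on an unpatched appliance that is the write step of the public exploit chain, so the next move is to inspect the appliance's `/var/vpn/bookmark/` and `/netscaler/portal/templates/` for recently created files rather than relying on the log alone.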
Cisco Router Exploitation [CVE-2019-1653] & [CVE-2019-1652]:
On February 21, APT41 exploited a Cisco RV320 router belonging to a telecommunications organization.
“It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVEs (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on Cisco RV320 and RV325 small business routers and uses wget to download the specified payload,” said FireEye.
Zoho ManageEngine Zero-Day Vulnerability Exploitation [CVE-2020-10189]:
On March 8, APT41 exploited the then-zero-day vulnerability in Zoho ManageEngine Desktop Central at more than a dozen FireEye customers, deploying two separate variations of its payload.
At least five of those customers were compromised, with the attackers achieving arbitrary code execution on the affected servers.
In both variations, a batch file (install.bat) was used to install persistence for a trial version of the Cobalt Strike BEACON loader, storesyncsvc.dll, which in turn downloaded a VMProtect-packed Meterpreter downloader.
This isn’t the first time APT41 has leveraged publicly disclosed vulnerabilities to target organizations. Previously, the group exploited vulnerabilities in Pulse Secure VPN [CVE-2019-11510] and Atlassian Confluence [CVE-2019-3396] against a U.S.-based university.
“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years,” said FireEye in its report.