Show vulnerabilities with patch / with exploit
26 March 2020

APT41 uses Cisco, Citrix, Zoho exploits in global hacking campaing


APT41 uses Cisco, Citrix, Zoho exploits in global hacking campaing

Security researchers have warned about massive hacking campaign, in which a Chinese cyber espionage group has been attacking organizations worldwide by exploiting flaws in popular business applications and devices fr om companies such as Cisco, Citrix and Zoho. Targeted countries include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, the UK and the US.

"Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers," researchers from security firm FireEye said in a new report.

They have also described the operation as one of "the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years."

The list of targeted industries includes banking/finance, construction, defense industrial base, government, healthcare, high technology, higher education, legal, manufacturing, media, non-profit, oil & gas, petrochemical, pharmaceutical, real estate, telecommunications, transportation, travel, and utility sectors.

"It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature," the researchers noted.

The hackers first exploited CVE-2019-19781, a vulnerability affecting Citrix ADC and Gateway products. The group only tried to exploit Citrix devices, suggesting APT41 was operating with an already-known list of identified devices accessible on the internet.

As per report, APT41 started exploiting the vulnerability on January 20. Then the attackers apparently took a break between January 23 and February 1, which coincides with the Chinese Lunar New Year, and February 2-19, which could be related to COVID-19 coronavirus quarantine measures implemented in China.

"While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry," the researchers said.

In February, the APT41 hackers successfully compromised a Cisco RV320 router at a telecommunications firm by exploiting two vulnerabilities (CVE-2019-1653 and CVE-2019-1652) affecting Cisco RV320 and RV325 routers.

At the beginning of March, the group started exploiting CVE-2020-10189, a remote code execution vulnerability in Zoho ManageEngine Desktop Central solution, for which the details and a proof-of-concept exploit were published online on March 5 (before the vendor has addressed the flaw).

In the recent campaign APT41 has been observed using only publicly available tools such as Meterpreter and Cobalt Strike.

“While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood wh ere they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage,” FireEye concludes.

Back to the list

Latest Posts

Vulnerability summary for the week: March 27, 2020

Vulnerability summary for the week: March 27, 2020

Weekly vulnerability digest.
27 March 2020
Unpatched iOS bug prevents VPN apps from encrypting all traffic

Unpatched iOS bug prevents VPN apps from encrypting all traffic

Affected versions of iOS fail to close existing internet connections when a user connects to a VPN.
27 March 2020
Rare BadUSB attack detected in the wild

Rare BadUSB attack detected in the wild

This case is a perfect example of how simple social engineering, a Best Buy gift card, and an BadUSB device could be used to compromise a company.
27 March 2020