26 March 2020

APT41 uses Cisco, Citrix, Zoho exploits in global hacking campaign

Security researchers have warned about a massive hacking campaign in which a Chinese cyber espionage group has been attacking organizations worldwide by exploiting flaws in popular business applications and devices from companies such as Cisco, Citrix and Zoho. Targeted countries include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, the Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, the UAE, the UK and the US.

"Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers," researchers from security firm FireEye said in a new report.

They have also described the operation as one of "the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years."

The list of targeted industries includes banking/finance, construction, defense industrial base, government, healthcare, high technology, higher education, legal, manufacturing, media, non-profit, oil & gas, petrochemical, pharmaceutical, real estate, telecommunications, transportation, travel, and utility sectors.

"It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature," the researchers noted.

The hackers first exploited CVE-2019-19781, a vulnerability affecting Citrix ADC and Gateway products. The group attempted exploitation only against Citrix devices, suggesting APT41 was working from a pre-existing list of internet-accessible devices it had already identified.

According to the report, APT41 started exploiting the vulnerability on January 20. The attackers then apparently paused between January 23 and February 1, which coincides with the Chinese Lunar New Year, and again from February 2 to 19, which may be related to the COVID-19 coronavirus quarantine measures implemented in China.

"While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry," the researchers said.

In February, the APT41 hackers successfully compromised a Cisco RV320 router at a telecommunications firm by exploiting two vulnerabilities (CVE-2019-1653 and CVE-2019-1652) affecting Cisco RV320 and RV325 routers.

At the beginning of March, the group started exploiting CVE-2020-10189, a remote code execution vulnerability in the Zoho ManageEngine Desktop Central solution, for which the details and a proof-of-concept exploit were published online on March 5, before the vendor had addressed the flaw.

In the recent campaign, APT41 has been observed using only publicly available tools such as Meterpreter and Cobalt Strike.

“While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage,” FireEye concludes.
