Security researchers have described what they claim to be one of the most widespread threat campaigns from a Chinese APT group in recent years, exploiting Citrix and Zoho endpoints at scores of customer organizations.
FireEye explained in a new report that the state-sponsored APT41 group worked between January 20 and March 11 to target 75 customers with attacks on Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central products.
Although the group appeared to be working from a pre-selected group of targets, victim organizations ranged from a huge sweep of verticals, including telecommunications, manufacturing, healthcare, government, oil & gas, higher education, defense, industrial, pharmaceutical, finance, high-tech, petrochemical, transportation, construction, utilities, media, non-profit, legal, real estate, and travel.
Victims were located all over the globe, in the US, Canada, Switzerland, Philippines, Australia, UK, UAE, Finland, France, Malaysia, Denmark, Mexico, Qatar, Saudi Arabia, Sweden, Japan and Poland.
Their first target was Citrix ADC and Gateway devices exposed by the CVE-2019-19781 vulnerability. Although the CVE was only published on December 17 2019, it took the group less than a month to start exploiting it.
FireEye noted a lull in activity around the Chinese New Year holidays, and another drop off between February 2-19, which coincided with strict new Covid-19 quarantine measures in the country.
The group then went on to exploit a Cisco RV320 router at a telecoms firm on February 21, possibly using a Metasploit module combining CVE-2019-1653 and CVE-2019-1652.
APT41 was even quicker to exploit a new vulnerability (CVE-2020-10189) in the Zoho ManageEngine Desktop Central product. A PoC was published on March 5 and the group began attempting to exploit the CVE just three days later at over a dozen FireEye customers, resulting in the compromise of at least five of them.
The raids highlight the resourcefulness and agility of this particular APT group, said the vendor.
“While APT41 has previously conducted activity with an extensive initial entry, such as the trojanizing of Netsarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41,” it concluded.
“It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents, APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.”
However, a FireEye spokesperson told Infosecurity that the motives for the campaign are still a mystery. APT41 is unusual in that previously it has been observed carrying out attacks for both traditional state-sponsored cyber-espionage and personal financial gain.