Surge in attacks from China-linked APT41 targeting unpatched Citrix servers and Cisco routers
APT41 attacks carried out between January and March targeted unsecured Citrix NetScaler servers and Cisco routers
FireEye has warned of a surge in activity by APT41, also known as Winnti or Wicked Panda, a group linked to China's security services. The wave of attacks, carried out between January and March this year, targeted organisations across the world, including the US, UK, Singapore, Switzerland, Japan, Poland and Saudi Arabia - to name just a few.
APT41 sought to take advantage of security flaws in unpatched Citrix NetScaler servers, Cisco routers and Zoho ManageEngine Desktop Central, targeting 75 organisations in total. Targets included companies in telecoms, healthcare, defence and manufacturing, as well as public-sector organisations, non-profits and education.
Chinese state-sponsored APT41, notes FireEye, generally conducts espionage, but has also been engaged in financial motivated activity in the past.
It's unclear whether APT41 scanned the internet for targets and attempted exploitation en masse, or selected specific organisations, but the victims appear to be more targeted in nature, according to FireEye.
The primary attack vector has been the CVE-2019-19781 Citrix Application Delivery Controller (ADC) security flaw that Citrix was accused of being lackadaisical in addressing. While discovered and publicised in December, it wasn't until late January that the company finally issued the last patches. On top of that, many organisations have been equally lackadaisical in applying the patches.
Initially, claims FireEye, APT41 probed endpoints to confirm whether a system was vulnerable, and without Citrix's rushed-out mitigation applied. The much-criticised mitigation for the vulnerability was published by Citrix on 17 December, pending a series of patches, which were published throughout January.
There was a lull in activity from the group between 23rd January and 1st February, consistent with the Chinese New Year holiday period - "a common activity pattern by Chinese APT groups", according to FireEye.
From 1st February, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via FTP, FireEye reports.
"We did not observe APT41 activity at FireEye customers between 2nd February and 19th February 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on 23rd January and 24th January, and rolled out quarantines to additional provinces starting between 2nd February and 10th February.
"While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry. We observed a significant uptick in CVE-2019-19781 exploitation on 24th February and 25th February."
On 21st February, APT41 exploited a Cisco RV320 router at a telecoms organisation using an unknown exploit, "but there is a Metasploit module that combines two CVE's (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on Cisco RV320 and RV325 small business routers and uses ‘wget' to download the specified payload", according to FireEye.
At the beginning of March APT41 also deployed a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 at more than a dozen FireEye customers. Five separate customers were compromised as a result.
"This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years," claimed FireEye in its report published today.
"While APT41 has previously conducted activity with an extensive initial entry... this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41."
The group used publicly available tools, such as the Cobalt Strike threat-emulation tools and Meterpreter, which enables users to control devices, upload and download files, using VNC.