Security researchers warn that a Chinese cyber espionage group has been attacking organisations worldwide by exploiting vulnerabilities in popular business applications and devices from companies such as Cisco, Citrix and Zoho.
In light of the ongoing Covid-19 crisis, the risk to companies is even greater, because IT staffs are working remotely and the rush to accommodate work-from-home employees might leave business applications exposed to the internet without adequate protection.
"Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers," researchers from security firm FireEye said in a report released today.
They also described the attacks as "the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years."
Who is APT41?
APT41 is a sophisticated, likely state-sponsored cyber espionage actor that has been operating since at least 2012 and whose actions seem to be aligned with China's five-year economic development plans.
Also known in the security industry as Barium or Winnti, the group has been involved in strategic intelligence collection from organisations in many sectors, but also in financially motivated attacks that predominantly targeted the online gaming industry. Some experts believe that it's operating as a contractor and has multiple teams with different goals.
In the past, APT41 has specialised in software supply-chain attacks. The group hacked into the software development environments of several software vendors and injected malicious code into digitally signed tools that were then distributed to customers through the normal software distribution channels.
One example is the 2017 attack against CCleaner that resulted in poisoned copies of the popular utility being distributed to 2.2 million users. The group is also believed to be responsible for ShadowPad, a software supply-chain attack that resulted in the distribution of malicious versions of a commercial enterprise server management tool called Xmanager.
"APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group," Fireeye said in a report about the group last year.
"APT41 quickly identifies and compromises intermediary systems that provide access to otherwise segmented parts of an organisation’s network. In one case, the group compromised hundreds of systems across multiple network segments and several geographic regions in as little as two weeks."
The researchers concluded that the group is well-resourced, highly skilled, creative and agile, adapting quickly to any attempts by its targets to remediate the infections.
APT41 compromises are typically widespread and highly persistent with the group ready to fight to maintain its foothold inside networks. Companies could have an even harder time to respond to such breaches now when members of their security and IT teams are working from home or are sick as a result of the COVID-19 pandemic.
Recent APT41 campaigns
The attacks observed by FireEye this year have targeted companies from many industries including banking/finance, defence, government, healthcare, high tech, manufacturing, oil & gas, pharmaceutical, telecommunications, and transportation worldwide.
Countries affected include the US, UK, Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland and the UAE.
Unlike previous campaigns where the group used phishing emails or Trojan malware, its attacks this year primarily involved targeting vulnerable systems and devices that were directly exposed to the internet.
One of the used exploits targeted a vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC; Citrix Gateway, formerly known as NetScaler Gateway; and the Citrix SD-WAN WANOP appliance.
The vulnerability, tracked as CVE-2019-19781, was disclosed in December and APT41 already added it to its arsenal by the end of January. The attacks resulted in the execution of a shell command that downloaded a backdoor over FTP.
"One interesting thing to note is that all observed requests were only performed against Citrix devices, suggesting APT41 was operating with an already known list of identified devices accessible on the internet," the FireEye researchers said.
In late February, FireEye also observed an attack by APT41 that compromised a Cisco RV320 router at a telecommunications organisation resulting in the installation of a malicious binary on the device.
While the researchers don't know exactly which exploit was used, they suspect it was a publicly available one that takes advantage of a command injection flaw (CVE-2019-1652) and an information disclosure issue (CVE-2019-1653) that Cisco patched last year in April.
Finally, starting March 8, FireEye observed APT41 attacks targeting ManageEngine Desktop Central, a Unified Endpoint Management (UEM) solution. ManageEngine is a division of Zoho.
The attacks started only three days after a security researcher published proof-of-concept code for a remote code execution vulnerability affecting Desktop Central versions prior to 10.0.474.
Zoho released a short-term fix for this flaw (CVE-2020-10189) in January in version 10.0.474 and a more comprehensive fix in build 10.0.479 on March 7.
The Desktop Central exploits were used to install a payload that downloaded a trial-version of the Cobalt Strike Beacon loader. Cobalt Strike is a commercial penetration testing tool and its Beacon component is a backdoor payload used for data exfiltration and additional payload deployment.
In fact, APT41 used the Cobalt Strike Beacon to then download Meterpreter, the attack payload component of the open-source Metasploit penetration testing framework.
"It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter," the FireEye researchers said. "While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.
"In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage."
Mitigation for the new APT41 attacks
Organisations who use the targeted software or devices should deploy the available mitigations or patches as soon as possible. If the current physical movement restrictions mandated by authorities as a result of COVID-19 makes patching difficult, companies should at the very least firewall those devices off the internet.
The vulnerable systems should also be isolated from the rest of the network or taken offline if alternatives can be deployed, because they could already be compromised. Companies can use the indicators of compromise and other information provided in the FireEye report to scan their networks.
The recent APT41 attacks highlight the risks associated with exposing sensitive business applications directly to the internet, which is something that companies might be under increased pressure to do given the current work-from-home situation.
However, remote management should always be performed through secure connections with VPNs or through zero trust access gateways.