China-linked APT41 group exploits Citrix, Cisco, Zoho flaws

Pierluigi Paganini March 25, 2020

The China-linked group tracked as APT41 exploited vulnerabilities in Citrix, Cisco, and ManageEngine in a campaign on a global scale.

The China-linked cyberespionage group tracked as APT41 exploited vulnerabilities in Citrix, Cisco, and Zoho ManageEngine in a campaign on a global scale.

The campaign was uncovered by FireEye, threat actor targeted many organizations worldwide the world by exploiting vulnerabilities in Citrix, Cisco and Zoho ManageEngine products.

The APT41 has been active since at least 2012, it was involved in both state-sponsored espionage campaigns and financially-motivated attacks since 2014. The group hit entities in several industries, including the gaming, healthcare, high-tech, higher education, telecommunications, and travel services industries.

Unlike other China-based actors, the group used custom malware in cyber espionage operations, experts observed 46 different malware families and tools in APT41 campaigns.

According to the report published by , the state-sponsored hackers targeted more than 75 of its customers between January 20 and March 11.

“FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.” reads the advisory published by FireEye. “Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers.”

The hackers hit organizations in several countries, including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, and the USA. 

Victims operate in the Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility. 

The experts pointed out that it is not clear if the attackers launched opportunistic attacks on a large scale or if they carried our targeted attacks.

“It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature,” continues FireEye.

The hackers initially exploited the CVE-2019-19781 flaw in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

The vulnerability could be exploited by attackers to access company networks.

FireEye researchers reported that APT41 started exploiting this flaw since January 20, but between January 23 and February 1 they did not observe any attack. The paused coincides with the Chinese Lunar New Year holidays which occurred between January 24 and January 30, 2020.

FireEye did not observe APT41 attacks between February 2 and February 19, 2020 that could be the result of the COVID-19 related quarantines.

On February 21, FireEye uncovered attacks exploiting a couple of vulnerabilities affecting Cisco RV320 and RV325 routers. 

On March 8, APT41 started exploiting the CVE-2020-10189 vulnerability in the Zoho ManageEngine Desktop Central. The attackers can exploit the vulnerability to execute code under the context of SYSTEM and take full control of the vulnerable ManageEngine systems,

“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years,” FireEye said. “While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41.” concludes the report.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – APT41, China)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment