According to FireEye, Chinese hackers are behind a series of recent attacks that use Zoho, Citrix and Cisco exploits to target appliances used by companies worldwide. The researchers attribute the attacks to the state-sponsored hacking group APT41. Most of the attacks are targeted.
Similar attacks have been going on for years
As FireEye notes, the recent APT41 campaign is one of the most widespread espionage campaigns that Chinese hackers have carried out in recent years.
“From January 20 to March 11, FireEye followed APT41's effort to exploit vulnerabilities on Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central,” the company report says.
APT41 is one of the most successful Chinese hacking groups. It is believed to be associated with the Chinese government, has been active since at least 2012, and is known for espionage and attacks targeting large industries as well as ordinary users.
In this recent campaign, the Chinese hackers are attacking companies in various sectors: banking and finance, government services, technology, oil and gas, telecommunications, healthcare, media and construction.
As noted above, the Chinese hackers carry out mainly targeted attacks. The targeted companies are located in many countries (the USA, the United Kingdom, France, Italy, Japan, Saudi Arabia, Switzerland and others).
“It's not clear if APT41 scanned the Internet and attempted mass exploitation or if it chose a subset of specific organizations to target. However, they appear to be targeted attacks,” FireEye researchers added.
The Chinese hackers took advantage of CVE-2019-19781, which affects Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) appliances.
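The article names the vulnerability but not how to tell whether an appliance was hit. The following is an added example, not code from the article or from FireEye: a small log check that flags the publicly documented exploitation pattern for CVE-2019-19781 (a path-traversal request that escapes /vpn/ into /vpns/, typically a GET of /vpns/cfg/smb.conf as a probe and a POST to /vpns/portal/scripts/newbm.pl to write a file) in combined-format web access logs. The log lines and IP addresses are constructed; the log format, the `normalise_path`/`classify`/`scan_log` names and the stage labels are assumptions of this example.

```python
"""Detection check for CVE-2019-19781 exploitation attempts in web access logs.

Added example, not from the FireEye report or the article. Assumptions:
- Apache/nginx "combined"-style access-log lines (constructed sample below).
- The public exploitation pattern for CVE-2019-19781: a traversal out of the
  /vpn/ prefix into /vpns/, e.g. GET /vpn/../vpns/cfg/smb.conf (probe) and
  POST /vpn/../vpns/portal/scripts/newbm.pl (file write). Percent-encoded
  variants (%2e%2e, double encoding, repeated slashes) are normalised first.
"""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Traversal from /vpn/ into /vpns/, allowing harmless ./ segments in between.
TRAVERSAL = re.compile(r"/vpn/(?:\./)*\.\./vpns/")

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Feb/2020:10:01:12 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.10 - - [21/Feb/2020:10:01:14 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
203.0.113.11 - - [21/Feb/2020:10:02:00 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 404 0
198.51.100.5 - - [21/Feb/2020:10:03:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 1523
198.51.100.6 - - [21/Feb/2020:10:03:09 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 9021
"""


def normalise_path(raw: str) -> str:
    """Strip the query string, decode percent-encoding twice (to defeat
    double encoding), collapse repeated slashes and lower-case the result so
    /vpn/%2e%2e/vpns, /vpn//../vpns and /VPN/../VPNS compare equal."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = re.sub(r"/{2,}", "/", path)
    return path.lower()


def classify(method: str, path: str):
    """Return an attack-stage label for a request, or None if it is benign."""
    p = normalise_path(path)
    if not TRAVERSAL.search(p):
        return None
    if method == "POST" and p.endswith("/vpns/portal/scripts/newbm.pl"):
        return "write"      # newbm.pl abused to write attacker content to disk
    if p.endswith("/vpns/cfg/smb.conf"):
        return "probe"      # common vulnerability check: read smb.conf via traversal
    return "traversal"      # any other escape into /vpns/ is still suspicious


def scan_log(text: str):
    """Parse log lines and return one hit dict per exploitation attempt.
    The HTTP status is kept so an analyst can separate attempts that were
    answered with 2xx (likely successful) from those that were rejected."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify(m["method"], m["path"])
        if stage:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "path": m["path"], "status": m["status"], "stage": stage,
                "succeeded": m["status"].startswith("2"),
            })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["stage"]:9} {h["method"]} '
              f'{h["path"]} -> {h["status"]}')
```

A 404 on the encoded probe only means that particular request was rejected; the same source trying again with a different encoding should still be treated as an attacker, which is why the check normalises paths before matching rather than looking for one literal string.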
Activity during these attacks fluctuated: the Chinese hackers were either very active or stopped completely.
As FireEye discovered, the breaks coincide with Chinese holidays and with the quarantine measures taken by the Chinese government in response to the COVID-19 pandemic.
“This decrease in activity is likely to be related to COVID-19 quarantine measures in China. However, Chinese hackers may have remained active in other ways that we could not observe,” the researchers said.
Zoho and Cisco exploits
On February 21, the Chinese hackers compromised a Cisco RV320 router at a telecommunications organization, but FireEye researchers could not determine which Cisco exploits the hackers used.
“It is not known which exploits were used, but there is a Metasploit module combining two vulnerabilities (CVE-2019-1653 and CVE-2019-1652) that allows remote code execution on the routers,” FireEye said.
APT41 then took advantage of CVE-2020-10189, a zero-day vulnerability in Zoho ManageEngine Desktop Central that allows attackers to execute code as SYSTEM/root on unpatched systems.
Starting March 8, the day after Zoho released its fix for CVE-2020-10189, the Chinese hackers attacked FireEye clients and managed to breach the systems of at least five of them.
The hackers then installed a trial version of the Cobalt Strike BEACON loader and a second backdoor that was used to download a VMProtect-packed Meterpreter downloader.
This is not the first time APT41 has used public exploits to target vulnerable systems.
“This new activity from this team shows how quickly recently published vulnerabilities can be exploited.”