Chinese-based threat actor acts fast when vulnerabilities are found, warns FireEye

The recent attempt by a Chinese-based threat actor to exploit vulnerabilities in enterprise products from Citrix, Cisco Systems and Zoho is a good example of why patches have to be tested and installed as soon as possible, a new report from FireEye suggests.

The report, issued last week, focuses on a group dubbed APT41, which between Jan. 20 and March 11 attempted to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers in countries including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, the Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, the UAE, the U.K. and the United States.

The campaign started 10 days after Citrix publicly revealed that a vulnerability (CVE-2019-19781) had been found in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, Citrix Gateway, formerly known as NetScaler Gateway, and the Citrix SD-WAN WANOP appliance. The bug could allow an unauthenticated attacker to perform arbitrary code execution.

“This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage,” says the report.

Citrix released a mitigation patch for CVE-2019-19781 on December 17, 2019. As of Jan. 24, it had released permanent fixes for all supported versions of Citrix ADC, Gateway, and SD-WAN WANOP. Although APT41 was already looking for devices to exploit, its real activity started February 1, suggesting that network admins who had applied the fixes would have been protected.

The report says on Feb. 21 a Cisco Small Business RV320 router at an unnamed telecommunications company was exploited by the gang and a file was downloaded. It isn’t known what exploit was used.

Then on March 8, APT41 attempted to exploit a vulnerability announced three days earlier (CVE-2020-10189) in some versions of Zoho ManageEngine Desktop Central at more than a dozen FireEye customers. Five of those were actually hacked.

FireEye says it’s unclear whether APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target. However, because the initial knocking on doors was only against Citrix devices, it suggests APT41 already had a list of identified devices accessible on the internet.

FireEye believes the group has the backing of China and is known for conducting espionage for the government as well as financially motivated activity for itself.

The report notes the recent exploit attempts try to install publicly available backdoors such as Cobalt Strike and Meterpreter. “In previous incidents, APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks.”

Howard Solomon