The recent attempts by a China-based threat actor to exploit vulnerabilities in enterprise products from Citrix, Cisco Systems and Zoho are a good example of why patches have to be tested and installed as soon as possible, a new report from FireEye suggests.
The report, issued last week, focuses on a group dubbed APT41, which between Jan. 20 and March 11 attempted to exploit vulnerabilities in Citrix NetScaler/ADC appliances, Cisco routers and Zoho ManageEngine Desktop Central at over 75 FireEye customers. The targets were in countries including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, the Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, the UAE, the U.K. and the United States.
The campaign started on Jan. 20, a little over a month after Citrix publicly disclosed (on Dec. 17, 2019) a vulnerability, CVE-2019-19781, in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC; Citrix Gateway, formerly known as NetScaler Gateway; and the Citrix SD-WAN WANOP appliance, and about 10 days after working exploit code for the bug was published. The bug allows an unauthenticated remote attacker to execute arbitrary code on the appliance.
“This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage,” says the report.
Citrix published mitigation steps for CVE-2019-19781 on Dec. 17, 2019, and by Jan. 24 it had released permanent fixes for all supported versions of Citrix ADC, Gateway and SD-WAN WANOP. APT41's initial probing for exploitable devices was followed by a lull; its main wave of exploitation started Feb. 1, suggesting that network admins who had applied the mitigation or the fixes by then would have been protected.
On Feb. 21, the report says, a Cisco Small Business RV320 router at an unnamed telecommunications company was compromised by the group, which used it to download a file. It isn't known which exploit was used.
Then on March 8, APT41 attempted to exploit a vulnerability announced three days earlier (CVE-2020-10189) in some versions of Zoho ManageEngine Desktop Central at more than a dozen FireEye customers. Five of those were actually compromised.
FireEye says it's unclear whether APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target. However, because the initial probing was only against Citrix devices, it suggests APT41 was working from an existing list of internet-exposed devices it had already identified.
FireEye believes the group has the backing of China and is known for conducting espionage for the government as well as financially motivated activity for itself.
The report notes the recent exploit attempts try to install publicly available backdoors such as Cobalt Strike and Meterpreter. “In previous incidents, APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks.”