APT41 Exploited Cisco, Citrix and Zoho Bugs in Wide-Ranging Campaign

Security researchers have described what they claim to be one of the most widespread threat campaigns from a Chinese APT group in recent years, exploiting Cisco, Citrix and Zoho endpoints at scores of customer organizations.



FireEye explained in a new report that the state-sponsored APT41 group worked between January 20 and March 11 2020 to target 75 of its customers with attacks on Citrix NetScaler/ADC appliances, Cisco routers and Zoho ManageEngine Desktop Central products.



Although the group appeared to be working from a pre-selected list of targets, the victim organizations spanned a huge sweep of verticals, including telecommunications, manufacturing, healthcare, government, oil & gas, higher education, defense, industrial, pharmaceutical, finance, high-tech, petrochemical, transportation, construction, utilities, media, non-profit, legal, real estate and travel.



Victims were located all over the globe, in the US, Canada, Switzerland, Philippines, Australia, UK, UAE, Finland, France, Malaysia, Denmark, Mexico, Qatar, Saudi Arabia, Sweden, Japan and Poland.



Their first target was Citrix ADC and Gateway devices exposed by the CVE-2019-19781 vulnerability. Although the CVE was only published on December 17 2019, it took the group little more than a month to start exploiting it.
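Defenders with Citrix ADC or Gateway appliances in scope for this campaign will want to check their access logs for the exploit pattern. The following is an added example, not code from FireEye's report or from Citrix: it scans constructed, combined-format access-log lines (the field layout is an assumption; a real httpaccess.log may differ, so adjust LINE_RE) for the widely published CVE-2019-19781 indicator, a request path that reaches /vpns/ through the /vpn/../ traversal, after percent-decoding so that encoded variants such as ..%2F are caught too.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines (not taken from any real appliance). They mimic
# a combined access-log layout; the exact Citrix httpaccess.log format is an
# assumption here, so LINE_RE may need adjusting for production logs.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2020:10:01:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "curl/7.64"
203.0.113.7 - - [20/Jan/2020:10:01:12 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "curl/7.64"
203.0.113.7 - - [20/Jan/2020:10:01:15 +0000] "GET /vpn/..%2Fvpns/portal/backdoor.xml HTTP/1.1" 200 512 "-" "curl/7.64"
10.0.0.9 - - [20/Jan/2020:10:02:00 +0000] "GET /vpns/portal/scripts/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD PATH PROTO", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The traversal that CVE-2019-19781 exploitation relies on: a request under
# /vpn/ that climbs one directory to reach the otherwise protected /vpns/ tree.
TRAVERSAL_RE = re.compile(r'/vpn/\.\./vpns/', re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Percent-decode until the string stops changing (handles double encoding)."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def find_traversal_hits(log_text: str) -> list:
    """Return one dict per request whose decoded path matches the traversal pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        path = normalize_path(m['path'])
        if TRAVERSAL_RE.search(path):
            hits.append({
                'ip': m['ip'],
                'ts': m['ts'],
                'method': m['method'],
                'path': path,
                'status': int(m['status']),
            })
    return hits


def successful_by_ip(hits: list) -> dict:
    """Count traversal requests that the appliance answered with HTTP 200, per client IP."""
    counts = Counter(h['ip'] for h in hits if h['status'] == 200)
    return dict(counts)


if __name__ == '__main__':
    found = find_traversal_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print('successful traversal requests per IP:', successful_by_ip(found))
```

A direct request to /vpns/ without the traversal (the last sample line) is rejected with 403 and does not match, which is the expected behaviour of an unexploited appliance; a POST to a script under /vpns/portal/scripts/ via the traversal that returns 200 is the line worth escalating. Percent-decoding before matching matters because a single-pass filter on the literal string /vpn/../vpns/ misses the ..%2F form.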



FireEye noted a lull in activity around the Chinese New Year holidays, and another drop-off between February 2 and 19, which coincided with strict new Covid-19 quarantine measures in the country.



The group then went on to exploit a Cisco RV320 router at a telecoms firm on February 21, possibly using a Metasploit module combining CVE-2019-1653 and CVE-2019-1652.



APT41 was even quicker to exploit a new vulnerability (CVE-2020-10189) in the Zoho ManageEngine D ..
