The campaign was uncovered by
APT41 has been active since at least 2012; it has been involved in both state-sponsored espionage campaigns and financially-motivated attacks since 2014. The group has hit entities in several industries, including gaming, healthcare, high-tech, higher education, telecommunications, and travel services.
Unlike other China-based actors, the group uses custom malware in its cyber espionage operations; experts have observed 46 different malware families and tools in APT41 campaigns.
According to the report published by , the state-sponsored hackers targeted more than 75 of its customers between January 20 and March 11.
“FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.” reads the advisory published by FireEye. “Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers.”
The hackers hit organizations in several countries, including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, and the USA.
Victims operate in the Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility sectors.
The experts pointed out that it is not clear whether the attackers launched opportunistic attacks on a large scale or carried out targeted attacks.
“It’s unclear if APT41 scanned the Internet and attempted exploitation en
The hackers initially exploited the CVE-2019-19781 flaw in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.
The vulnerability could be exploited by attackers to gain access to corporate networks.
FireEye did not observe APT41 attacks between February 2 and February 19, 2020, a lull that could be the result of the COVID-19 related quarantines.
On February 21, FireEye uncovered attacks exploiting a couple of vulnerabilities affecting Cisco RV320 and RV325 routers.
On March 8, APT41 started exploiting the CVE-2020-10189 vulnerability in Zoho ManageEngine Desktop Central. Attackers can exploit the vulnerability to execute code in the context of SYSTEM and take full control of vulnerable ManageEngine systems,
“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years,”