Hacking isn't canceled: Chinese group attacked Citrix and Zoho during coronavirus lockdown

State-backed hacking group APT41 exploited vulnerabilities in Citrix Netscaler, Cisco routers and Zoho ManageEngine Desktop Central. But a COVID-19 lockdown may have slowed their efforts.
Written by Danny Palmer, Senior Writer

A prolific state-backed Chinese cyber-espionage operation started 2020 with one of its largest hacking campaigns – even though the coronavirus lockdown in China appeared to have an impact on the group's output.

The global operation by hacking group APT41 – widely believed to be linked to the Chinese government – targeted businesses in telecoms, manufacturing, healthcare, defence, higher education, pharmaceuticals, banking, media, oil and gas, chemicals, plus government.

Campaigns by APT41 are often deployed in an effort to steal intellectual property – and there are some indications that the attacks are used to deploy general espionage and surveillance on target networks.

APT41's latest campaign started in January and continued through to March and has been discovered and detailed by researchers at cybersecurity company FireEye, who describe it as "one of the broadest campaigns by a Chinese espionage actor we have observed in recent years".

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic) 

The group's latest hacking campaign attempted to exploit recently uncovered vulnerabilities in Citrix Netscaler, Cisco routers and Zoho ManageEngine Desktop Central.

Researchers first observed activity around this campaign on January 20 as attackers attempted to exploit Citrix Application Delivery Controller (ADC) and Citrix Gateway devices, both of which are widely used and were revealed to contain a critical vulnerability (CVE-2019-19781) in December.

While a patch was released, those who didn't apply it remained vulnerable to attacks and that's something hackers looked to quickly exploit for their own gain before an apparent lull in activity between January 23 and February 1. Researchers attribute this break to Chinese New Year – a period where state-backed hacking activity out of the country regularly drops.

But there was also no trace of hacking activity between February 2 and February 19; researchers note that this coincides with coronavirus lockdown and quarantine measures implemented across several Chinese regions as the government attempted to prevent spread of COVID-19.

It could simply be the case that those employed to perform hacking activity on behalf of the Chinese state simply couldn't get to work in that time – and didn't have the capability to do it remotely.

However, activity resumed activity after February 19 and by the 24th and 25th, there was a huge rise in attempts to exploit CVE-2019-19781, with the attacks identical to those before the lockdown dates.

"We did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry," the security company said.

This coincided with APT41 adding another attack to the campaign – targeting Cisco RV320 routers by using a proof-of-concept exploit that first appeared on GitHub. Researchers note that this tactic managed to breach the network of at least one telecommunications provider, providing the attackers with the ability to execute remote code on the target machine.

Shortly afterwards, researchers noted that the APT41 attacks were attempting to exploit another vulnerability; this time it was a zero-day remote code execution in Zoho ManageEngine Desktop Central (CVE-2020-10189). The attackers used it to target at least a dozen organisations and successfully gained access to the networks of five.

SEE: Report: Chinese hacking group APT40 hides behind network of front companies

The last recorded activity of this particular campaign was March 11, but it's likely only a matter of time before APT41 is once again attempting to compromise the networks of organisations around the world for the purposes of cyber espionage. It's also known for APT41 operatives to conduct their own hacking campaigns on the side to supplement their earnings.

All three vulnerabilities have been patched to prevent hackers from taking advantage and it's important that organisations apply these updates to protect their networks from unauthorised access, whether from nation-state backed hacking groups, or cyber-criminal crews – and to apply the patches as quickly as possible.

"APT41 continues to be one of the most prolific threats that FireEye currently tracks in 2020. This new activity from this group shows how resourceful and how quickly this group can leverage newly disclosed vulnerabilities to their advantage," said cybersecurity researchers at FireEye.


Editorial standards