Breaking News

Come Visit Geometric Future at Computex 2025 for Exciting New Cases and PC Accessories Gaming Beyond Limits, AI Beyond Imagination ASRock at Computex 2025 Acer releases many new products ahead of Computex 2025 DeepCool Unveils New Product Lineup at COMPUTEX 2025 KIOXIA Leads with Its Industry-Defining Breakthroughs and Technologies at COMPUTEX 2025

logo

  • Share Us
    • Facebook
    • Twitter
  • Home
  • Home
  • News
  • Reviews
  • Essays
  • Forum
  • Legacy
  • About
    • Submit News

    • Contact Us
    • Privacy

    • Promotion
    • Advertise

    • RSS Feed
    • Site Map

Search form

FireEye Warns About Chinese APT41 Global Intrusion Campaign Using Multiple Exploits

FireEye Warns About Chinese APT41 Global Intrusion Campaign Using Multiple Exploits

Enterprise & IT Mar 25,2020 0

U.S. cybersecurity firm FireEye has observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor the company has observed in recent years.

Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. Countries seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility.

It’s unclear if APT41 scanned the internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.

Starting on January 20, 2020, APT41 used the IP address 66.42.98[.]220 to attempt exploits of Citrix Application Delivery Controller (ADC) and Citrix Gateway devices with CVE-2019-19781 (published December 17, 2019).

FireEye did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways. The company observed a significant uptick in CVE-2019-19781 exploitation on February 24 and February 25.

Citrix released a mitigation for CVE-2019-19781 on December 17, 2019, and as of January 24, 2020, released permanent fixes for all supported versions of Citrix ADC, Gateway, and SD-WAN WANOP.

On February 21, 2020, APT41 successfully exploited a Cisco RV320 router at a telecommunications organization and downloaded a 32-bit ELF binary payload compiled for a 64-bit MIPS processor named ‘fuc’ (MD5: 155e98e5ca8d662fad7dc84187340cbc). It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVE’s (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on Cisco RV320 and RV325 small business routers and uses wget to download the specified payload.

Cisco PSIRT confirmed that fixed software to address the noted vulnerabilities is available and asks customers to review the following security advisories and take appropriate action.

On March 5, 2020, researcher Steven Seeley, published an advisory and released proof-of-concept code for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 (CVE-2020-10189). Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers.

"This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years," said FireEye. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of FireEye's customers, and seems to reveal a high operational tempo and wide collection requirements for APT41.

There were “multiple possible explanations” for the spike in activity, said FireEye Security Architect Christopher Glyer, pointing to tensions between Washington and Beijing over trade and more recent clashes over the coronavirus outbreak.

In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks.

Tags: Cyber AttackCybersecurityHacking
Previous Post
GSMA Announces Refunds for Canceled MWC Barcelona 2020
Next Post
HPE Releases Firmware Upgrade for SAS Solid State Drive Models to Prevent Drive Failure at 40,000 Hours

Related Posts

  • MSI has been hacked, be warned about where you download files

  • Hackers gain access to PS5 Debug Menu and show decrypted PS5 firmware files

  • HP Threat Research Shows Attackers Exploiting Zero‐Day Vulnerability Before Enterprises Can Patch

  • EA Gets hacked - 780GB of data and sourcecode stolen

  • European Supercomputers Researching Covid-19 Report Hacking Attacks

  • Texas Courts Faced a Ransomware Attack

  • Intel Confirms "Thunderspy" Risk in Thuerbolt Devices

  • Microsoft Offers You $100,000 If You Can Hack the Linux-based Azure Sphere

Latest News

Come Visit Geometric Future at Computex 2025 for Exciting New Cases and PC Accessories
Enterprise & IT

Come Visit Geometric Future at Computex 2025 for Exciting New Cases and PC Accessories

Gaming Beyond Limits, AI Beyond Imagination ASRock at Computex 2025
Enterprise & IT

Gaming Beyond Limits, AI Beyond Imagination ASRock at Computex 2025

Acer releases many new products ahead of Computex 2025
Enterprise & IT

Acer releases many new products ahead of Computex 2025

DeepCool Unveils New Product Lineup at COMPUTEX 2025
Cooling Systems

DeepCool Unveils New Product Lineup at COMPUTEX 2025

KIOXIA Leads with Its Industry-Defining Breakthroughs and Technologies at COMPUTEX 2025
Enterprise & IT

KIOXIA Leads with Its Industry-Defining Breakthroughs and Technologies at COMPUTEX 2025

Popular Reviews

be quiet! Light Loop 360mm

be quiet! Light Loop 360mm

be quiet! Dark Rock 5

be quiet! Dark Rock 5

be quiet! Dark Mount Keyboard

be quiet! Dark Mount Keyboard

G.skill Trident Z5 Neo RGB DDR5-6000 64GB CL30

G.skill Trident Z5 Neo RGB DDR5-6000 64GB CL30

Arctic Liquid Freezer III 420 - 360

Arctic Liquid Freezer III 420 - 360

Crucial Pro OC 32GB DDR5-6000 CL36 White

Crucial Pro OC 32GB DDR5-6000 CL36 White

Crucial T705 2TB NVME White

Crucial T705 2TB NVME White

be quiet! Light Base 600 LX

be quiet! Light Base 600 LX

Main menu

  • Home
  • News
  • Reviews
  • Essays
  • Forum
  • Legacy
  • About
    • Submit News

    • Contact Us
    • Privacy

    • Promotion
    • Advertise

    • RSS Feed
    • Site Map
  • About
  • Privacy
  • Contact Us
  • Promotional Opportunities @ CdrInfo.com
  • Advertise on out site
  • Submit your News to our site
  • RSS Feed