pixel_dreams - Fotolia

China's APT41 attacks Citrix ADC flaws in cyberespionage campaign

A dual cyberespionage and cybercrime group known as APT41 exploited vulnerabilities in Citrix NetScaler/ADC and other products in an extensive, global threat campaign.

In recent months, a Chinese state-sponsored threat group known as APT41 has executed one of the broadest cyberespionage campaigns from China in years, according to FireEye.

FireEye observed that between Jan. 20 and March 11, the Chinese advanced persistent threat group attempted to exploit known vulnerabilities in Citrix NetScaler/Application Delivery Controller (ADC), Cisco routers and Zoho ManageEngine Desktop Central at more than 75 FireEye customers. APT41 targeted organizations in countries including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, U.K. and the U.S. 

The new threat research, titled "This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits," was published on Wednesday and called the activity "one of the broadest campaigns" from Chinese nation-state actors in several years.

FireEye chief security architect Christopher Glyer, who co-authored the report, said the cyberespionage campaign was unusual in its size and scope. "This broad of an attack was more common in the past, and I think 2017 was probably a time we could think of a previous set of targeting that was similar in scope and scale," he said.

Within the two months of activity, the campaign targeted a multitude of industries, including banking, construction, government, healthcare, higher education, legal, manufacturing, oil and gas, pharmaceutical, telecommunications and transportation.

The exploitation of the Citrix NetScaler/ADC flaw was particularly notable, according to the report, because attacks began on Jan. 20; Citrix, which disclosed the flaw in December, began rolling out patches on Jan. 19. Glyer said NetScaler/ADC is an incredibly popular software application that is deployed in a broad range of organizations around the world.

"When there's an exploit like this, the impact can be disproportionately higher just given how popular their software is and how widely it's deployed," he said.

Glyer said they have seen activity from APT41 within the last week, but the bulk of activity observed by researchers was through March 11. The FireEye report noted that APT41 activity appeared to cease between Feb. 2-19. "While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry," FireEye stated in the report.

Dual threat

Dubbed a dual espionage and cybercime operation by FireEye, APT41 is unique among China-based actors because it utilizes nonpublic malware typically reserved for espionage campaigns in what appears to be activity for personal gain, according to a report from the vendor last August.

"Virtually every group we track is in espionage only or finance only," Glyer said. "This group and probably one other are the other ones I can think of that are dual."

During these recent exploits, APT41 used publicly available malware and tools such as Cobalt Strike, which FireEye observed as notable because "in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance."

"If you're doing a large exploitation campaign or phishing campaign, the likelihood that your activity will get picked up and discussed publicly is much higher," Glyer said. "So, by using publicly available malware and complementing it with custom, it's hard to identify who the breacher or hacker was. Customers use it to test different things in their networks and threat actors do, too. That makes it harder from an attribution perspective."

FireEye expects APT41 to continue to be one of the most prolific threats tracked by its threat researchers this year.

"This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage," FireEye wrote in the report.

Next Steps

Hackers port Cobalt Strike attack tool to Linux

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing