Threat Alert: Malicious Group APT41 Initiates Citrix, Cisco and Zoho Vulnerability Exploit Campaign

A malicious group, known as APT41, have an ongoing campaign seeking to exploit vulnerabilities in internet-facing Citrix, Cisco and Zoho ManageEngine devices. Quorum Cyber experts recommend identifying any potentially affected systems and implementing fixes identified by the vendors. Full guidance and resources provided in the following sections.

ATP41 Global Intrusion Campaign

Yesterday, FireEye produced an article outlining a new campaign by the Chinese actor known as APT41.

The campaign seeks to access devices which are connected via the internet – targeting a wide range of countries and industries, including:

Affected Countries

Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, USA

Affected Industries

Banking/Finance, Construction, Defence Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, Utility

Recommended Actions

Quorum Cyber recommends identifying any potentially effected systems and implementing fixes identified by the vendors.

An external vulnerability scan may also be appropriate to verify these fixes have been properly implemented and to identify any other potential vulnerabilities with internet-facing systems. Further details on each vulnerability and resolution can be found below.

In addition, blocking communications with the IP addresses 66.42.98.220, 91.208.184.78 and 74.82.201.8 would be appropriate. In the following, we provide more detailed insight into each of the targeted vulnerabilities, and the recommended actions for you to secure your systems.

Citrix

Vulnerabilities

APT41 has been seen communicating via 66.42.98.220 and utilising CVE-2019-19781, a vulnerability in the Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliances. A wide range of Citrix systems have been affected which, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

The exploit affects the following supported Citrix products:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24
• NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18
• NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 12.0.63.13
• NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15
• NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12
• Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b

Resolutions

Citrix has released mitigation and fixes for the issue. Mitigation steps should be implemented and verified until such time as you are able to implement the fix which resolves the issue. Full details are available via Citrix support.

Details regarding the mitigation can be found at: https://support.citrix.com/article/CTX267679

A fix has also been issued in the form of a build refresh on supported appliances:

Citrix ADC and Citrix Gateway
Version	Refresh Build	Release Date
10.5	10.5.70.12	24th January 2020 (Released)
11.1	11.1.63.15	19th January 2020 (Released)
12.0	12.0.63.13	19th January 2020 (Released)
12.1	12.1.55.18	23rd January 2020 (Released)
13.0	13.0.47.24	23rd January 2020 (Released)
Citrix SD-WAN WANOP
Release	Citrix ADC Release	Release Date
10.2.6b	11.1.51.615	22nd January 2020 (Released)
11.0.3b	11.1.51.615	22nd January 2020 (Released)

 

NB: If your build is already up to date, you need not implement the mitigation steps.

Cisco

Vulnerabilities

Continuing to use 66.42.98.220 for communication, APT41 has been seen exploiting Cisco Small Business RV320 routers to deliver a payload. The specific exploit utilised is currently unknown.

However, a Metasploit module combining two CVE’s appears to replicate similar activity to enable remote code execution and download the specified payload. These CVEs were CVE-2019-1653 and CVE-2019-1652.

The combination of these CVE’s affects the following Cisco products:

• Cisco Small Business RV320
• Cisco Small Business RV325

Resolutions

Cisco has released a fix for this issue with a complete fix available with Firmware Release 1.4.2.22. Full details regarding CVE-2019-1653 and regarding CVE-2019-1652 are available via Cisco support.

Zoho

Vulnerabilities

APT41 was observed communicating over 91.208.184.78 and utilising CVE-2020-10189 to perform remote code execution on Zoho ManageEngine Desktop Central devices. APT41 was found to be employing this vulnerability to launch two potential deployments of a payload. Firstly, to directly upload a Java based program containing commands to download and execute files obtained via PowerShell. The second variant used the Microsoft BITAdmin tool to download and install file obtained from known APT41 infrastructure (66.42.98.220).

Both variations were used to install a trial version of Cobalt Strike BEACON, a paid tool used in penetration testing allowing attackers (or red-teams) to deploy an agent on a victim’s machine.

The Cobalt Strike BEACON tool can grant a range of capabilities such as:

• Command execution;
• Keylogging;
• Privilege escalation;
• And more.

Using this tool, APT41 connected to a C2 address within the IP 74.82.201.8. It was noted that a secondary backdoor was often deployed, connecting to an alternative C2 address. This secondary exploit was found to be a VMProtected Meterpreter downloader to install BEACON shellcode. The use of a VMProtected binary is another known tactic by the actor.

This exploit affects Zoho ManageEngine Desktop Central prior to version 10.0.474.

Resolutions

Zoho has released a fix for this vulnerability with version 10.0.479. Full details are available via the ManageEngine Site.

For further information on the support our Security Operations Centre and Professional Services teams can provide you and your organisation, contact the Quorum Cyber team today.