Analysts at FireEye have identified a massive campaign run by the Chinese-backed APT41 threat group targeting multiple business sectors. The campaign leverages multiple vulnerabilities in products commonly used by businesses in order to gain a foothold on enterprise systems. The exploits used are:
- CVE-2019-19781 – Targets Citrix Application Delivery Controller and Gateway. Allows directory traversal, which can be used to access credential files.
- CVE-2020-10189 – Targets Zoho ManageEngine Desktop Central before 10.0.474. Allows remote code execution.
The group moved incredibly quickly after the vulnerabilities were announced to develop and operationalize exploits against the businesses targeted by these campaigns. CVE-2019-19781 was disclosed a month before the campaigns began, and the remote code execution proof of concept (PoC) for CVE-2020-10189 was released three days before APT41 began using it.
After gaining access to a system, APT41 was seen deploying either a Meterpreter downloader or a Cobalt Strike Beacon, both of which communicated back to the same command and control servers.