Cybersecurity researchers recently issued a document saying that the hacker group APT41 from China initiated the largest intrusion since the establishment of the organization since the beginning of this year. Dozens of countries were impacted, including Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, United Kingdom, and the United States. The report pointed out that APT41 used vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central to attack subordinate organizations in many industries including banks/finance, construction, defense, government, medical, technology, higher education, law, manufacturing, media, non-profit, oil and gas, petrochemical, pharmaceutical, real estate, telecommunications, transportation, travel, and software from January 20 to March 11.
APT41 has been active since at least 2012, and its purpose is not fixed. The organization has launched attacks on companies in multiple industries, including gaming, medical, high-tech, higher education, telecommunications, and travel services. Unlike other APT organizations associated with China, this organization uses customized malware in cyber attacks. At present, experts have found 46 different malware families and tools in the attacks that have occurred. Experts claimed that it is unclear whether the attackers carried out large-scale random attacks or targeted attacks.
The attacker exploited the CVE-2019-1978 vulnerabilities in the Citrix Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN WANOP devices since January 20 to launch an attack on the victim’s network. Nevertheless, from January 23 to February 1, the researchers did not observe any attacks, and they predict that it was because of the Chinese New Year holiday from January 24 to January 30, 2020. Furthermore, the researchers did not observe that APT41 launched an attack between February 2 and February 19, 2020, which may be related to the separation caused by COVID-19.
On February 21st, the researchers also discovered the use of the Cisco RV320 and RV325 router related vulnerabilities to launch attacks. On March 8, APT41 then began to exploit the CVE-2020-10189 vulnerability of Zoho ManageEngine Desktop Central. Attackers can use this system to execute code with SYSTEM permissions in order to fully control the ManageEngine system. APT41 has carried out a large number of attack preparation activities before, such as the transformation of NetSarang software, and rapid information collection for some targets. In the recent attacks launched by APT41, publicly used tools such as Meterpreter and Cobalt Strike would be used first. After determining that the victim is a high-value target, more advanced malware will be deployed.
For mission-critical systems, the LIFARS Incident Response Team is deployed to the local enterprise environment. The LIFARS digital forensics process then laterally engages in affected systems and potentially compromised endpoints in the network with high speed and precision. Our mission is to minimize the threat surface, minimize the extent of the compromise, and minimize the damage associated with the cyber attack. Our network forensics process leverages our in-depth expertise from our highly advanced digital forensics investigations, combined with IoCs and TTP from our proprietary knowledge base. Our Cyber Incident Response services include:
- Forensics and Digital Investigations
- Mobile Forensics
- Memory Forensics
- Network Forensics
