BREAKING: APT41 initiated a multi-month global campaign at over 75 @FireEye customers attempting to exploit Internet facing systems using recently released exploits for Citrix NetScaler/ADC, Cisco Routers & Zoho ManageEngine.
fireeye.com/blog/threat-re…
fireeye.com/blog/threat-re…
I've been analyzing @FireEye's telemetry over the last few months for attempts to exploit CVE-2019-19781 (Citrix ADC) and this is the first campaign I was able to find and tie to a specific threat actor.
The CVE-2019-19781 exploitation had three main phases 1) initial reconnaissance on January 20-21 executing the command 'file /bin/pwd' (APT41 was the only actor I could find executing this command) 
Then a lull in activity likely related to the Chinese Lunar New Year holidays.
Phase 2) Payload delivery on February 1st that (if successful) used FTP to download a payload named 'bsd' (if anyone has a copy of the sample - sharing is caring)
Phase 2) Payload delivery on February 1st that (if successful) used FTP to download a payload named 'bsd' (if anyone has a copy of the sample - sharing is caring)
Then another lull in activity that aligns w/ China initiating broader COVID-19 quarantines. **NOTE: APT41 may have remained active, which we were unable to observe
Phase 3) Payload delivery on Feb 24-25 that downloaded payload named 'un'. This was the largest volume of activity
Phase 3) Payload delivery on Feb 24-25 that downloaded payload named 'un'. This was the largest volume of activity
For those of you playing along at home - you may have seen a thread w/ @markpars0ns @chrisdoman @sysgoblin @bkmsft @colemankane that touched on next two phases of APT41's exploitation attempts (Cisco RV320 routers and Zoho ManageEngine Desktop Central)
APT41 exploited a Cisco RV320 router at a telecommunications organization. About 6% of the targeting in this campaign included telecommunications organizations. Why might APT41 be interested in telcos? 🧐🧐
Remember the MESSAGETAP malware?
fireeye.com/blog/threat-re…
Remember the MESSAGETAP malware?
fireeye.com/blog/threat-re…
We're not certain what exploit used, but there's a 2019 @metasploit module that enables remote code execution. APT41 deployed payload named 'fuc' (32-bit ELF binary compiled for 64-bit MIPs processor).
I've never seen/analyzed MIPs malware before. I assume payload is custom.
I've never seen/analyzed MIPs malware before. I assume payload is custom.
On March 5th, @steventseeley released Proof of Concept code for a Zoho ManageEngine zero-day (CVE-2020-10189). By March 8th - APT41 weaponized the POC and attempted to exploit more than a dozen organizations.
The CVE-2020-10189 exploitation activity is convoluted enough that you should probably just read the blog...but the TLDR is: exploit --> some combo of bitsadmin, powershell, Cobalt Strike backdoor, CertUtil, VMProtected Meterpreter downloader, BEACON shellcode
This isn't the first time we've observed APT41 leverage publicly available exploits to target internet facing systems. We've seen them use both CVE-2019-3396 (Atlassian Confluence) and CVE-2019-11510 (Pulse Secure VPN) as recently as October 2019.
I put my Visio skills to use and created this infographic to help summarize the APT41 exploitation activity, along with some key dates that *may* help explain the absence of activity.
Some unanswered questions I have about the activity:
The ManageEngine exploitation was ~3 days from POC release to weaponization. Why did it take ~10 days to attempt exploitation of Citrix ADC (for recon) and ~20 days to exploit it with an actual payload?
The ManageEngine exploitation was ~3 days from POC release to weaponization. Why did it take ~10 days to attempt exploitation of Citrix ADC (for recon) and ~20 days to exploit it with an actual payload?
