Chinese hackers hit Citrix, Cisco vulnerabilities in sweeping campaign

Category: IT Technology · Published: 4 years ago

Mar 25, 2020 | CYBERSCOOP

Earlier this year, state-backed Chinese hackers embarked on one of the most sweeping Chinese espionage campaigns FireEye has seen in years, according to new research the security firm published Wednesday.

The campaign, which lasted between January 20 and March 11, targeted 75 organizations spanning nearly every economic sector: telecommunications, healthcare, government, defense, finance, petrochemical, manufacturing, and transportation. The campaign, believed to be run by APT41, targeted nonprofit, legal, real estate, travel, education, and media organizations as well.

“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years,” researchers Christopher Glyer, Dan Perez, Sarah Jones, and Steve Miller said. “While APT41 has previously conducted activity with an extensive initial entry … this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41.”

APT41 zeroed in on victims by going after vulnerabilities in Citrix’s Application Delivery Controller (ADC), Cisco’s routers, and Zoho’s ManageEngine Desktop Central, according to FireEye.

The Citrix vulnerability was publicly revealed a month prior to APT41’s campaign, and a researcher only revealed code for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central three days before the group took advantage of it, suggesting the group is interested in promptly exploiting newly reported flaws.

“This new activity from this group shows how resourceful and how quickly this group can leverage newly disclosed vulnerabilities to their advantage,” the researchers said.

FireEye does not have a copy of the malware deployed against the Cisco routers, but has reason to believe APT41 designed malware in-house to make its targeting a success, Glyer told CyberScoop.

“It is likely that APT41 had to develop custom malware to target Cisco routers because public samples are not available,” Glyer said.

It’s not the first time APT41 has gone after the telecommunications sector. Last year, the group was focused on collecting call records data and text messages after it breached a telecommunications company, according to an earlier FireEye investigation. At the time, Steve Stone, advanced practices director at FireEye, told CyberScoop APT41 appeared interested in political dissidents’ conversations.

FireEye only uncovered APT41 activities for the first time last year, and while the group has been known to conduct state-sponsored cyber-espionage, it has also run cyber-operations aimed at personal or financial gain. APT41 has also targeted the gaming sector, hacked organizations focused on cancer research, and successfully exploited an Atlassian Confluence vulnerability against a U.S.-based university, according to FireEye.

APT41 in this campaign in particular went after the banking sector most frequently, followed by higher education and manufacturing and technology targets, FireEye Chief Security Architect Chris Glyer told CyberScoop.

Knowledge of targets and diverse access

Although some targets of APT41’s campaign earlier this year echo its previous crusades, the attack’s goals are less clear.

In February, APT41 was able to successfully exploit a Cisco RV320 router at a telecommunications entity, but FireEye does not have visibility into what exploit was used. It’s also unclear if APT41 actually stole any data from its targets throughout the campaign.

“Based on our current visibility it is hard to ascribe a motive or intent to the activity by APT41,” Glyer told CyberScoop. “There are multiple possible explanations for the increase in activity including the trade war between the United States and China as well as the COVID-19 pandemic driving China to want intelligence on a variety of subjects including trade, travel, communications, manufacturing, research and international relations.”

Glyer said the most likely explanation for the broad targeting was that APT41 is working to set current and future collection requirements. If it’s any indication of what is a priority, the Citrix-based targeting made up the lion’s share of APT41’s focus, Glyer said.

The group’s Citrix-based targeting indicates APT41 may have had some prior knowledge of their targets, suggesting the campaign was tailored.

“[A]ll observed requests were only performed against Citrix devices, suggesting APT41 was operating with an already-known list of identified devices accessible on the internet,” the researchers wrote.

To exploit vulnerabilities in both the Citrix ADC and Citrix Gateway devices between January and February, the hackers first did an initial check to see if the target had already applied the patch for CVE-2019-19781 and to collect architecture information that could help the group install a backdoor later. After a brief pause in activity during both Lunar New Year — as is typical for Chinese hackers — and during coronavirus-related quarantines in China, APT41 eventually worked to download an unknown payload, named ‘bsd,’ which FireEye suspects to be a backdoor.
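As an added defender-side example (not from the article or from FireEye's report), the following scans constructed Citrix ADC-style access-log lines for the path-traversal pattern through which CVE-2019-19781 is exploited, and separates an initial "is this device still unpatched?" probe from a follow-on POST that would drop a file. The log format, the request paths, and the reading of status codes are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in a common access-log shape; not real traffic
# and not quoted from the article or FireEye's report.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2020:10:01:12 +0000] "HEAD /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 0
203.0.113.10 - - [20/Jan/2020:10:01:13 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 37
198.51.100.7 - - [20/Jan/2020:10:02:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
203.0.113.10 - - [20/Jan/2020:10:02:05 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_vpns_traversal(path: str) -> bool:
    """True if the request path walks out of /vpn/ into /vpns/, the
    CVE-2019-19781 pattern. Percent-encoding is decoded twice so that
    %2e%2e and double-encoded variants are caught as well."""
    decoded = unquote(unquote(path)).lower()
    return "/vpns/" in decoded and "/../" in decoded


def scan_log(text: str) -> list:
    """Return one record per traversal attempt: source, stage, and whether
    the device let the request through (a 2xx response)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_vpns_traversal(m["path"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "method": m["method"],
            "path": m["path"],
            "status": status,
            # HEAD/GET into /vpns/ is the unpatched-device probe; a POST into
            # /vpns/ scripts is the stage that writes content to the device.
            "stage": "payload" if m["method"] == "POST" else "probe",
            "blocked": not (200 <= status < 300),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A probe that returns 200 is the signal that the mitigation is not in place; the same source address then issuing a POST into /vpns/ is the point at which to treat the device as compromised rather than merely scanned.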

APT41 also proved to be adept at reacting to changes in victims’ environments. The hackers’ exploitation of the Zoho vulnerability, for instance, showed they were concerned about keeping access to victims’ machines. FireEye says the group used both a Meterpreter downloader and Cobalt Strike BEACON shellcode, both of which communicated with the same command and control server.

“We believe this is an example of the actor attempting to diversify post-exploitation access to the compromised systems,” the researchers write.

One clue that the hackers may have worked to conceal their activities lies in the fact that they relied only on publicly available malware, such as Cobalt Strike and Meterpreter, in this campaign, since using such malware at this stage “can make attribution more difficult,” Glyer told CyberScoop.
