This article is more than 1 year old

Hey, China. Maybe you should have held your hackers off for a bit while COVID-19 ravaged the planet. Just a suggestion

Citrix, Cisco and Zoho-pwning APT41 attack wave seems in awfully bad taste

Proving that no good crisis ever goes to waste, Chinese government hacking crew APT41 launched a campaign that abuses vulns in Citrix Netscaler and Zoho ManageEngine, according to threat intel outfit FireEye.

As well as targeting load balancers and network management suites, the Chinese interference operatives spent three months, at the height of Wuhan's COVID-19 coronavirus outbreak, exploiting weaknesses in Cisco routers.

"This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years," intoned FireEye in a statement.

Their targets were indiscriminate, ranging from governments, banking and finance, oil and gas, pharmaceutical, tech, defence and more.

During January and February APT41's attacks were concentrated against Cisco devices using previously revealed vulnerabilities and what FireEye speculated was a pre-compiled list of vulnerable devices connected to the internet. Those devices did not have mitigations applied.

In early March the Chinese hackers picked up on CVE-2020-10189, a zero-day remote code execution vuln in Zoho ManageEngine Desktop Central. The proof of concept was released on 5 March; three days later APT41 was using it to exploit "more than a dozen FireEye customers", the firm said in a blog post.

While Zoho published a workaround for the vuln back in January, and a full patch was published on 7 March, that two-day gap was all the Chinese needed.

"It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter," commented FireEye. "While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance."

Earlier this year APT41, also known as the Winnti Group, was seen targeting Hong Kong protesters as part of the communist state's ongoing campaign to crush pro-democracy sentiment in the one-time British colony. The crew's first publicly noted tactics were the use of stealing security certificates to rip off video games firms, among others. ®

More about


Send us news

Other stories you might like