Chinese hacker collective APT41, which is often suspected of having links to the nation's governing authorities, is said to have carried out one of the largest known cyber espionage campaigns in recent times. The report, published online by cyber security research firm FireEye, covers a period between January 20 and March 11 during which APT41 attackers are said to have attempted to exploit known vulnerabilities in Cisco routers, Citrix Netscaler traffic controllers and Zoho's remote terminal management software. They attempted to infiltrate at least 75 companies across 20 countries and numerous critical fields of business, including finance, defense, oil & gas, and more.
Among the flaws the Chinese APT41 group attempted to exploit was a vulnerability in Citrix's systems that allows backdoors to be installed, which was first reported as a zero-day (i.e. a previously undisclosed flaw) back in December. Although the vulnerability was registered as CVE-2019-19781 and a patch was issued for it in January, this did not stop the group from searching for systems still exposed to the flaw and installing backdoors on them, which could be exploited further at a later date to escalate system privileges or spy on sensitive organisational data.
The second objective in this series of attacks was Cisco's RV320 VPN routers for small and medium businesses. This began with the targeting of a telecom organisation and was primarily identified as an attempt by the attackers to gain remote code execution on these routers. This too would have given the attackers wide latitude to access critical organisational files from a remote location, raising the possibility that the state-backed attackers were looking to carry out large-scale data espionage.
Finally, the third exploit used by the APT41 group also involved a zero-day vulnerability, now patched and listed as CVE-2020-10189. This flaw affected Zoho's remote terminal management tools and allowed the attackers to download specific Java and Microsoft payloads onto systems remotely, after which they seemingly attempted to use publicly available, full-featured toolkits such as Cobalt Strike and Meterpreter to take down systems or gain access to privileged files.
FireEye has made a number of interesting observations regarding the APT41 attacks, revealing that while the hackers had previously shown a clear pattern of financially motivated attacks, their recent streak shows a more targeted effort to spy on sensitive documents within organisations. The timeline also shows clear gaps in the attacks, which line up with the Chinese New Year holidays and the coronavirus lockdown imposed by China back in February.
With at least 75 organisations affected by the spyware, FireEye has not indicated exactly how much damage the APT41 attacks may have caused globally; that would be difficult to estimate without companies undertaking their own audits and checks, and would also depend on whether any stolen documents appear on the Dark Web or are forged by a competitor elsewhere. FireEye's report names India among the countries where companies were targeted, and with critical industries listed as affected, the APT41 attacks may well have been one of the largest and most serious cyber attacks of recent years.