Chinese cyber-espionage group APT41 has been attacking organisations worldwide by exploiting vulnerabilities in popular business applications and devices from companies such as Cisco, Citrix and Zoho, warned FireEye researchers.
The Covid-19 lockdown in China seems to have had little effect on the group's operations, but its target organisations are at greater risk because their IT staff are working remotely. The rush to accommodate remote employees has left business applications exposed without the protection that office firewalls would normally offer.
"Between 20 January and 11 March, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers," said the FireEye report. FireEye describes the campaign as the broadest by a Chinese cyber-espionage actor it has recorded in recent years.
“Countries we’ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA,” said the report.
The industries targeted are banking & finance, construction, government, healthcare, high technology, higher education, legal, manufacturing, media, non-profit, oil & gas, petrochemical, pharmaceutical, real estate, telecommunications, transportation, travel, and utility.
“It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organisations to target, but the victims appear to be more targeted in nature,” the report said.
APT41, also known as MISSION2025, is suspected to be a Chinese state-sponsored threat actor, possibly working for the Chinese government, said Masahiro Yamada, associate vice president of threat research at CYFIRMA.
“The threat actor is believed to have been active since at least 2012. MISSION2025’s objective is consistent with China's national strategies highlighted as ‘Made in China 2025’, a plan announced in 2015 that aims to shift China's economy toward higher-value products and services, including IT, robotics, energy efficiency, electric vehicles, aerospace equipment, ocean engineering, high-tech ships, railway equipment, power equipment, new materials, medicine and medical devices, and agricultural machinery,” Yamada told SC Media UK.
CYFIRMA suspects that MISSION 2025 has been operating a long-running campaign named VISION 2025, with several sub-campaigns under it, each with a different targeting strategy and purpose.
“Most industries, globally, have been targeted by the VISION 2025 campaign. Our research shows that the activities reported by FireEye are a part of VISION 2025,” said Yamada.
CYFIRMA research says the motivations of the sub-campaigns under VISION 2025 include the following:
- stealing intellectual property, solution/technology details, PII and customer information to help Chinese industries and/or monetise the stolen data;
- causing reputational damage to a specific industry, company, country, etc.;
- expanding their infrastructure for use in their campaigns and operations.
“From our analysis of their recent campaigns, CYFIRMA suspects MISSION 2025 has expanded their campaign targets to not only servers but also internet-facing devices including network devices and IoT devices,” said Yamada.
“In the past, they were putting more focus on cyber-espionage instead of exploiting and compromising internet-facing systems. They often targeted code-signing certificates. Once they get the certificates, they can sign their malware using the stolen valid certificates. And they often target VPN credentials once they gain access to the target organisations’ networks.”
Additionally, they have been known to use a backdoor named Winnti (aka Highnoon). However, CYFIRMA suspects Winnti is shared with a few other Chinese nation-sponsored hacking groups, said Yamada.
CYFIRMA has evidence suggesting MISSION2025 uses a customised Mirai bot to target Linux systems, including network devices and IoT devices. The attacks include brute-forcing telnet and SSH credentials as well as exploiting vulnerabilities in DSL modems and GPON routers, D-Link, NETGEAR and Huawei routers, and the Realtek SDK.
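On the defensive side, the SSH credential brute-forcing attributed above to the customised Mirai bot leaves a characteristic trail in OpenSSH logs: bursts of "Failed password" lines from one source across several usernames. The script below is an added example written for this page, not code from CYFIRMA, FireEye or the article. It parses constructed sshd log lines (hostnames, addresses and timestamps are made up) and flags any source address that fails authentication five or more times within a one-minute sliding window; the threshold and window size are assumptions to tune for your environment.

```python
"""Flag SSH password brute-force bursts in OpenSSH auth.log lines.

Added example, not from the article or the vendors it quotes. The log
lines, hostnames and IP addresses below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH "Failed password" line with a syslog timestamp (no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: one noisy source cycling default usernames,
# one legitimate user who mistyped a password once and then logged in.
SAMPLE_LOG = """\
Mar 10 02:14:01 edge sshd[2201]: Failed password for root from 203.0.113.7 port 41122 ssh2
Mar 10 02:14:02 edge sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 41130 ssh2
Mar 10 02:14:02 edge sshd[2205]: Failed password for invalid user support from 203.0.113.7 port 41138 ssh2
Mar 10 02:14:03 edge sshd[2207]: Failed password for invalid user user from 203.0.113.7 port 41141 ssh2
Mar 10 02:14:04 edge sshd[2209]: Failed password for root from 203.0.113.7 port 41150 ssh2
Mar 10 02:14:05 edge sshd[2211]: Failed password for root from 203.0.113.7 port 41160 ssh2
Mar 10 02:20:11 edge sshd[2300]: Failed password for alice from 198.51.100.20 port 50213 ssh2
Mar 10 02:20:40 edge sshd[2302]: Accepted password for alice from 198.51.100.20 port 50214 ssh2
Mar 10 03:05:00 edge sshd[2400]: Failed password for root from 203.0.113.7 port 42001 ssh2
"""


def parse_failures(lines, year=2020):
    """Yield (timestamp, username, source_ip) for each failed-password line.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2020).
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {"count": n, "users": [...]}} for sources that produce
    at least `threshold` failures inside any `window_seconds` sliding window.

    `count` is the largest burst seen for that source and `users` the sorted
    usernames tried within it, which exposes the default-credential cycling
    typical of Mirai-style bots.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        best, best_users = 0, set()
        for end in range(len(events)):
            # Advance the window start until events[start..end] fit inside it.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > best:
                best = count
                best_users = {u for _, u in events[start:end + 1]}
        if best:
            alerts[ip] = {"count": best, "users": sorted(best_users)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['count']} failures, users tried: {', '.join(info['users'])}")
```

Run against the sample, only 203.0.113.7 is flagged (six failures in four seconds across four usernames); alice's single failure and her later successful login do not trip the threshold, and the isolated failure at 03:05 is outside any window that reaches the threshold. In production the same logic is usually expressed as a SIEM rule keyed on source address, and the sliding window matters because a fixed per-minute bucket would split a burst that straddles a minute boundary.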
“Another Chinese state-sponsored hacking group named Stone Panda has been operating a long-running campaign named ‘RedWall’. One of the main purposes of RedWall is listing vulnerable assets of their potential target organisations and affiliates. We suspect the vulnerable asset list is not only used by Stone Panda but also by other Chinese state-sponsored hacking groups,” Yamada added.