The Chinese espionage group PIGFISH (a.k.a. APT41) has launched a global intrusion campaign starting from January 20th. FireEye reported that these intrusions seems to focus on the exploitation of the CVE-2019-19781 (Citrix ADC), CVE-2020-10189 (Zoho ManageEngine zero-day), and CVE-2019-1653 and CVE-2019-1652 (Cisco RV320/RV325 routers) vulnerabilities to achieve remote code execution for initial access.
Chinese actor APT41 is carrying out one of the broadest campaigns, currently going on and having started in January. APT41 is attempting to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 organizations in 20 countries.
Targeted Countries: The campaign targeted victims in Qatar, Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, and USA.
Targeted Industries: The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility.
Vulnerabilities Exploited: CVE-2019-19781 in Citrix NetScaler/ADC, CVE-2019-1652 and CVE-2019-1653 in Cisco routers, and CVE-2020-10189 in Zoho ManageEngine Zero-Day Vulnerability,CVE-2019-3396 in Widget Connector macro in Atlassian Confluence Server.