China’s APT41 Exploited Citrix, Cisco, ManageEngine Flaws in Global Campaign

A China-linked threat actor tracked as APT41 has targeted many organizations around the world by exploiting vulnerabilities in Citrix, Cisco and Zoho ManageEngine products, FireEye reported on Wednesday.

A China-linked threat actor tracked as APT41 has targeted many organizations around the world by exploiting vulnerabilities in Citrix, Cisco and Zoho ManageEngine products, FireEye reported on Wednesday.

APT41 has been active since at least 2012 and it has targeted a wide range of organizations worldwide. The group has launched both cyberespionage campaigns and financially-motivated attacks, but FireEye told SecurityWeek that it hasn’t been able to determine the end goal or motivation of this latest campaign.

FireEye says the Chinese hackers targeted more than 75 of its customers between January 20 and March 11, including in the banking, defense industrial base, construction, government, tech, healthcare, higher education, manufacturing, legal, media, oil and gas, non-profit, pharmaceutical, petrochemical, real estate, transportation, travel, utility and telecommunication sectors.

Targeted entities were located in the US, Canada, Switzerland, Philippines, Australia, UK, UAE, Finland, France, Malaysia, Denmark, Mexico, Qatar, Saudi Arabia, Sweden, Japan and Poland.

“It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature,” FireEye said.

The threat group first exploited CVE-2019-19781, a vulnerability affecting Citrix ADC and Gateway products. The flaw was disclosed in December — before patches were released — and the first attacks exploiting the weakness were spotted in January.

According to FireEye, APT41 started exploiting the vulnerability on January 20. The attackers apparently took a break between January 23 and February 1, which coincides with the Chinese Lunar New Year, and February 2-19, which could be related to COVID-19 coronavirus quarantine measures implemented in China.

On February 21, FireEye researchers spotted the hackers exploiting a couple of vulnerabilities affecting Cisco RV320 and RV325 routers. Exploitation of these flaws was first observed in January 2019.

Then, on March 8, APT41 started exploiting CVE-2020-10189, a vulnerability in ManageEngine Desktop Central for which details were disclosed on March 5 by a researcher, before the vendor could release any patches. This flaw is believed to have also been exploited by another China-linked group known as Winnti and Barium.

The recent attacks launched by APT41 involved only publicly available tools such as Meterpreter and Cobalt Strike. Researchers said the group typically deploys more advanced malware after conducting some reconnaissance to determine if the victim is of value.

“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years,” FireEye said. “While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
