Coronavirus: Chinese Hackers APT41 Seek Exploits Amid Pandemic

Security researcher warn Chinese state-sponsored hackers are conducting a widespread campaign, despite the Coronavirus pandemic

Security researchers at FireEye have warned of a “widespread hacking campaign” being carried out by APT41, one of the most effective hacking teams backed by the Chinese government.

The campaign was carried out between 20 January and 11 March, and saw “APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers.”

Earlier this week 400 cyber-security experts from around the world came together in order to battle the scourge of Coronavirus-related hacking.

hacker

Chinese hackers

That group is called the Covid-19 CTI (cyber threat intelligence) League. It is made up of cyber experts from 40 countries and includes professionals in senior positions at major tech firms including Microsoft and Amazon.

But now according to FireEye, APT41 has targeted its customers in countries including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA.

Its attacks targeted industries such as Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility.

“It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organisations to target, but the victims appear to be more targeted in nature”, said FireEye.

The security researcher also noted that there has been a lull in APT41 activity between 23 January and 1 February, “which is likely related to the Chinese Lunar New Year holidays which occurred between 24 January and 30 January 2020. This has been a common activity pattern by Chinese APT groups in past years as well.”

“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years,” wrote FireEye. “While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41.”

“In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks,” they said. “This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.”

Coronavirus pandemic

It seems almost unbelievable that hackers would choose to exploit the Coronavirus pandemic that is killing thousands around the world, to carry out their criminal activities.

However, a couple of weeks ago authorities warned of an increase in Coronavirus-related hacking, that is targetting individuals as well as particular industries.

The danger is is especially concerning as the pandemic means the risk to companies is even greater, because IT staff are working remotely, and the rush to accommodate work-from-home staff might leave business applications exposed without adequate protection.

FireEye warned in August 2019 that APT41, besides carrying out traditional state sponsored hacking, also dabbles in cyber crime operations for cash.

It said that members of API41 carried out state-sponsored espionage activity, in parallel with financially motivated operations.

Exploiting flaws

Security experts were quick to warn organisations to be aware of known vulnerabilities that can exploited by these hackers.

“The activities of APT41 illustrate that the attack method used by these notorious hacking groups aren’t particularly advanced,” noted Adam Palmer, chief cybersecurity strategist at Tenable. “They still focus primarily on commonly exploited vulnerabilities.”

“They just do this in an organised way – so rather than calling them advanced, maybe they should just be called organised persistent threats (OPTs),” said Palmer. “Rather than using zero day attacks, they go after operating systems and programs known to have easily exploitable flaws.

“For the security leader, the lesson is that it doesn’t require an advanced defense to defeat these attacks,” said Palmer. “Basic cyber hygiene will still close most of the holes these criminals are trying to climb through.”

Another expert warned IT teams not to overlook infrastructure equipment when assessing overall risks.

“Intruders continue to target infrastructure, not just endpoints and servers,” said Richard Bejtlich, principal security strategist at Corelight. “Defenders cannot ignore infrastructure devices like routers, switches, and VPN concentrators, assuming they are trustworthy and safe to use.”

“Instrument those devices using network security monitoring tools and methods to ensure that your trust is well-placed,” he said.

Do you know all about security? Try our quiz!