APT41 launches broad cyberespionage campaign.
FireEye disclosed a wide-ranging cyberespionage campaign by the China-linked actor APT41 against a variety of sectors in at least twenty countries. The activity ran from January 20th to March 11th, 2020, with a pause between January 23rd and February 1st that coincides with the Chinese Lunar New Year holidays (January 24th to January 30th). APT41 is associated with China's intelligence services, but it has also been known to conduct financially motivated operations more in line with criminal groups.
In the recent campaign, the threat actor exploited vulnerabilities in Citrix ADC and Gateway devices (the CVE-2019-19781 directory traversal flaw), Cisco routers, and Zoho ManageEngine Desktop Central (CVE-2020-10189), in the latter case within days of the vulnerability's public disclosure. FireEye says the operation "shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage." For initial footholds the group relied exclusively on publicly available tooling such as Cobalt Strike and Meterpreter rather than its custom malware, a point worth noting for defenders: detections keyed only to APT41's bespoke implants would have missed this activity.
The sectors targeted included "Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility." FireEye calls this activity "one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years."
Reuters reports that other cybersecurity firms have observed "a recent uptick in cyber-espionage activity linked to Beijing." Secureworks told the publication that it's tracking new infrastructure being used by APT41.