The Chinese cyberattack group APT-41 (also known as Bario or Winnti) is an old acquaintance of the cybersecurity community due to their cyberattacks. According to MITRE ATT&CK, it is a state-backed group of Chinese origin, which has been active since 2012. It seems to have been involved both in gathering strategic intelligence from multinationals and in attacks with financial motives on such a wide range of sectors and video games, healthcare, and telecommunications and telecommunications.

Its last major cyberattack targeted the two latter sectors: a group of analysts has discovered that, in the last two months, APT-41 has tried to exploit vulnerabilities in devices and applications of several companies specialized in B2B business technology solutions: Cisco, Citrix and Zoho, taking advantage of the fact that many companies have been forced to telework because of the COVID-19 pandemic.

Vulnerabilities in uncertain times_

The researchers who discovered the case explain in their report that, between January 20 and March 11 this year, APT-41 carried out targeted attacks on 75 companies in multiple sectors, including telecommunications, finance, industry, healthcare, public administration, and even defense. Their method is to exploit vulnerabilities in B2B technologies that are commonly used by many companies in these uncertain times. Among the vulnerabilities that have been exploited are:

  • Vulnerability CVE-2019-19781 in Citrix Application Delivery Controller (ADC): this vulnerability partially affects the integrity and confidentiality of systems. Although it was discovered on December 17, it didn’t take long for APT-41 to exploit it, both on Chinese New Year and during the confinement enforced during the COVID-19 pandemic.
  • Vulnerabilities CVE-2019-1653 and CVE-2019-1652 in Cisco routers: In this case, the group attacked a telecommunications company on February 21, combining both vulnerabilities, possibly via a module of Metasploit, which is an open source tool commonly used for pen-testing in the cybersecurity community.
  • Vulnerability CVE-2020-10189 in the solution Zoho ManageEngine Desktop Central: on March 5 a PoC (proof of concept) was published. The group began to exploit this vulnerability just three days later, managing to carry out a successful cyberattack on at least five companies.

Update and patch_

The cyberattacks undertaken by APT-41 demonstrate that these organized, state-supported groups are extremely quick to exploit vulnerabilities in business applications; sometimes it takes them just two or three days to carry out a cyberattack once a vulnerability has been discovered.

This is why the first line of defense against this kind of cyberattack is to have fully updated systems, which are patched as soon as a vulnerability appears. However, this task is not a simple one; IT departments frequently do not have enough resources or time to discover every vulnerability or to perform this task alone.

To respond to this need, Cytomic clients can rely on several comprehensive services for IT operations. Among these is Cytomic Patch: thanks to this service, vulnerabilities in operating systems and hundreds of common third-party applications commonly found in business environments can be identified and managed in real time. What’s more, it offers a centralized patching mechanism from Cytomic’s cloud console.

Its main advantage is that the module does not depend on vulnerability scanning systems, a slow process that can take days or even weeks. Instead, it leverages data already gathered by our agent in order to provide real-time visibility into the company’s risk exposure from outdated applications or operating systems or discontinued and vulnerable applications. This way, from the single console, IT security teams can verify the update status, and schedule necessary updates, or apply them immediately. They can thus always keep systems up to date and keep groups such as APT-41 from carrying out cyberattacks through vulnerabilities in their business systems.