CISA believes Chinese state-sponsored hackers are targeting critical cyberinfrastructure in the US and other countries by exploiting unpatched vulnerabilities.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Monday to inform federal government and private sector entities about a new wave of cyberattacks targeting them by Chinese state-sponsored hackers.
The advisory also emphasized the need to patch flaws in several widely deployed software products and devices, including F5 BIG-IP devices, Pulse Secure VPNs, Citrix VPN appliances, and Microsoft Exchange servers.
The advisory should not come as a surprise because:
1: Hackers leaked highly sensitive data of 900 Pulse Secure VPN servers on a hacker forum last month.
2: Hackers were found exploiting a critical vulnerability in the Microsoft Exchange server in March 2020.
3: Citrix suffered a data breach in 2019 in which 6TB of data was stolen from the enterprise software developer, which gives hackers an easy way to find exploitable flaws.
The US government revealed that Chinese threat actors had targeted many public and private sector entities in the past few months by exploiting vulnerabilities in the products mentioned above. Victims were identified via sources such as Shodan and the National Vulnerability Database (NVD).
The agency stated that threat actors affiliated with the Chinese Ministry of State Security are using “commercially available information sources and open-source exploitation tools to target US Government agency networks.”
They move quickly to exploit publicly disclosed vulnerabilities against unpatched targets to fulfill their nefarious motives.
Although patches for all these flaws are already available, many organizations haven’t yet upgraded their systems. This is why they remain vulnerable to targeted hack attacks, CISA stated in its advisory [PDF].
Both CISA and the FBI urge organizations to audit their patch management programs and configurations regularly so that threats are detected and mitigated in a timely manner. Organizations in both the public and private sectors must implement a “rigorous configuration and patch management program” to deter these sophisticated Chinese threat actors.
CISA revealed that hackers from China are exploiting two common vulnerabilities to attack federal and private sector organizations. The first vulnerability is present in F5’s BIG-IP Traffic Management User Interface (CVE-2020-5902).
The other is an arbitrary file reading vulnerability in Pulse Secure VPN appliances (CVE-2019-11510), which caused the Travelex breach earlier in 2020. Around 8,000 F5 Networks BIG-IP networking devices were identified as vulnerable to the F5 flaw by July 2020.
“Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance,” CISA noted.
Moreover, hackers are hunting for Citrix VPN appliances that are vulnerable to CVE-2019-19781. This flaw allows attackers to carry out directory traversal attacks. Attackers are also exploiting a Microsoft Exchange Server remote code execution flaw (CVE-2020-0688) that lets them collect emails from targeted networks.
CISA also pointed out common TTPs that threat actors are currently using, including the Cobalt Strike commercial penetration testing tool, which attackers use against federal government and commercial networks. Threat actors are also deploying the open-source China Chopper web shell effectively against organization networks, as well as the open-source Mimikatz credential-dumping tool.
CISA further noted that hackers are using malicious links in spearphishing emails and exploiting public-facing applications. In one case, they scanned a federal government agency for vulnerable web servers and for vulnerabilities in network appliances (CVE-2019-11510). They conduct reconnaissance of the federal government’s internet-facing systems shortly after the disclosure of “significant CVEs.”
Therefore, CISA asserts that federal and private sector organizations must maintain a rigorous patching cycle to build a solid defense against these threat actors. If critical flaws aren’t patched, attackers can successfully launch attacks without developing custom malware or exploits. They can also use previously unknown flaws to compromise a network, and legitimate websites to gain initial access.
“Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.”