Today, the US government issued an advisory on China-sponsored hackers attacking government agencies through vulnerabilities in Microsoft Exchange, Citrix, Pulse, and F5 devices and servers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is an independent federal agency that protects against and coordinates responses to threats from private and state-sponsored hackers targeting United States interests.
In a new advisory today, CISA and the FBI warn that Chinese MSS-affiliated hackers are attacking US government agencies and private companies by exploiting vulnerabilities in publicly exposed edge systems.
“According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years. These hackers acted for both their own personal gain and the benefit of the Chinese MSS,” a CISA advisory warned today.
As part of their attacks, the Chinese threat actors are looking for vulnerable and publicly exposed devices using the Internet-device search engine Shodan and vulnerability databases, such as the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD).
In particular, CISA has seen the threat actors targeting vulnerabilities in F5, Citrix, Pulse Secure, and Microsoft Exchange Server to gain access to an organization’s network or collect data.
The most notable vulnerabilities CISA has seen targeted by Chinese MSS-affiliated actors are:
Once a network is compromised, the China-sponsored hackers will download a variety of tools that allow them to gain further access to computers on the network.
During digital forensics and incident response (DFIR), CISA has noted that the threat actors are commonly downloading specific tools as part of their attacks.
The most common tools are:
Using the above three tools, a threat actor can spread from a locked-down system to other devices until they gain full control of the network.
In addition, CISA warned that the threat actors are utilizing the Microsoft Exchange CVE-2020-0688 RCE vulnerability “to collect emails from the exchange servers found in Federal Government environments.”
To protect against these types of attacks, CISA and the FBI advise that all organizations perform routine audits of their infrastructure and implement a robust patch management strategy.
“CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems,” CISA and FBI advise in the advisory.
All organizations are strongly advised to make sure the following patches are installed on affected devices to prevent them from being exploited by threat actors.