fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

US Govt: China-Sponsored Hackers Targeting Exchange, Citrix, F5 Flaws

US Govt: China-Sponsored Hackers Targeting Exchange, Citrix, F5 Flaws

China

Today, the US government issued an advisory on China-sponsored hackers attacking government agencies through vulnerabilities in Microsoft Exchange, Citrix, Pulse, and F5 devices and servers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is an independent federal agency that protects against and coordinates responses to threats from private and state-sponsored hackers targeting United States interests.

In a new advisory today, CISA and the FBI warn that Chinese MSS-affiliated hackers are attacking US government agencies and private companies by exploiting vulnerabilities in publicly exposed edge systems.

“According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years. These hackers acted for both their own personal gain and the benefit of the Chinese MSS,” a CISA advisory warned today.

As part of their attacks, the Chinese threat actors are looking for vulnerable and publicly exposed devices using the Internet-device search engine Shodan and vulnerability databases, such as the Common Vulnerabilities and Exposure (CVE) and the National Vulnerabilities Database (NVD).

In particular, CISA has seen the threat actors targeting vulnerabilities in F5, Citrix, Pulse Secure, and Microsoft Exchange Server to gain access to an organization’s network or collect data.

The most notable vulnerabilities CISA has seen targeted by Chinese MSS-affiliated actors are:

  • CVE-2020-5902: F5 Big-IP Vulnerability -This vulnerability allows a remote attacker to access the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) without authentication and perform remote code execution.
  • CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances – Vulnerabilities in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP allow remote unauthenticated attackers to remotely execute commands to gain access to a network.
  • CVE-2019-11510: Pulse Secure VPN Servers – This vulnerability enables unauthenticated, remote attackers to send a specially crafted URIs to connect to vulnerable servers and read sensitive files containing user credentials. These can later be used to take control of an organizations’ systems and more.
  • CVE-2020-0688: Microsoft Exchange Server – This flaw is present in the Exchange Control Panel (ECP) component, and it is caused by Exchange’s failure to create unique cryptographic keys when being installed. Once exploited, attackers can perform remote code execution (RCE) on the server with SYSTEM privileges.

Also read: Website Ownership Laws: Your Rights And What It Protects

Attempt to spread laterally through a network

Once a network is compromised, the China-sponsored hackers will download a variety of tools that allow them to gain further access to computers on the network.

During digital forensics and incident response (DFIR), CISA has noted that the threat actors are commonly downloading specific tools as part of their attacks.

The most common tools are:

  • Cobalt Strike: Cobalt Strike is a legitimate adversary simulation platform intended to be used by security professionals to assess a network’s security. Threat actors are using cracked versions as part of their attacks to enable backdoor access to compromised systems and deploy additional tools on the network.
  • China Chopper Web Shell: This tool allows threat actors to install a PHP, ASP, ASPX, JSP, and CFM webshells (backdoor) on publicly exposed web servers. Once the China Chopper Web Shell is installed, the attackers gain full access to a remote server through the exposed web site.
  • Mimikatz: Mimikatz is a post-exploitation tool that allows attackers to dump Windows credentials stored in a computer’s memory.  This tool is commonly used by threat actors, including ransomware operations, utilize to gain access to administrator credentials, and therefore, compromise Windows domain controllers.

Using the above three tools, a threat actor can spread from a locked-down system to other devices until they gain full control of the network.

In addition, CISA warned that the threat actors are utilizing the Microsoft Exchange CVE-2020-0688 RCE vulnerability to “to collect emails from the exchange servers found in Federal Government environments.”

Suggested mitigations

To protect against these types of attacks, CISA and the FBI advise that all organizations perform routine audits of their infrastructure and implement a robust patch management strategy.

“CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems,” CISA and FBI advise in the advisory.

All organizations are strongly advised to make sure the following patches are installed on affected devices to prevent them from being exploited by threat actors.

VulnerabilityPatch Information
CVE-2020-5902F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902
CVE-2019-19781Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5
CVE-2019-11510Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX
CVE-2020-0688Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Also read: 5 Self Assessment Tools To Find The Right Professional Fit

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us