Chinese state-backed hackers are targeting U.S. organizations for espionage purposes, with access to computer systems usually gained by exploiting unpatched vulnerabilities. Hackers are scanning for unpatched systems and use publicly released or homegrown exploits to gain a foothold in networks with a view to stealing intellectual property and sensitive data.
On Tuesday, the U.S. National Security Agency (NSA) published a list of 25 vulnerabilities in software systems and network devices that are commonly exploited. In all cases, patches have been released to fix the flaws and, in some cases, those patches have been available for several years.
The NSA is urging all U.S. organizations to apply the patches as soon as possible to correct the vulnerabilities to prevent exploitation.
“We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems,” said NSA Cybersecurity Director Anne Neuberger.
Remote access vulnerabilities are commonly targeted, as these vulnerabilities can be exploited to provide immediate, highly privileged access to the hackers. There are 7 commonly targeted vulnerabilities in this group:
- CVE-2019-11510 – Pulse Secure VPN servers
- CVE-2019-19781 – Citrix VPN appliances
- CVE-2019-0708 – Windows Remote Desktop Protocol (BlueKeep)
- CVE-2020-5902 – F5 Big-IP traffic management interface
- CVE-2020-8193 – Citrix ADC and Citrix Gateway
- CVE-2020-8195 – Citrix ADC and Citrix Gateway
- CVE-2020-8196 – Citrix ADC and Citrix Gateway
Vulnerabilities are also exploited in public-facing servers, allowing the attackers to bypass web authentication and obtain sensitive information. The attackers can then pivot to internal networks. Once control of a site has been gained, the attackers perform watering hole attacks and target users that visit those sites. Vulnerabilities commonly exploited to achieve this aim include CVE-2020-1350, CVE-2018-6789, and CVE-2018-4939.
Network devices are compromised to intercept and modify traffic, but they can also serve as a launchpad for further attacks on an organization. Network devices tend to be patched slowly and are therefore a common weak link. Vulnerabilities often exploited include CVE-2017-6327, CVE-2020-3118, and CVE-2020-8515.
Once initial access to a network has been gained, vulnerabilities are exploited to obtain credentials, elevate privileges, and move laterally to compromise entire networks. CVE-2020-1472 and CVE-2019-1040 are being exploited for this purpose.
Internal servers contain intellectual property that is highly valuable to hackers. Commonly exploited vulnerabilities in internal servers include CVE-2020-0688, CVE-2020-2555, CVE-2020-10189, CVE-2019-3396, CVE-2019-18935, CVE-2019-111580, and CVE-2015-4852.
Vulnerabilities in mobile device management servers are also exploited to deliver malicious apps and change configurations on mobile devices, with CVE-2020-15505 commonly exploited to achieve this aim.
Since all of the above vulnerabilities are being actively exploited, it is essential for patches to be applied promptly to fix these flaws.
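One practical way to act on this list is to rank scanner findings against it, patching the remote access tier first. The following script is an added example, not part of the NSA alert or the original article; the `host,cve,exposed` CSV layout is a hypothetical scanner export, and the sample findings are constructed.

```python
import csv
import io

# CVE groups as listed in the article, in the article's order, which is also
# used here as patch-priority order (remote access first). The malformed
# internal-server ID printed in the article is not included.
EXPLOITED = {
    "remote-access": {"CVE-2019-11510", "CVE-2019-19781", "CVE-2019-0708",
                      "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195",
                      "CVE-2020-8196"},
    "public-facing-server": {"CVE-2020-1350", "CVE-2018-6789", "CVE-2018-4939"},
    "network-device": {"CVE-2017-6327", "CVE-2020-3118", "CVE-2020-8515"},
    "lateral-movement": {"CVE-2020-1472", "CVE-2019-1040"},
    "internal-server": {"CVE-2020-0688", "CVE-2020-2555", "CVE-2020-10189",
                        "CVE-2019-3396", "CVE-2019-18935", "CVE-2015-4852"},
    "mdm-server": {"CVE-2020-15505"},
}
TIER = {cat: i for i, cat in enumerate(EXPLOITED)}
UNLISTED = len(TIER)  # findings not on the list sort after every listed one


def category_of(cve):
    """Return the article's category for a CVE, or None if it is not listed."""
    cve = cve.strip().upper()
    for cat, ids in EXPLOITED.items():
        if cve in ids:
            return cat
    return None


def prioritize(scan_csv):
    """Rank findings: listed CVEs by category tier, internet-exposed hosts
    before internal ones, then everything else. Columns host,cve,exposed are a
    hypothetical scanner export format (constructed for this example)."""
    rows = []
    for r in csv.DictReader(io.StringIO(scan_csv)):
        cat = category_of(r["cve"])
        rows.append({"host": r["host"], "cve": r["cve"].strip().upper(),
                     "category": cat or "not-on-list",
                     "tier": TIER[cat] if cat else UNLISTED,
                     "exposed": r.get("exposed", "").strip().lower() == "yes"})
    return sorted(rows, key=lambda x: (x["tier"], not x["exposed"], x["host"]))


# Constructed sample export; CVE-0000-0000 is a placeholder for an unlisted CVE.
SAMPLE_SCAN = """host,cve,exposed
dc-01,CVE-2020-1472,no
web-03,CVE-0000-0000,yes
mdm-01,CVE-2020-15505,yes
vpn-gw-01,cve-2019-11510,yes
core-rtr-02,CVE-2020-3118,no
"""

if __name__ == "__main__":
    for f in prioritize(SAMPLE_SCAN):
        print(f"{f['tier']} {f['category']:22} {f['host']:12} {f['cve']}")
```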
Further information on the vulnerabilities and TTPs of the Chinese hacking groups can be found in the NSA alert on this link.