CISA published a security advisory warning of a wave of attacks against US government networks carried out by China-linked APT groups affiliated with China's Ministry of State Security (MSS).
The Chinese state-sponsored hackers have probed US government networks looking for vulnerable, internet-facing devices and servers that could be compromised with exploits for recently disclosed vulnerabilities.
“The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies,” reads the security advisory. “CISA has observed these—and other threat actors with varying degrees of skill—routinely using open-source information to plan and execute cyber operations.”
The list of vulnerabilities targeted by the Chinese hackers is:
CISA also warned that the threat actors are exploiting the Microsoft Exchange CVE-2020-0688 remote code execution vulnerability to access emails on Exchange servers found in federal government environments.
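A practitioner who runs Exchange will want a quick check for the CVE-2020-0688 activity described above. The following script is an added example, not code from CISA or from this article: it scans IIS W3C logs for requests to /ecp/ that carry the ASP.NET `__VIEWSTATE` and `__VIEWSTATEGENERATOR` parameters in the URL query string. That is the publicly documented fingerprint of the exploit (legitimate ECP traffic submits ViewState in the POST body, never in the query). The log lines, host names, account names and the generator value `DEADBEEF` are constructed for the example; the function name `detect_cve_2020_0688` and the field layout assumed for the `#Fields:` header are this example's own choices.

```python
"""Flag CVE-2020-0688 exploitation attempts in Exchange IIS W3C logs (added example).

Public exploits for CVE-2020-0688 put a ViewState blob, signed with the fixed
machine key, into the URL query string of a request to /ecp/default.aspx.
Normal ECP pages send __VIEWSTATE in the POST body, so the pair
__VIEWSTATEGENERATOR + __VIEWSTATE in cs-uri-query on an /ecp/ request is a
strong indicator. The exploit needs valid domain credentials, so cs-username
tells you which account was (mis)used.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List
from urllib.parse import parse_qs

# Constructed sample log (not from any real server). The #Fields: line uses
# the default IIS field order that Exchange installs ship with.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-09-14 10:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2020-09-14 10:00:07 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\jdoe 10.0.0.21 Mozilla/5.0 https://mail.example.test/ecp/ 200 0 0 340
2020-09-14 10:01:13 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=DEADBEEF&__VIEWSTATE=%2FwEPDwUKMTIzNDU2Nzg5AAAA 443 CORP\\svc-backup 198.51.100.23 python-requests/2.24.0 - 500 0 0 95
2020-09-14 10:01:14 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=DEADBEEF&__VIEWSTATE=%2FwEPDwUKMTIzNDU2Nzg5BBBB 443 CORP\\svc-backup 198.51.100.23 python-requests/2.24.0 - 500 0 0 91
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    user: str
    uri_stem: str
    status: str
    generator: str


def parse_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, naming columns from the '#Fields:' directive."""
    fields: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # no header yet or a malformed line: skip rather than guess
        yield dict(zip(fields, values))


def query_params(uri_query: str) -> Dict[str, str]:
    """Lower-cased parameter names mapped to their first value; '-' means no query."""
    if uri_query == "-":
        return {}
    parsed = parse_qs(uri_query, keep_blank_values=True)
    return {k.lower(): v[0] for k, v in parsed.items()}


def is_viewstate_in_query(uri_stem: str, uri_query: str) -> bool:
    """True when an /ecp/ request carries ViewState in the URL instead of the body."""
    if not uri_stem.lower().startswith("/ecp/"):
        return False
    params = query_params(uri_query)
    return "__viewstate" in params and "__viewstategenerator" in params


def detect_cve_2020_0688(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious request, in log order."""
    findings: List[Finding] = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "-")
        query = rec.get("cs-uri-query", "-")
        if not is_viewstate_in_query(stem, query):
            continue
        findings.append(Finding(
            timestamp=f"{rec.get('date', '-')} {rec.get('time', '-')}",
            client_ip=rec.get("c-ip", "-"),
            user=rec.get("cs-username", "-"),
            uri_stem=stem,
            status=rec.get("sc-status", "-"),
            generator=query_params(query).get("__viewstategenerator", "?"),
        ))
    return findings


def sources(findings: List[Finding]) -> Dict[str, int]:
    """Count of suspicious requests per client IP, for triage and blocking."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_cve_2020_0688(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.client_ip} user={h.user} {h.uri_stem} status={h.status}")
    print("per-source counts:", sources(hits))
```

Two caveats when running this against real logs: `cs-uri-query` must actually be enabled in the IIS log format (it is in the default field set, but check), and a hit means an attempt, not necessarily success; a 500 status on the exploit request is common even when the payload ran, so pivot to the `cs-username` account and the host's process activity rather than trusting the status code.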
According to the advisory, some attacks have been successful and allowed the Chinese hackers to penetrate federal networks.
“According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years,” continues the advisory. “These hackers acted for both their own personal gain and the benefit of the Chinese MSS.”
Once they have gained a foothold in the target network, the Chinese hackers move laterally using a variety of tools such as
CISA recommends that private companies and government agencies adopt necessary countermeasures and patch the devices in their infrastructure:
“CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems,” states the advisory.
Below is the list of patches that should be installed to prevent Chinese hackers and other threat actors from exploiting these vulnerabilities:

| CVE | Vendor advisory / patch |
|---|---|
| CVE-2020-5902 | F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902 |
| CVE-2019-19781 | Citrix blog posts: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0; security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3; firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0; firmware updates for Citrix ADC and Citrix Gateway version 10.5 |
| CVE-2019-11510 | Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX |
| CVE-2020-0688 | Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability |
(SecurityAffairs – hacking, China)