Threat actors from the People’s Republic of China are exploiting known vulnerabilities to build a broad network infrastructure of compromised machines worldwide. Learn more about how to protect yourself from this threat.
A joint Cybersecurity Advisory from the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the FBI warns about threat actors who exploit known vulnerabilities to target public and private sector organizations worldwide, including in the United States. The report builds on previous NSA, CISA and FBI reporting on notable cybersecurity trends and persistent tactics, techniques and procedures.
Exploitation of common vulnerabilities
Since 2020, Chinese state-sponsored threat actors have been conducting major attack campaigns exploiting publicly identified vulnerabilities. In these campaigns, the attackers gain valid account access by exploiting vulnerabilities in Virtual Private Network or other Internet-facing services without using their own distinctive or identifying malware, making it more difficult for threat intelligence analysts to evaluate the threat. These types of devices are often overlooked by security personnel.
Unpatched network devices such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices are used by these attackers as a springboard to compromise other entities. Using such compromised routers and devices lets the attackers add a layer of anonymity to their activities: the devices act as proxies that route traffic from their command-and-control (C2) servers and serve as intermediate hops.
The agencies released a table of the network-device CVEs most frequently exploited by Chinese state-sponsored threat actors since 2020 (Figure A).
One of the most commonly exploited vulnerabilities dates back to 2017, while most of the others date back to 2018 and 2019. Those exploits show once again that routers and NAS devices are not the most up-to-date devices in corporate networks, and some may not be patched at all.
Attackers constantly monitor and adapt to the defenders
As highlighted by the US agencies, these cyber threat actors consistently evolve and adapt their tactics to evade the defenses set up against them. State-backed attackers have been observed monitoring defenders' accounts and actions, then adjusting their ongoing campaigns as needed to remain undetected.
After information about their campaigns was publicly disclosed, these attackers immediately adapted their infrastructure and toolsets: registering new domains, using new servers and modifying malware are typical measures they take to keep their campaigns running and successful.
Finally, these actors also mix custom toolsets with publicly available ones. Leveraging tools native to the network environment is a technique they often use to obscure their activity and disappear into the noise of a network.
Targeted telecom and network service providers
The threat actors mainly use open source tools to perform their reconnaissance and vulnerability scanning activities. Open-source router-specific software frameworks such as RouterSploit and RouterScan have been used to more accurately identify routers and their vulnerabilities before attacking them. Public tools such as PuTTY are also used to establish SSH connections.
Once the attackers gain a foothold in a telecommunications organization or network service provider, critical systems and users are identified. After identifying a critical RADIUS server, the threat actors obtain credentials to access the underlying SQL database to dump plaintext credentials and hashed passwords for user and administrator accounts.
Additional scripting using the RADIUS credentials is then used to authenticate to a router over an SSH connection, run router commands and save the output. The configuration of every targeted Cisco and Juniper router was saved in this way.
A huge number of router configurations from medium to large companies have been collected in this way; the threat actors can then modify those configurations to route and capture all traffic from the networks to their own infrastructure.
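The collection step described above has a detectable shape on the defender's side: one source address logging in to many routers in a short window and pulling the configuration from each. The following Python is an added illustration, not code from the advisory or the article; it works over constructed sample logs in a simplified, normalized format (a real deployment would parse the vendor's actual syslog or AAA accounting records), and the window size and router threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the advisory), in a simplified
# normalized format: <timestamp> <router> <LOGIN|CMD> key=value ...
SAMPLE_LOGS = """\
2022-06-07T02:00:01 rtr-core-01 LOGIN user=netops src=10.20.30.40
2022-06-07T02:00:04 rtr-core-01 CMD user=netops src=10.20.30.40 cmd='show running-config'
2022-06-07T02:00:09 rtr-edge-02 LOGIN user=netops src=10.20.30.40
2022-06-07T02:00:12 rtr-edge-02 CMD user=netops src=10.20.30.40 cmd='show running-config'
2022-06-07T02:00:15 rtr-edge-03 LOGIN user=netops src=10.20.30.40
2022-06-07T02:00:18 rtr-edge-03 CMD user=netops src=10.20.30.40 cmd='show configuration'
2022-06-07T09:15:00 rtr-core-01 LOGIN user=jdoe src=10.1.1.7
2022-06-07T14:02:00 rtr-edge-02 LOGIN user=jdoe src=10.1.1.7
2022-06-07T14:02:30 rtr-edge-02 CMD user=jdoe src=10.1.1.7 cmd='show running-config'
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<router>\S+) (?P<kind>LOGIN|CMD) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: cmd='(?P<cmd>[^']*)')?$")
# Commands that return a full device configuration on Cisco IOS / Junos.
CONFIG_DUMP_CMDS = {"show running-config", "show startup-config", "show configuration"}

def parse(log_text):
    """Yield (ts, router, kind, user, src, cmd) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            yield datetime.fromisoformat(d["ts"]), d["router"], d["kind"], d["user"], d["src"], d["cmd"]

def detect_config_harvest(log_text, window_min=15, min_routers=3):
    """Alert on a src IP that logs in to >= min_routers routers within window_min minutes and dumps configs from more than one."""
    by_src = defaultdict(list)
    for ts, router, kind, user, src, cmd in parse(log_text):
        by_src[src].append((ts, router, kind, user, cmd))
    window, alerts = timedelta(minutes=window_min), []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, *_) in enumerate(evs):      # slide a window starting at each event
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            routers = {e[1] for e in in_win if e[2] == "LOGIN"}
            dumped = {e[1] for e in in_win if e[2] == "CMD" and e[4] in CONFIG_DUMP_CMDS}
            if len(routers) >= min_routers and len(dumped) > 1:
                alerts.append({"src": src, "users": sorted({e[3] for e in in_win}),
                               "routers": sorted(routers), "configs_dumped": len(dumped),
                               "first": start.isoformat(), "last": in_win[-1][0].isoformat()})
                break                                # one alert per source is enough
    return alerts
```

The single administrator who pulls one configuration hours apart (jdoe) does not trigger an alert; the source that touches three routers in seventeen seconds and dumps each configuration does.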
How can you protect yourself from this threat?
All operating systems and software should always be updated and patched as soon as possible after patches are released. Centralized patch management systems can help automate and deploy those patches.
Network segmentation should be used to block possible lateral movement for attackers. Unused or unnecessary network devices, services, ports, and protocols should be completely disabled.
Multi-factor authentication should be required for VPN access and password complexity should be increased.
Incident response capabilities should be detailed in the incident response and recovery process documents, and incident response teams should receive regular training to respond to such threats.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.