NSA: Chinese Hackers Exploiting 25 VulnerabilitiesAgency Warns Hacking Groups Are Exploiting Flaws to Conduct Cyberespionage
The U.S. National Security Agency is warning that Chinese-linked hacking groups are exploiting 25 vulnerabilities in software systems and network devices as part of cyberespionage campaigns – which means patching is urgent.
See Also: Preempting the Attacker's Next Move
In an alert issued Tuesday, the NSA notes many of the vulnerabilities are found in remote access or web service tools that are easily accessible from the internet. Chinese hackers are leveraging these vulnerabilities to steal sensitive intellectual property as well as economic, political and military data, the NSA says.
NSA analysts say China-backed hackers are targeting the U.S. Defense Department as well as America's national security systems and the private defense industry, using vulnerabilities as launching pads into networks, according to the alert.
Urgency of Patching
The agency urges all organizations to immediately patch the flaws and initiate other mitigation efforts.
"We hear loud and clear that it can be hard to prioritize patching and mitigation efforts," NSA Cybersecurity Director Anne Neuberger says in the alert. "We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems."
In September, the U.S. Cybersecurity and Infrastructure Security Agency also warned that hacking groups backed by the Chinese Ministry of State Security were exploiting several unpatched vulnerabilities to target federal agencies (see: CISA: Chinese Hackers Targeting US Agencies).
The NSA alert notes that the most significant vulnerabilities currently being exploited by Chinese advanced persistent threat groups are:
- CVE-2020-5902: This vulnerability in F5's Big-IP traffic management user interface could allow hackers to execute arbitrary system commands, create or delete files, disable services or execute Java code (see: CISA: Attackers Are Exploiting F5 BIG-IP Vulnerability).
- CVE-2019-19781: This flaw in Citrix VPN appliances could allow hackers to execute directory traversal attacks.
- CVE-2019-11510: This flaw in Pulse Secure's VPN servers could allow hackers to gain access to networks.
- CVE-2019-0708: This is the BlueKeep vulnerability that is found in Microsoft Windows' Remote Desktop Protocol, which could allow an unauthenticated attacker to send specially crafted requests.
- CVE-2020-15505: This a remote code execution vulnerability in MobileIron's Core and Connector administrative portals that could allow attackers to execute arbitrary code through unspecified vectors.
The NSA alert notes that Chinese-sponsored hackers are using many of the same network exploitation processes that other threat actors are using.
"They often first identify a target, gather technical information on the target, identify any vulnerabilities associated with the target, develop or re-use an exploit for those vulnerabilities and then launch their exploitation operation," the NSA alert notes.
The large list of vulnerabilities that these Chinese hacking groups are exploiting indicates that the NSA has been tracking these developments for some time, says Oliver Tavakoli, the CTO of security firm Vectra.
"The breadth of products covered by this list of CVEs would indicate that the NSA has curated this list through the observation of many attacks undertaken by these actors," Tavakoli tells Information Security Media Group. "The exploits themselves also cover a broad range of steps in the cyberattack lifecycle, indicating that many of the attacks in which these exploits were observed were already pretty deep into the attack progression - and many were likely found only after the fact through deep forensic efforts rather than having been identified while the attacks were active."
Satnam Narang, a staff research engineer with security firm Tenable, notes that the use of these commonly known CVE flaws demonstrates that state-sponsored groups as well as cybercriminals are no longer primarily relying on zero-day exploits to target potential victims.
"Threat actors do not need to finance the development of or acquire zero-day vulnerabilities so long as there are a plethora of publicly accessible systems running unpatched software," Narang says. "This is further compounded by the availability of proof-of-concept code and exploit scripts that threat actors can easily co-opt as part of their own attacks."
In addition to patching these vulnerabilities, the NSA alert recommends additional risk mitigation steps that organizations can take, including:
- Continually changing passwords and reviewing accounts;
- Disabling external management capabilities and setting up out-of-band management network capabilities;
- Blocking obsolete or unused protocols at the network edge and disabling them in device configurations;
- Isolating internet-facing services in a network "demilitarized zone" to reduce the exposure of the internal network;
- Enabling robust logging of internet-facing services and monitoring the logs for signs of compromise.