Recently, CISA and the FBI warned that Chinese state-sponsored hackers are targeting Exchange, Citrix, and F5 flaws, continuing activity that CISA has observed for a long time.
Chinese hackers are using publicly available data sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. government agencies.
CISA says in one of its reports that over the past years, Chinese hackers have scanned U.S. government networks for the presence of common networking devices. They have also used exploits for newly disclosed vulnerabilities to gain a foothold on sensitive networks.
CISA has observed in the last 12 months that Chinese MSS-affiliated hackers are using spearphishing emails with embedded links. In some cases the hackers have compromised or poisoned legitimate websites to enable their cyber operations.
The Chinese hackers use Initial Access [TA0001] techniques, and according to the report published by CISA, they can keep launching these low-complexity attacks effectively.
- Chinese hackers have used open-source data to plan and carry out cyber operations.
- The Chinese MSS-affiliated hackers have also used readily available exploits and exploit toolkits to attack their target systems quickly.
- Maintaining a rigorous patching cycle remains the best defense against the most commonly used attacks.
- Where critical vulnerabilities remain unpatched, the hackers can carry out attacks without needing to develop custom malware and exploits or use previously unknown vulnerabilities to attack a network.
- Lastly, the advisory identifies some of the more common but most effective TTPs used by hackers, including Chinese MSS-affiliated hackers.
Vulnerabilities Targeted by Chinese MSS-affiliated Hackers
The vulnerabilities that CISA has seen targeted by Chinese MSS-affiliated hackers are listed below:
CVE-2020-5902: F5 Big-IP Vulnerability
This vulnerability allows a remote threat actor to access the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) without authentication and then achieve remote code execution.
CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances
This vulnerability is present in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP, and it allows remote unauthenticated attackers to execute commands.
CVE-2019-11510: Pulse Secure VPN Servers
This vulnerability allows unauthenticated remote attackers to send specially crafted URIs to connect to unprotected servers and read sensitive files, including user credentials.
CVE-2020-0688: Microsoft Exchange Server
This vulnerability is present in the Exchange Control Panel (ECP) component and is caused by Exchange's failure to generate unique cryptographic keys at installation time.
According to CISA, the threat actors have used the most common exploit toolkits to attack the targeted networks, including those listed below:
- China Chopper Web Shell
- Cobalt Strike
Apart from this, CISA is still investigating the full extent of this activity, and it also stated that the hackers may have used open-source resources and tools to target networks with weak security.
CISA, along with the FBI, recommends that all organizations audit their configuration and patch management programs on a day-to-day basis. Doing so ensures they can track and mitigate emerging threats, and a rigorous configuration and patch management program will hinder sophisticated attackers.
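As an added example (not code from CISA, the FBI, or this article), the following Python audit puts that recommendation and the four CVEs listed above into practice: it reads an asset inventory, flags every asset running one of the listed products that still lacks the matching fix, puts internet-facing gaps first, and reports assets whose product it cannot judge rather than skipping them. The inventory format, the product labels, and the host names are constructed assumptions.

```python
"""Patch-management audit keyed to the four CVEs named in the advisory.

Added example, not code from CISA, the FBI or the article. The inventory
format, product labels and host names are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass, field

# The four CVEs the article lists, with the product each affects (from the text above).
ADVISORY_CVES = {
    "CVE-2020-5902": "F5 BIG-IP (TMUI)",
    "CVE-2019-19781": "Citrix ADC / Gateway / SD-WAN WANOP",
    "CVE-2019-11510": "Pulse Secure VPN",
    "CVE-2020-0688": "Microsoft Exchange Server (ECP)",
}

# Assumed inventory product labels -> CVEs that apply to them.
PRODUCT_TO_CVES = {
    "f5-bigip": ("CVE-2020-5902",),
    "citrix-adc": ("CVE-2019-19781",),
    "citrix-gateway": ("CVE-2019-19781",),
    "citrix-sdwan-wanop": ("CVE-2019-19781",),
    "pulse-secure-vpn": ("CVE-2019-11510",),
    "exchange": ("CVE-2020-0688",),
}

# Constructed inventory. applied_patches lists CVE ids whose fix is confirmed installed.
SAMPLE_INVENTORY = """host,product,internet_facing,applied_patches
vpn1.example.test,Pulse-Secure-VPN,yes,
adc1.example.test,citrix-adc,yes,CVE-2019-19781
mail1.example.test,exchange,yes,
mail2.example.test,exchange,no,CVE-2020-0688
lb1.example.test,f5-bigip,yes,CVE-2020-5902
fileshare.example.test,windows-fileserver,no,
"""


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    cve: str
    internet_facing: bool


@dataclass
class AuditResult:
    findings: list = field(default_factory=list)  # unpatched advisory CVEs, worst first
    unmapped: list = field(default_factory=list)  # hosts whose product the audit cannot judge


def _truthy(value):
    return value.strip().lower() in {"yes", "true", "1", "y"}


def parse_inventory(text):
    """Parse the CSV inventory into dicts with normalised product names and a patch set."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        patches = {p.strip().upper() for p in row["applied_patches"].split(";") if p.strip()}
        assets.append({
            "host": row["host"].strip(),
            "product": row["product"].strip().lower(),
            "internet_facing": _truthy(row["internet_facing"]),
            "patches": patches,
        })
    return assets


def audit(inventory_text):
    """Flag every asset running an advisory-listed product without the matching patch."""
    result = AuditResult()
    for asset in parse_inventory(inventory_text):
        cves = PRODUCT_TO_CVES.get(asset["product"])
        if cves is None:
            # An unrecognised product is reported, not silently skipped: a patch audit
            # that ignores unknown assets is how exposed devices stay unpatched.
            result.unmapped.append(asset["host"])
            continue
        for cve in cves:
            if cve not in asset["patches"]:
                result.findings.append(
                    Finding(asset["host"], asset["product"], cve, asset["internet_facing"])
                )
    # Internet-facing gaps first: those are the initial-access path the advisory describes.
    result.findings.sort(key=lambda f: (not f.internet_facing, f.host, f.cve))
    return result


def report(result):
    """Render the audit result as text lines suitable for a ticket or daily summary."""
    lines = []
    for f in result.findings:
        exposure = "INTERNET-FACING" if f.internet_facing else "internal"
        lines.append(f"{exposure}: {f.host} ({f.product}) missing {f.cve} - {ADVISORY_CVES[f.cve]}")
    for host in result.unmapped:
        lines.append(f"UNMAPPED: {host} - product not in advisory mapping, verify manually")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_INVENTORY))))
```

On the constructed inventory the audit reports two internet-facing gaps (the Exchange server and the Pulse Secure VPN) and one unmapped host; the two patched edge devices and the patched internal Exchange server produce no findings. Running this against a real inventory on the recurring schedule the advisory recommends turns "audit your patch management" into a concrete, repeatable check.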
That is why CISA has also asserted that every private organization should have explicit knowledge of the tactics, techniques, and procedures (TTPs) used by these threat actors.