CISA Gives Warning of Persistent Attacks by Chinese Hacking Groups Directed at F5, Citrix, Pulse Secure, and MS Exchange Vulnerabilities

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has given a security alert that hackers connected with China’s Ministry of State Security (MSS) are carrying out targeted cyberattacks on U.S. government bureaus and private sector firms.

The attacks are continuing for more than a year and generally target vulnerabilities in common networking tools like Pulse And Citrix Secure VPN appliances, Microsoft Exchange email servers, and F5 Big-IP load balancers. The hacking groups employ publicly available data and open source exploit applications in the attacks for instance Mimikatz, Cobalt Strike, And China Chopper. The hacking groups that have various levels of competency, make an effort to obtain access to national computer systems and sensitive business data and numerous attacks have become successful.

The hackers exploited software vulnerabilities that are common and patches were released to resolve the vulnerabilities, however, there are a lot of possible targets that have not applied the patches and are prone to attack.

A number of the frequently exploited vulnerabilities consist of:

  • Vulnerability CVE-2020-5902 in the F5 Big-IP Traffic Management Interface that attackers can exploit permitting them to execute arbitrary system commands, implement java code, create/delete files, and disable services.
  • Vulnerability CVE-2019-11510 in Pulse Secure VPN appliances may be exploited to obtain control of internal networks.
  • Vulnerability CVE-2019-19781 in Citrix VPN appliances could be exploited by threat actors to gain directory traversal.
  • Vulnerability CVE-2020-0688 in MS Exchange could be exploited to obtain access to Exchange servers and perform arbitrary code implementation.

There is no action that may be done to prevent these threats, nevertheless, a number of the successful attacks have got exploited recognized vulnerabilities. Scans are usually carried out after hours or days of publicly reporting a vulnerability. Considering that numerous public and private sector institutions tend not to implement patches immediately, it gives hackers the option to get access to networks. Implementing patches quickly is for that reason one of the preferred types of defense.

Whenever critical vulnerabilities continue to be unpatched, cyber threat actors can easily perform attacks without the need to produce tailor-made malware and exploits or make use of formerly unheard of vulnerabilities to strike a network.

Scans are being performed employing tools for example the Shodan search engine to recognize prospective targets that might be vulnerable to attacks. The hackers likewise make use of the National Vulnerabilities (NVD) and the Common Vulnerabilities and Exposure (CVE) databases to acquire specific details concerning vulnerabilities that could be exploited.

CISA explained that all these data sources offer users knowledge of a distinct vulnerability, and also a checklist of systems that could be vulnerable to attempted exploits. These data sources for that reason include very helpful data that may allow cyber threat actors to employ highly productive attacks.

These attackers frequently use other techniques including spear-phishing and brute force attempts to recognize weak passwords. It is hence crucial to implement using strong passwords, providing phishing awareness training to the personnel, and employ software applications that could identify/stop phishing attacks.