CISA: Chinese Hackers Targeting US AgenciesGroups Exploiting Unpatched Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency warned Monday that hacking groups backed by the Chinese Ministry of State Security are exploiting several unpatched vulnerabilities to target federal agencies.
The Chinese groups are also taking advantage of publicly available information and open source exploitation tools to target U.S. federal computer networks, CISA says.
"CISA has observed these - and other threat actors with varying degrees of skill - routinely using open-source information to plan and execute cyber operations," the Monday alert notes.
The Urgency of Patching
Because Chinese hackers are exploiting several well-known software vulnerabilities, CISA stresses that applying patches is the best defense.
"If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network," CISA notes.
The tools the Chinese hackers are using, according to CISA, include the Shodan search engine, used to identify vulnerable connected devices, and the Common Vulnerabilities and Exposure, or CVE, and the National Vulnerabilities, or NVD, databases. CISA notes it also uses these tools to help identify federal government systems susceptible to exploitation.
"Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits,” CISA says. “These information sources, therefore, contain invaluable information that can lead cyber threat actors to implement highly effective attacks.”
The Chinese threat actors often begin targeting, scanning and probing within days of a vulnerability being made public, CISA says, taking advantage of many organizations lagging in their patching of systems.
Among the more significant vulnerabilities currently being exploited by the China's Ministry of State Security are:
- CVE-2020-5902: This vulnerability in F5’s Big-IP traffic management user interface enables cyber threat actors to execute arbitrary system commands, create or delete files, disable services and/or execute Java code (see: CISA: Attackers Are Exploiting F5 BIG-IP Vulnerability).
- CVE-2019-19781: This flaw in Citrix VPN appliances enables hackers to execute directory traversal attacks.
- CVE-2019-11510: This flaw in Pulse Secure VPN servers can enable hackers to gain access to networks.
- CVE-2020-0688: This flaw in Microsoft Exchange Server can be used for remote code execution.
The Chinese hacking groups also are using penetration testing tools and others that are found on public software repositories sites, such as GitHub and Exploit DB. These tools include Cobalt Strike, China Chopper Web Shell and Mimikatz.
"Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions," CISA notes in the alert.