The Cybersecurity and Infrastructure Security Agency (CISA) has published a security advisory today warning of a wave of attacks carried out by hacking groups affiliated with China’s Ministry of State Security (MSS).
CISA says that over the past year, Chinese hackers have scanned US government networks for the presence of popular networking devices and then used exploits for recently disclosed vulnerabilities to gain a foothold on sensitive networks.
The list of targeted devices includes F5 BIG-IP load balancers, Citrix and Pulse Secure VPN appliances, and Microsoft Exchange email servers.
For each of these devices, major vulnerabilities have been publicly disclosed over the past 12 months, such as CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, and CVE-2020-0688, respectively.
According to a table published by CISA today summarizing Chinese activity targeting these devices, some of the attacks have been successful and enabled Chinese hackers to gain a foothold on federal networks.
Iranian hackers are also targeting these systems
These attacks aren’t new, per se. ZDNet reported last year that Chinese state hackers had targeted Pulse Secure and Fortinet VPN servers less than a month after the vulnerabilities became public.
In addition, Chinese hackers aren’t the only ones targeting these particular networking appliances. The devices listed above have also been targeted by Iranian state actors, according to a report from the private cyber-security sector and a cyber-security alert published by the FBI last month.
One Iranian group has mass-compromised these types of devices and then provided access to fellow Iranian groups, allowing them to select the networks they wanted to compromise for intelligence-gathering operations. The compromised devices that were not selected were later put up for sale on underground hacking forums, according to a CrowdStrike report.
Other forms of attacks also detected
The CISA alert warns the US private sector and government agencies to patch F5, Citrix, Pulse Secure, and Microsoft Exchange devices. However, the alert also warns that Chinese hackers are employing a wide spectrum of other intrusion methods.
These also include the use of spear-phishing emails — a classic attack employed by Chinese state actors — and the use of brute-force attacks leveraging weak or default credentials.
Once Chinese hackers are inside targeted networks, they also often deploy commercial and open-source tools to move laterally across networks and exfiltrate data. This includes the use of legitimate penetration-testing tools like Cobalt Strike and Mimikatz.
When attacks target public-facing web systems such as VPN, web, and email servers, CISA said it often spotted Chinese state hackers deploying the China Chopper web shell, a common tool they’ve used for almost a decade.
CISA officials recommend that security teams in private-sector companies and government agencies read its report, take note of the common tactics, techniques, and procedures (TTPs) used by Chinese state actors, patch the affected devices, and deploy detection rules accordingly.