Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management

CISA: Chinese Hackers Targeting US Agencies

Groups Exploiting Unpatched Vulnerabilities
CISA: Chinese Hackers Targeting US Agencies

The U.S. Cybersecurity and Infrastructure Security Agency warned Monday that hacking groups backed by the Chinese Ministry of State Security are exploiting several unpatched vulnerabilities to target federal agencies.

See Also: Enabling Government for Modernized IT

The Chinese groups are also taking advantage of publicly available information and open source exploitation tools to target U.S. federal computer networks, CISA says.

"CISA has observed these - and other threat actors with varying degrees of skill - routinely using open-source information to plan and execute cyber operations," the Monday alert notes.

The Urgency of Patching

Because Chinese hackers are exploiting several well-known software vulnerabilities, CISA stresses that applying patches is the best defense.

"If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network," CISA notes.

The tools the Chinese hackers are using, according to CISA, include the Shodan search engine, used to identify vulnerable connected devices, and the Common Vulnerabilities and Exposure, or CVE, and the National Vulnerabilities, or NVD, databases. CISA notes it also uses these tools to help identify federal government systems susceptible to exploitation.

"Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits,” CISA says. “These information sources, therefore, contain invaluable information that can lead cyber threat actors to implement highly effective attacks.”

The Chinese threat actors often begin targeting, scanning and probing within days of a vulnerability being made public, CISA says, taking advantage of many organizations lagging in their patching of systems.

Threat Vectors

Among the more significant vulnerabilities currently being exploited by the China's Ministry of State Security are:

  • CVE-2020-5902: This vulnerability in F5’s Big-IP traffic management user interface enables cyber threat actors to execute arbitrary system commands, create or delete files, disable services and/or execute Java code (see: CISA: Attackers Are Exploiting F5 BIG-IP Vulnerability).
  • CVE-2019-19781: This flaw in Citrix VPN appliances enables hackers to execute directory traversal attacks.
  • CVE-2019-11510: This flaw in Pulse Secure VPN servers can enable hackers to gain access to networks.
  • CVE-2020-0688: This flaw in Microsoft Exchange Server can be used for remote code execution.

The Chinese hacking groups also are using penetration testing tools and others that are found on public software repositories sites, such as GitHub and Exploit DB. These tools include Cobalt Strike, China Chopper Web Shell and Mimikatz.

"Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions," CISA notes in the alert.

In recent months, CISA also has issued a series of alerts about increased distributed denial-of-service incidents and other attacks on the U.S. critical infrastructure.


About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.