
NSA Warns Chinese Nation-State Actors Exploiting Vulnerabilities

DHS CISA is encouraging organizations to prioritize patching of 25 common vulnerabilities, as an NSA alert shows Chinese nation-state actors are actively exploiting those flaws.

Chinese nation-state actors are actively scanning for and exploiting 25 common vulnerabilities and exposures (CVEs), which has enabled multiple successful intrusions across a range of victims, according to an alert from the National Security Agency (NSA) that was highlighted by the Department of Homeland Security (DHS).

NSA called the activity one of the greatest threats to US security: Chinese-backed hackers are leveraging a range of tactics and techniques to exploit networks that store or manage sensitive intellectual property, as well as economic, political, and military information.

The alert joins three other warnings from the FBI, DHS, and the Department of Justice (DOJ) regarding the threat of hackers with ties to China. In May, the agencies warned of an active campaign against research facilities working on the COVID-19 response and that some had already been compromised.

By August, federal agencies had identified a new malware variant called Taidoor, tied to the Chinese government, which targets US organizations to maintain a persistent presence on victim networks and for other malicious activities. 

Meanwhile, DOJ indicted two Chinese-backed hackers over a 10-year campaign that targeted and hacked hundreds of US organizations to steal valuable data, including COVID-19 research information. 

The latest Chinese-backed campaign is solely focused on exploiting publicly known vulnerabilities. The hackers first identify a target, gather information on the enterprise, identify further flaws associated with the victim, develop or reuse an exploit on the identified vulnerabilities, and launch the exploitation operation. 

NSA provided a list of the 25 most commonly exploited vulnerabilities. DHS and the FBI previously reported the 10 most exploited vulnerabilities of the last four years, which can also provide further details on these flaws.

The list included previously reported and patched vulnerabilities found in Pulse Secure Virtual Private Networks (VPNs) that can allow for an unauthenticated remote attack, Citrix Application Delivery Controller (ADC) and Gateway that enables directory traversal and can lead to remote code execution attacks, and a remote code execution flaw in Remote Desktop Services. 

These three critical vulnerabilities have been the subject of repeated warnings, because they continue to be actively targeted and exploited by hacking groups. Despite these warnings, some organizations have failed to apply the available software updates.

Chinese hackers are also targeting a known flaw in MobileIron’s mobile device management software, which the FBI and DHS recently warned was being used in cyberattacks that chained vulnerabilities together for a greater impact. 

NetLogon vulnerabilities, the Exim Mail transfer agent, and a critical flaw in certain Cisco Discovery Protocol implementations, found in millions of devices, are also being targeted by these nation-state actors. Other hacking groups have previously found success in exploiting these flaws. 

Exploiting these vulnerabilities gives attackers initial access through products that are directly accessible from the internet and that act as gateways into internal networks.

“The majority of the products are either for remote access or for external web services and should be prioritized for immediate patching,” NSA warned.  

While some patching alerts for these flaws provided additional mitigations, NSA explained that organizations can avoid falling victim to these attacks by keeping systems and products updated, applying each patch as soon as administrators are able to once it is released.
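The alert's prioritization rule (actively exploited CVE, internet-facing, remote-access or external web-service product) can be applied mechanically to an asset inventory. The script below is an added example, not code from NSA or from the article; the CVE identifiers, host names and scoring weights are constructed placeholders, not the 25 CVEs from the alert, and the `must_rotate_credentials` check reflects the alert's point that patching does not undo credentials stolen beforehand.

```python
"""Added example: rank a constructed asset inventory for patching using the
criteria from the NSA alert. CVE ids, hosts and weights are constructed."""
from dataclasses import dataclass, field

# Constructed placeholder for the alert's list of actively exploited CVEs.
ACTIVELY_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"}

# Product roles the alert says to prioritize for immediate patching.
PRIORITY_ROLES = {"remote-access", "external-web"}


@dataclass
class Asset:
    host: str
    role: str               # "remote-access", "external-web", "internal-app", ...
    internet_facing: bool
    open_cves: list = field(default_factory=list)


def patch_score(asset):
    """Higher score = patch sooner. The weights are an assumption for this example."""
    exploited = [c for c in asset.open_cves if c in ACTIVELY_EXPLOITED]
    score = 0
    if exploited:
        score += 50 + 10 * len(exploited)      # known active exploitation dominates
    if asset.internet_facing:
        score += 30                            # reachable by the scanning described
    if asset.role in PRIORITY_ROLES:
        score += 20                            # remote access / external web service
    if asset.open_cves and not exploited:
        score += 5                             # still unpatched, but no known campaign
    return score


def prioritize(assets):
    """Return assets ordered for patching, most urgent first; ties broken by host name."""
    return sorted(assets, key=lambda a: (-patch_score(a), a.host))


def must_rotate_credentials(asset):
    """An internet-facing asset carrying an actively exploited CVE may already have
    been reached, and a patch does not revoke credentials stolen before it was applied,
    so flag it for password changes and account review."""
    return asset.internet_facing and any(c in ACTIVELY_EXPLOITED for c in asset.open_cves)


# Constructed inventory for the example.
INVENTORY = [
    Asset("vpn-edge-1", "remote-access", True, ["CVE-0000-0001"]),
    Asset("web-portal", "external-web", True, ["CVE-0000-0009"]),
    Asset("mdm-server", "remote-access", False, ["CVE-0000-0002"]),
    Asset("hr-app", "internal-app", False, []),
    Asset("mail-relay", "external-web", True, ["CVE-0000-0003", "CVE-0000-0002"]),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        flag = "  (review accounts/credentials)" if must_rotate_credentials(a) else ""
        print(f"{patch_score(a):3d}  {a.host:12s} {a.role:14s} {a.open_cves}{flag}")
```

The ordering puts the internet-facing mail relay and VPN edge with exploited CVEs first, the internal MDM server next, and the externally reachable portal with a non-campaign CVE after that; only the internet-facing hosts with exploited CVEs are flagged for credential review.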

Further, it’s imperative these organizations understand and expect that any stolen or modified credentials, accounts, or software taken prior to patching a device will not be protected by a software update. Rather, password changes and account reviews should become a crucial part of any security program.

Administrators should also disable external management capabilities on impacted devices and set up an out-of-band management network, while blocking unused or obsolete protocols at the network edge and disabling them in device configurations.

Internet-facing endpoints and services must be isolated in a network demilitarized zone (DMZ) to reduce the threat of exposure. Administrators must also enable robust logging of all internet-facing services, while monitoring those logs for any signs of compromise. 
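The logging and monitoring recommendation is concrete enough to show in code. The monitor below is an added example, not from NSA or the article: it reads access-log lines from an internet-facing web front end and flags directory-traversal attempts (the class of flaw the article attributes to the Citrix ADC bug), a single source probing many distinct paths, and any request to a management interface from outside an allowlist (management should only be reachable out of band). The log lines, addresses, the `/admin` and `/manage` prefixes, and the threshold are all constructed for the example.

```python
"""Added example: flag signs of compromise in constructed access-log lines
from an internet-facing service. Paths, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined-log-style line: source, identd, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# A ".." path segment bounded by slashes (or line start/end) after decoding.
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
# Hypothetical management-interface prefixes and the out-of-band host allowed to use them.
MGMT_PREFIXES = ("/admin", "/manage")
MGMT_ALLOWLIST = {"10.0.9.5"}
SCAN_THRESHOLD = 5   # distinct 404 paths from one source before we call it scanning


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode twice so both encoded and double-encoded "../" normalize to "../".
    rec["decoded_path"] = unquote(unquote(rec["path"]))
    return rec


def is_traversal(decoded_path):
    return bool(TRAVERSAL_RE.search(decoded_path))


def analyze(lines):
    """Return a list of (source, finding) tuples for the given log lines."""
    findings = []
    not_found = defaultdict(set)   # source -> distinct paths that returned 404
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, path = rec["src"], rec["decoded_path"]
        if is_traversal(path):
            findings.append((src, f"traversal attempt: {rec['path']}"))
        if path.startswith(MGMT_PREFIXES) and src not in MGMT_ALLOWLIST:
            findings.append((src, f"management path from non-allowlisted source: {path}"))
        if rec["status"] == 404:
            not_found[src].add(path)
    for src, paths in not_found.items():
        if len(paths) >= SCAN_THRESHOLD:
            findings.append((src, f"scanning: {len(paths)} distinct 404 paths"))
    return findings


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Oct/2020:10:00:01 +0000] "GET /portal/%2e%2e/%2e%2e/config HTTP/1.1" 404',
    '203.0.113.7 - - [20/Oct/2020:10:00:02 +0000] "GET /a HTTP/1.1" 404',
    '203.0.113.7 - - [20/Oct/2020:10:00:02 +0000] "GET /b HTTP/1.1" 404',
    '203.0.113.7 - - [20/Oct/2020:10:00:03 +0000] "GET /c HTTP/1.1" 404',
    '203.0.113.7 - - [20/Oct/2020:10:00:03 +0000] "GET /d HTTP/1.1" 404',
    '198.51.100.20 - - [20/Oct/2020:10:05:00 +0000] "GET /admin/login HTTP/1.1" 200',
    '10.0.9.5 - - [20/Oct/2020:10:06:00 +0000] "GET /admin/login HTTP/1.1" 200',
    '192.0.2.8 - - [20/Oct/2020:10:07:00 +0000] "GET /index.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for src, msg in analyze(SAMPLE_LOG):
        print(f"{src:15s} {msg}")
```

Against the sample, the monitor reports the encoded traversal and the scanning burst from the first source, and the management login from the non-allowlisted address; the same path from the out-of-band host is silent, which is the behaviour the alert's out-of-band management recommendation is meant to make enforceable.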

“Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts,” NSA warned. “The same process for planning the exploitation of a computer network by any sophisticated cyber actor is used by Chinese state-sponsored hackers.” 

“NSA recommends that critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact US policies, strategies, plans, and competitive advantage,” the agency added. “Due to the various systems and networks that could be impacted by the information in this product outside of these sectors, NSA recommends that the CVEs above be prioritized for action by all network defenders.”

The DHS Cybersecurity and Infrastructure Security Agency (CISA) also urged immediate patching and recommended that entities review a previous CISA alert on the potential for increased Chinese-backed hacking attempts amid US-China tensions.

The advisory urged organizations to adopt a heightened state of awareness and vigilance, along with a review of reporting processes and incident response plans to confirm their effectiveness and to ensure workforce members understand the severity of the current threat landscape.

Given healthcare’s serious challenges with patching and the rise in ransomware, providers must adhere to these warnings. Nation-state actors have been problematic for the healthcare sector for many years, with the DOJ indicting several hacking groups with ties to foreign governments. 

Most recently, six Russian-backed hackers were indicted for a range of destructive attacks, including the global NotPetya incident in 2017. The Chinese-backed hackers behind the massive 2015 Anthem breach were indicted in May 2019, while the Iranian threat actors behind SamSam – which pummeled the healthcare sector – were indicted in November 2018.
