A new advisory from CISA in the US outlines recent tactics, techniques, & procedures (TTPs) used by Chinese nation state hackers to target US agencies, & maps them to MITRE ATT&CK Framework identifiers.
The US Govt. continues to publicise well-known vulnerabilities in products from F5, Citrix, Pulse Secure, & others.
CISA – the US Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency – warned that Chinese state hackers are using open source information & common exploits, including exploits for the vulnerabilities in those products, with some success to target US Govt. agencies.
Chinese Ministry of State Security
CISA stressed that attackers affiliated with the Chinese Ministry of State Security (MSS) have been seen targeting the F5 BIG-IP vulnerability (CVE-2020-5902), the Citrix VPN appliance vulnerability (CVE-2019-19781), the Pulse Secure VPN vulnerability (CVE-2019-11510), & a Microsoft Exchange Server vulnerability (CVE-2020-0688) disclosed earlier this year.
The agency says it has seen Chinese MSS-affiliated actors use spear phishing emails with embedded links to either attacker-owned infrastructure or compromised or poisoned sites.
The attackers are also using brute-force & credential-stuffing attacks, network service scanning, & email collection to further their efforts.
One part of the advisory that threat hunters may find useful is its list of Tactics, Techniques, & Procedures (TTPs), each mapped to a MITRE ATT&CK identifier, that the nation state hackers have used.
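The brute-force & credential-stuffing activity mentioned above looks different in authentication logs, & a hunter wants to tell the 2 apart: brute force hammers 1 account with many passwords, while stuffing tries many accounts with 1 leaked password each. The following is an added example (not code from the CISA advisory or from this article) that classifies source IPs in a constructed VPN auth log on that basis; the key=value log format, the thresholds & all IP addresses & usernames are assumptions made for the example.

```python
"""Added example (not part of the CISA advisory or this article): telling
credential stuffing apart from classic brute force in VPN / SSO auth logs.

Brute force:         one account, many passwords  -> one user, many failures.
Credential stuffing: many accounts, one leaked password each -> one source
                     IP, many distinct users, each tried only once or twice.
The log format, thresholds, IPs and usernames below are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value authentication log format.
SAMPLE_AUTH_LOG = """\
2020-09-14T10:00:01Z vpn auth result=fail user=alice src=203.0.113.10
2020-09-14T10:00:02Z vpn auth result=fail user=bob src=203.0.113.10
2020-09-14T10:00:03Z vpn auth result=fail user=carol src=203.0.113.10
2020-09-14T10:00:04Z vpn auth result=fail user=dave src=203.0.113.10
2020-09-14T10:00:05Z vpn auth result=fail user=erin src=203.0.113.10
2020-09-14T10:00:06Z vpn auth result=fail user=frank src=203.0.113.10
2020-09-14T10:00:07Z vpn auth result=ok user=grace src=203.0.113.10
2020-09-14T10:01:00Z vpn auth result=fail user=admin src=198.51.100.7
2020-09-14T10:01:01Z vpn auth result=fail user=admin src=198.51.100.7
2020-09-14T10:01:02Z vpn auth result=fail user=admin src=198.51.100.7
2020-09-14T10:01:03Z vpn auth result=fail user=admin src=198.51.100.7
2020-09-14T10:01:04Z vpn auth result=fail user=admin src=198.51.100.7
2020-09-14T10:01:05Z vpn auth result=fail user=admin src=198.51.100.7
2020-09-14T10:02:00Z vpn auth result=fail user=alice src=192.0.2.5
2020-09-14T10:02:30Z vpn auth result=ok user=alice src=192.0.2.5
"""

AUTH_RE = re.compile(r"result=(?P<result>\w+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)")


def parse_auth(lines):
    """Yield {'result', 'user', 'src'} for every line that matches the format."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.groupdict()


def classify_sources(lines, min_failures=5, stuffing_ratio=0.8):
    """Per source IP: label as 'credential_stuffing', 'brute_force' or 'ok'.

    min_failures   - below this many failures a source is not judged at all.
    stuffing_ratio - distinct_users / failures at or above this means the source
                     is cycling through accounts rather than passwords.
    'succeeded' lists accounts that logged in from the same source, i.e. the
    candidates for a compromised credential after a stuffing run.
    """
    failures = defaultdict(int)
    failed_users = defaultdict(set)
    succeeded = defaultdict(set)
    for ev in parse_auth(lines):
        if ev["result"] == "fail":
            failures[ev["src"]] += 1
            failed_users[ev["src"]].add(ev["user"])
        elif ev["result"] == "ok":
            succeeded[ev["src"]].add(ev["user"])

    verdicts = {}
    for src, n in failures.items():
        distinct = len(failed_users[src])
        if n < min_failures:
            label = "ok"
        elif distinct / n >= stuffing_ratio:
            label = "credential_stuffing"
        else:
            label = "brute_force"
        verdicts[src] = {
            "label": label,
            "failures": n,
            "distinct_users": distinct,
            "succeeded": sorted(succeeded[src]),
        }
    return verdicts


if __name__ == "__main__":
    for src, v in classify_sources(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{src:15} {v['label']:20} failures={v['failures']} "
              f"distinct_users={v['distinct_users']} succeeded={v['succeeded']}")
```

On the sample, 203.0.113.10 fails 6 times against 6 different accounts & then logs in as `grace`, which is the stuffing pattern plus a probable account takeover to investigate; 198.51.100.7 fails 6 times against `admin` alone, the brute-force pattern; 192.0.2.5 is a user who mistyped once. Because the advisory notes the actors work through proxy services & VPNs, group by source IP only as a first cut: a stuffing run spread over a proxy pool needs the same per-account view across all sources.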
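For threat hunters, the most concrete use of the advisory is checking whether the 4 CVEs it names were ever probed on their own edge devices. The following is an added example (not code from the CISA advisory or this article) that scans constructed Common Log Format access-log lines for the widely published request patterns of CVE-2019-19781, CVE-2019-11510, CVE-2020-5902 & CVE-2020-0688; the log lines & IP addresses are constructed, & the Exchange rule (a `__VIEWSTATE` parameter in a GET query string to `/ecp/`) is a heuristic rather than a vendor signature.

```python
"""Added example (not part of the CISA advisory or this article): hunting web
access logs for exploitation attempts against the four CVEs the advisory lists.
The request patterns are the widely published indicators for each bug; the log
lines and addresses are constructed for the example."""
import re

# Common Log Format (CLF) access-log line: src, ident, user, [ts], "req", status, size.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# (CVE, required HTTP method or None, regex applied to the RAW request target).
# The traversal sequences are the signal, so do not URL-normalise before matching.
INDICATORS = [
    # Citrix ADC/Gateway: /vpn/../vpns/ escapes into the unauthenticated Perl scripts.
    ("CVE-2019-19781", None, re.compile(r"/vpn/\.\./vpns/|^/vpns/")),
    # Pulse Secure: arbitrary file read through the dana/html5acc/guacamole path.
    ("CVE-2019-11510", None, re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/")),
    # F5 BIG-IP TMUI: '..;' traversal from login.jsp into authenticated JSPs.
    ("CVE-2020-5902", None, re.compile(r"/tmui/login\.jsp/\.\.;/")),
    # Exchange ECP (heuristic): __VIEWSTATE in a GET query string; browsers send it in a POST body.
    ("CVE-2020-0688", "GET", re.compile(r"^/ecp/.*[?&]__VIEWSTATE=")),
]

# Constructed sample log: five probes from three external sources, three benign requests.
SAMPLE_ACCESS_LOG = """\
203.0.113.44 - - [14/Sep/2020:10:15:01 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1241
203.0.113.44 - - [14/Sep/2020:10:15:02 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.9 - - [14/Sep/2020:10:16:10 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1833
198.51.100.9 - - [14/Sep/2020:10:17:05 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 2210
192.0.2.77 - - [14/Sep/2020:10:18:00 +0000] "GET /ecp/default.aspx?__VIEWSTATE=AAEAAAD%2F%2F%2F%2F%2F HTTP/1.1" 500 0
10.0.0.5 - - [14/Sep/2020:10:19:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
10.0.0.6 - - [14/Sep/2020:10:19:05 +0000] "POST /ecp/default.aspx HTTP/1.1" 200 4096
10.0.0.7 - - [14/Sep/2020:10:19:09 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3000
"""


def parse_clf(line):
    """Return the CLF fields as a dict, or None for lines that do not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines):
    """Return one hit dict per (line, CVE) match.  'served' is True when the
    device answered 200 to the probe, i.e. it probably was unpatched at the time."""
    hits = []
    for line in lines:
        ev = parse_clf(line)
        if not ev:
            continue
        for cve, method, pattern in INDICATORS:
            if method and ev["method"] != method:
                continue
            if pattern.search(ev["target"]):
                hits.append({"src": ev["src"], "cve": cve, "target": ev["target"],
                             "served": ev["status"] == "200"})
    return hits


def hits_by_cve(lines):
    """Count hits per CVE, handy for a quick summary of what was probed."""
    counts = {}
    for h in hunt(lines):
        counts[h["cve"]] = counts.get(h["cve"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in hunt(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{h['cve']}  src={h['src']}  served={h['served']}  {h['target']}")
    print(hits_by_cve(SAMPLE_ACCESS_LOG.splitlines()))
```

A hit with `served` true on a traversal path means the appliance returned content to an unauthenticated request & should be treated as possibly compromised, not merely probed; the 500 on the Exchange line says nothing either way, since a malformed payload also fails. The patterns are deliberately narrow, so expect attackers to vary encodings; pair this with a version inventory of the devices rather than relying on log matches alone.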
In CISA’s guidance, which was authored with help from the FBI, the agencies stress that these hackers will continue to exploit these vulnerabilities wherever they remain unpatched, which could go on to impact networks across the federal sphere & possibly result in “loss of critical data or personally identifiable information.”
While the techniques the MSS-affiliated hackers are using may not be surprising, the information could help entities in the US Federal Govt. detect future attacks.
According to CISA’s analysts, the attackers focus on recently disclosed vulnerabilities that have open source exploits, & route their activity through network proxy service IP addresses & VPNs.
“Cyber threat actors can continue to successfully launch these types of low-complexity attacks—as long as misconfigurations in operational environments, & immature patch management programs, remain in place by taking advantage of common vulnerabilities using readily available exploits & information,” the agency further added.
This is not the 1st time CISA, or any govt. entity for that matter, has asked organisations to patch these bugs.
The FBI warned last month that hackers affiliated with the Iranian Govt. were also targeting F5 BIG-IP application delivery controller devices, in addition to the same Pulse Secure & Citrix VPN devices & appliances.
After first warning about it in 2019, CISA doubled down on the Pulse Secure VPN vulnerability in Jan., encouraging organisations to patch their servers if they had not already. CISA, along with the FBI, reiterated those dangers in April & again in May, stressing that the vulnerability, along with the Citrix VPN vulnerability, was shaping up to be among the year’s worst.
The TTPs also appear to describe the activity of 2 Chinese hackers indicted earlier this Summer, who broke into 100s of systems over the last several years.
Guangdong State Security
Working for the Ministry of State Security’s (MSS) Guangdong State Security Department (GSSD), the hackers notably targeted systems belonging to several companies developing COVID-19 vaccines this spring. While the DOJ, announcing the indictment in July, didn’t say the 2 successfully stole any research or technology, it did say they probed those companies’ networks for vulnerabilities.
Organisations that have not already done so need to make patching these vulnerabilities a priority. Once patched, firms should audit their configuration & patch management programs to make sure they can keep pace with emerging threats in the future.