
A new joint advisory from US CISA, the FBI, and the NSA states that Chinese state-sponsored threat actors continue to exploit known vulnerabilities to target US and allied networks and companies.
They use an increasing array of new and adaptive techniques, some of which pose a significant risk to Information Technology Sector organizations, Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.
The primary goals of the threat actors are to steal intellectual property and to develop access into sensitive networks. The three agencies found that the actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access.
They then exploit the vulnerabilities listed below to surreptitiously gain unauthorized access to sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks.
| Vendor | CVE | Vulnerability Type |
| --- | --- | --- |
| Apache Log4j | CVE-2021-44228 | Remote Code Execution |
| Apache | CVE-2022-24112 | Authentication Bypass by Spoofing |
| Apache HTTP Server | CVE-2021-41773 | Path Traversal |
| Atlassian | CVE-2022-26134 | Remote Code Execution |
| Atlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution |
| Buffalo WSR | CVE-2021-20090 | Relative Path Traversal |
| Cisco HyperFlex | CVE-2021-1497 | Command Line Execution |
| Citrix ADC | CVE-2019-19781 | Path Traversal |
| F5 BIG-IP | CVE-2020-5902 | Remote Code Execution |
| F5 BIG-IP | CVE-2022-1388 | Remote Code Execution |
| GitLab CE/EE | CVE-2021-22205 | Remote Code Execution |
| Hikvision Webserver | CVE-2021-36260 | Command Injection |
| Microsoft | CVE-2021-26857 | Remote Code Execution |
| Microsoft | CVE-2021-26858 | Remote Code Execution |
| Microsoft | CVE-2021-27065 | Remote Code Execution |
| Microsoft Exchange | CVE-2021-26855 | Remote Code Execution |
| Pulse Connect Secure | CVE-2019-11510 | Arbitrary File Read |
| Sitecore XP | CVE-2021-42237 | Remote Code Execution |
| VMware vCenter Server | CVE-2021-22005 | Arbitrary File Read |
| ZOHO | CVE-2021-40539 | Remote Code Execution |
Recommendations from the advisory for mitigating the risk:
- Update and patch systems as soon as possible. Prioritize patching the vulnerabilities identified in the Cybersecurity Advisory (CSA) and other known exploited vulnerabilities.
- Use phishing-resistant multi-factor authentication wherever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised.
- Block obsolete or unused protocols at the network edge.
- Upgrade or replace end-of-life devices.
- Move toward the Zero Trust security model.
- Enable robust logging of internet-facing systems and monitor the logs for anomalous activity.
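One way to act on the first recommendation, shown here as an added example rather than anything from the advisory itself: turn the CVE table above into a patch-first list for the assets an organization actually runs. The script embeds a subset of the table's rows (including the duplicated F5 entry, to show it being collapsed) and a constructed, hypothetical inventory; the hostnames and keyword sets are assumptions.

```python
import re

# Rows copied from the advisory table on this page (a subset, including the
# repeated F5 entry on purpose; parse_table() drops the duplicate).
ADVISORY_TABLE = """\
Apache Log4j | CVE-2021-44228 | Remote Code Execution |
Atlassian | CVE-2022-26134 | Remote Code Execution |
Atlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution |
F5 Big-IP | CVE-2020-5902 | Remote Code Execution |
F5 Big-IP | CVE-2020-5902 | Remote Code Execution |
F5 Big-IP | CVE-2022-1388 | Remote Code Execution |
Microsoft | CVE-2021-26857 | Remote Code Execution |
Microsoft | CVE-2021-26858 | Remote Code Execution |
Microsoft | CVE-2021-27065 | Remote Code Execution |
Microsoft Exchange | CVE-2021-26855 | Remote Code Execution |
Pulse Connect Secure | CVE-2019-11510 | Arbitrary File Read |
"""

# Constructed, hypothetical inventory of internet-facing assets:
# hostname -> lower-case tokens that identify the product it runs.
INVENTORY = {
    "edge-vpn-01": {"pulse"},
    "mail-01": {"microsoft", "exchange"},
    "wiki-01": {"atlassian", "confluence"},
    "lb-01": {"f5"},
    "git-01": {"gitlab"},  # no GitLab row in the subset above: expect no hits
}

def tokens(text):
    """Case-insensitive word tokens, so 'F5 Big-IP' -> {'f5', 'big', 'ip'}."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def parse_table(text):
    """Return unique (vendor, cve, vuln_type) tuples in page order."""
    rows = []
    for line in text.splitlines():
        cells = tuple(c.strip() for c in line.strip().strip("|").split("|"))
        if len(cells) == 3 and re.fullmatch(r"CVE-\d{4}-\d{4,}", cells[1]) and cells not in rows:
            rows.append(cells)
    return rows

def prioritize(rows, inventory):
    """Map each asset to advisory CVEs whose vendor cell names its product;
    a bare 'Microsoft' row matching every Microsoft asset is a deliberate over-match."""
    hits = {}
    for asset, keywords in inventory.items():
        cves = [cve for vendor, cve, _ in rows if keywords & tokens(vendor)]
        if cves:
            hits[asset] = cves
    return hits
```

Bare vendor rows over-match by design: a hit means "review this asset against the CVE", not "this asset is confirmed vulnerable".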