June 7, 2023

A new joint advisory from US CISA, FBI, and NSA states that Chinese state-sponsored threat actors continue to exploit known vulnerabilities to target US and allied networks and companies.

They use an increasing array of new and adaptive techniques, some of which pose a significant risk to Information Technology Sector organizations, Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.

The primary goals of the threat actors are to steal intellectual property and to develop access into sensitive networks. The three agencies found that the actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access.

They then use the vulnerabilities listed in the table below to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks.

| Vendor | CVE | Vuln Type |
| --- | --- | --- |
| Apache Log4j | CVE-2021-44228 | Remote Code Execution |
| Apache | CVE-2022-24112 | Authentication Bypass by spoofing |
| Apache HTTP Server | CVE-2021-41773 | Path Traversal |
| Atlassian | CVE-2022-26134 | Remote Code Execution |
| Atlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution |
| Buffalo WSR | CVE-2021-20090 | Relative Path Traversal |
| Cisco Hyperflex | CVE-2021-1497 | Command Line Execution |
| Citrix ADC | CVE-2019-19781 | Path Traversal |
| F5 Big-IP | CVE-2020-5902 | Remote Code Execution |
| F5 Big-IP | CVE-2022-1388 | Remote Code Execution |
| GitLab CE/EE | CVE-2021-22205 | Remote Code Execution |
| Hikvision Webserver | CVE-2021-36260 | Command Injection |
| Microsoft | CVE-2021-26857 | Remote Code Execution |
| Microsoft | CVE-2021-26858 | Remote Code Execution |
| Microsoft | CVE-2021-27065 | Remote Code Execution |
| Microsoft Exchange | CVE-2021-26855 | Remote Code Execution |
| Pulse Connect Secure | CVE-2019-11510 | Arbitrary File Read |
| Sitecore XP | CVE-2021-42237 | Remote Code Execution |
| VMware vCenter Server | CVE-2021-22005 | Arbitrary File Read |
| ZOHO | CVE-2021-40539 | Remote Code Execution |
Recommendations for mitigating the risks:

  • Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this Cybersecurity Advisory (CSA) and other known exploited vulnerabilities.
  • Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised.
  • Block obsolete or unused protocols at the network edge.
  • Upgrade or replace end-of-life devices.
  • Move toward the Zero Trust security model.
  • Enable robust logging of internet-facing systems and monitor the logs for anomalous activity.
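The first recommendation, prioritizing the advisory's CVEs over everything else a scanner reports, can be turned into a small triage step. The following is an added example, not code from the advisory or this post: it parses a subset of the CVE table above (including the F5 Big-IP row, which the page prints twice), joins it against a constructed scanner export for hypothetical hosts, and orders the matches with an assumed severity ranking by vulnerability type.

```python
import re
# Subset of the advisory's CVE table as printed on the page (vendor | CVE | type);
# the F5 Big-IP row is repeated on the page and kept twice here to exercise dedup.
ADVISORY_TABLE = """\
Apache Log4j | CVE-2021-44228 | Remote Code Execution
Apache HTTP Server | CVE-2021-41773 | Path Traversal
F5 Big-IP | CVE-2020-5902 | Remote Code Execution
F5 Big-IP | CVE-2020-5902 | Remote Code Execution
Microsoft Exchange | CVE-2021-26855 | Remote Code Execution
Pulse Connect Secure | CVE-2019-11510 | Arbitrary File Read
"""

# Constructed scanner export (hypothetical hosts): host -> CVE ids flagged.
# "CVE-XXXX-NOTLISTED" is a placeholder for a finding outside the advisory.
SCAN_EXPORT = {
    "vpn-gw-01": ["CVE-2019-11510", "CVE-XXXX-NOTLISTED"],
    "mail-01": ["cve-2021-26855", "CVE-2021-41773"],
    "lb-edge-02": ["CVE-2020-5902"],
}

# Assumed triage order (an editorial choice, not the advisory's): RCE first.
TYPE_RANK = {
    "Remote Code Execution": 0, "Command Injection": 1, "Command Line Execution": 1,
    "Authentication Bypass by spoofing": 2, "Path Traversal": 3,
    "Relative Path Traversal": 3, "Arbitrary File Read": 4,
}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_advisory(text):
    """Return {cve_id: (vendor, vuln_type)}; repeated rows collapse to one."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        vendor, cve, vuln_type = (col.strip() for col in line.split("|"))
        if not CVE_RE.fullmatch(cve):
            raise ValueError(f"malformed CVE id in table row: {line!r}")
        entries.setdefault(cve, (vendor, vuln_type))
    return entries


def prioritize(scan, advisory):
    """Advisory-matching scanner findings as (cve, host, vendor, type), RCE first."""
    hits = []
    for host, cves in scan.items():
        for cve in (c.upper() for c in cves):
            if cve in advisory:
                vendor, vuln_type = advisory[cve]
                hits.append((TYPE_RANK.get(vuln_type, 99), cve, host, vendor, vuln_type))
    return [hit[1:] for hit in sorted(hits)]
```

Findings not in the advisory table are dropped from this list on purpose; they belong in the normal patch cycle rather than the expedited one.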
