A joint Cybersecurity Advisory from the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the FBI warns about threat actors exploiting known vulnerabilities to target public and private sector organizations worldwide, including in the United States. The report builds on previous NSA, CISA and FBI reporting about notable cybersecurity trends and persistent tactics, techniques and procedures.
Exploitation of common vulnerabilities
Since 2020, Chinese state-sponsored threat actors have run large attack campaigns exploiting publicly known security vulnerabilities. In these campaigns, the attackers obtain valid account access by exploiting Virtual Private Network vulnerabilities or other Internet-facing services, without using their own distinctive or identifying malware, which makes it harder for threat intelligence analysts to evaluate the threat. These kinds of devices are often overlooked by security staff.
Unpatched network devices such as small office/home office routers and network attached storage devices are being used by these attackers to conduct intrusions on other entities. Compromised routers and devices of this kind add a layer of anonymity to the attackers' activities: they act as proxies, routing traffic between the attackers' command-and-control (C2) servers and the victims' networks as intermediate hops.
The agencies have released a table containing the top network devices CVEs most frequently exploited by Chinese state-sponsored threat actors since 2020 (Figure A).
Figure A
One of the most exploited vulnerabilities dates back to 2017, while most of the others date from 2018 and 2019. These exploits show once again that routers and NAS devices are not the most up-to-date devices on company networks, and some of them may not be patched at all.
Attackers constantly adapting and monitoring defense
As highlighted by the U.S. agencies, these cyber threat actors consistently evolve and adapt their tactics to bypass the defenses deployed against them. State-sponsored attackers have been observed monitoring defenders' accounts and actions, then modifying their ongoing campaigns as needed to remain undetected.
Following the public release of information about their campaigns, these attackers have immediately modified their infrastructure and toolsets: registering new domains, using new servers and changing their malware are typical measures they take to keep their campaigns running and successful.
Finally, these actors also mix their custom tool sets with publicly available ones. Leveraging native tools already present in the network environment is a technique they often use to obscure their activity and blend into the noise of a network.
Telecommunications and network services providers targeted
The threat actors primarily use open-source tools to conduct their reconnaissance and vulnerability scanning. Open-source, router-specific software frameworks such as RouterSploit and RouterScan have been used to identify routers and their associated vulnerabilities more precisely before attacking them. Public tools such as PuTTY are also used to establish SSH connections.
Once the attackers gain an initial foothold in a telecommunications organization or network service provider, they identify critical systems and users. After identifying a critical RADIUS server, the threat actors obtain credentials to access the underlying SQL database and dump cleartext credentials and hashed passwords for user and administrative accounts.
Additional scripting using the RADIUS credentials was then deployed to authenticate to routers over SSH, execute router commands and save the output. The configuration of each targeted Cisco and Juniper router was collected in this way.
A massive number of router configurations belonging to medium-to-large companies were collected this way and could then be modified to route all the traffic leaving those networks through the threat actors' infrastructure.
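The scripted, per-router configuration harvesting described above leaves a recognizable trace in AAA command accounting: one account, from one source, pulling the full configuration from many routers in a short time. The following detection logic is an added example written for this article, not code from the advisory; it runs over constructed accounting records in a simplified, hypothetical format rather than real Cisco or Juniper log syntax.

```python
import re
from collections import defaultdict

# Constructed sample AAA command-accounting records (hypothetical format,
# not from the advisory). The first five show one account exporting the
# configuration of several Cisco- and Junos-style devices in a row.
SAMPLE_RECORDS = """\
2022-06-07T10:01:02Z rtr-edge-01 user=netops src=10.10.5.20 cmd="show running-config"
2022-06-07T10:01:09Z rtr-edge-02 user=netops src=10.10.5.20 cmd="show running-config"
2022-06-07T10:01:15Z rtr-core-01 user=netops src=10.10.5.20 cmd="show running-config"
2022-06-07T10:01:21Z mx-pe-01 user=netops src=10.10.5.20 cmd="show configuration"
2022-06-07T10:01:27Z mx-pe-02 user=netops src=10.10.5.20 cmd="show configuration | display set"
2022-06-07T11:30:00Z rtr-core-02 user=admin src=10.0.100.7 cmd="show interfaces"
2022-06-07T11:31:00Z rtr-core-02 user=admin src=10.0.100.7 cmd="show running-config"
"""

RECORD_RE = re.compile(
    r'^(?P<ts>\S+) (?P<device>\S+) user=(?P<user>\S+) src=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"$'
)
# Commands that export a full device configuration (IOS and Junos forms).
CONFIG_DUMP_RE = re.compile(r"^show (running-config|startup-config|configuration)\b")

def parse_records(text):
    """Parse accounting lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(RECORD_RE.match, text.splitlines()) if m]

def find_bulk_config_collection(records, min_devices=3, approved_sources=()):
    """Alert on (user, src) pairs that exported configs from at least
    `min_devices` distinct devices, or from any device when `src` is not an
    approved management host (an empty tuple disables the source check)."""
    dumps = defaultdict(set)  # (user, src) -> devices whose config was exported
    for r in records:
        if CONFIG_DUMP_RE.match(r["cmd"]):
            dumps[(r["user"], r["src"])].add(r["device"])
    alerts = []
    for (user, src), devices in sorted(dumps.items()):
        unapproved = bool(approved_sources) and src not in approved_sources
        if unapproved or len(devices) >= min_devices:
            alerts.append({"user": user, "src": src, "devices": sorted(devices),
                           "reason": "unapproved source" if unapproved else "bulk export"})
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_config_collection(parse_records(SAMPLE_RECORDS)):
        print(alert)
```

Tuning `min_devices` to the size of a normal change window, and `approved_sources` to the real management hosts, keeps routine backup jobs from triggering while still catching a single credential walking the whole router estate.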
How to protect yourself from this threat
All operating systems and software should always be updated and patched as soon as possible after patches are released. Centralized patch management systems can help to automate and deploy those patches.
Network segmentation should be used in order to block possible lateral movement by attackers. Unused or unnecessary network devices, services, ports and protocols should be disabled completely.
Multi-factor authentication should be required for VPN access, and password complexity should be raised.
Incident response capabilities should be detailed in incident response and recovery procedure documents, and incident response teams should be trained regularly to respond to such threats.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.