Attackers affiliated with the Chinese Ministry of State Security have been exploiting recently disclosed vulnerabilities in popular networking and VPN appliances during recent intrusion attempts against federal government agencies and enterprises, U.S. cybersecurity officials said.
The attacks are part of a long-running campaign by groups in China that U.S. officials say have been working directly for or at the direction of the MSS for more than 10 years. In an alert published Monday, the Cybersecurity and Infrastructure Security Agency (CISA) said that MSS-affiliated teams have been targeting the recent critical flaw in the F5 BIG-IP networking appliances, as well as publicly disclosed vulnerabilities in Citrix and Pulse Secure VPNs. Details of those vulnerabilities have been public for some time, and patches are available for all three, but attackers are targeting organizations that have not yet upgraded. Attacks against the F5 flaw (CVE-2020-5902) began almost immediately after the company disclosed it on June 30 and CISA said it has responded to several incidents in government agencies and enterprises involving successful exploits against the bug.
“CISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them,” the CISA alert says.
The MSS-affiliated attackers have also been targeting serious flaws in VPN products from Pulse Secure and Citrix. VPNs have always been attractive targets for attackers, but the large-scale shift to remote work this year has led to a huge increase in VPN usage, which leads to an increase in attention from attackers as VPN appliances can be ideal entry points into corporate networks for adversaries.
“CISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances—to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Microsoft Entra ID credentials were used months after the victim organization patched their VPN appliance,” the CISA advisory says.
State-sponsored attack groups are often associated with the use of advanced tools and techniques and exploits for zero days. While many groups do employ those tactics when necessary, attackers typically will take the path of least resistance, and CISA said that much of the activity it has seen from the Chinese state-sponsored groups in recent months has included the use of publicly available information, exploits, tools, and techniques. It’s not unusual for attackers to copy off others’ papers, and CISA said in its advisory that the MSS-affiliated groups have been making extensive use of tools such as Cobalt Strike and Mimikatz, and also utilize public vulnerability databases and other information sources commonly used by defenders. Databases of vulnerabilities maintained by MITRE and the National Institute of Standards and Technology are key sources of information for defenders but attackers rely on them to help creat attack plans, too.
“While using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations,” the CISA advisory says.
“Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.”
The activity that CISA describes in the new advisory is tied to groups that the U.S. government and law enforcement agencies have been tracking for some time. In July the Department of Justice disclosed that two Chinese citizens working with the MSS had been indicted by a federal grand jury for attacks against government and private organizations in the U.S.