The United States National Security Agency identified 25 vulnerabilities in software that are most commonly targeted by state-sponsored attackers from China. Setting aside the question of whether or not the enterprise is more likely to be targeted by nation-state attackers or cyber-criminals, the list provides enterprise IT staff with a good starting place on which vulnerabilities to prioritize.
The vulnerabilities on NSA’s list can be used to gain initial access to enterprise networks by targeting systems directly accessible from the Internet. Seven of the flaws are in remote access gateways, three are found in networking equipment, and three impact public-facing servers. Once in the network, the attacker can use other vulnerabilities to find other systems to compromise and carry out their activities. Seven flaws on the list involve internal servers, two affect Microsoft Entra ID, and one exists in mobile device management.
“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” NSA Cybersecurity Director Anne Neuberger said in a statement. “We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems."
The NSA list doesn't show that the nation-state adversaries are relying on exotic or complex attacks. In fact, many of the vulnerabilities have already been incorporated into exploit toolkits and ransomware attacks. For example, Rapid7 identified exploitation activity targeting the issue in Citrix Application Delivery Controller and Gateway (CVE-2019-19781) in Project Heisenberg back in January. There are reports that the remote code execution flaw in the configuration utility of F5's BIG-IP 8 proxy/load balancer devices has been used by cryptocurrency miners and botnets (a Mirai variant called DvrHelper).
The interesting thing to note about these flaws is that they affect applications widely used in enterprise networks, including EXIM, Adobe ColdFusion, and networking equipment from major vendors such as Citrix, Cisco, F5, and Pulse Secure. Several components in Microsoft Windows, including Remote Desktop Services (CVE-2019-0708) and Netlogon Remote Protocol (CVE-2020-1472), were also on the list. The vulnerabilities range in severity on the Common Vulnerability Scoring Scale from 4.8 to 10, but many of them have been flagged as low attack complexity, meaning they can be exploited with little effort or special setup.
The list includes the flaw in Pulse Secure VPNs (CVE-2019-11510) which the Cybersecurity and Infrastructure Security Agency has warned about in the past. Rapid7’s AttackerKB database describes this vulnerability as one that is commonly found in enterprises.
“Causes massive damage” the AttackerKB entry said. “If not patched, likely wrecked.”
Attackers frequently stick with older vulnerabilities since many of them can go years without being fixed. The list included a remote code execution flaw in Symantec Messaging Gateway (CVE-2017-6327, CVSS 8.8) from 2017 and a vulnerability affecting the WLS Security components in some versions of Oracle WebLogic Server (CVE-2015-4852) from 2015. At the time the flaw was fixed, Oracle said the attack complexity was low and that the flaw could be used to partially compromise the database and the data stored inside. ExploitDB has two entries for exploiting the flaw, which is rated 7.5 on CVSS 2.0.
Remote code execution flaws tend to be the most worrying because attackers can exploit them from outside the network. There were 11 remote code execution flaws on the list, but that doesn't mean the other flaws aren't damaging. The Citrix ADC flaw allows directory traversal, which can lead to remote code execution without credentials. Privilege escalation flaws (there were two) can be used once the attackers are in the network to gain access to systems and data they shouldn't be allowed to reach.
Attackers—even well-funded state-sponsored ones with a lot of time and money at their disposal—don’t pay for expensive zero-day vulnerabilities or complicated exploits when there are plenty of systems with known vulnerabilities that have not yet been patched. Enterprises should patch or mitigate the publicly known vulnerabilities before they worry about zero-day defenses.