CISA Breaks Down Recent Chinese Nation State Cyber Activity
A new advisory from CISA outlines recent tactics, techniques, and procedures (TTPs) used by Chinese nation state hackers to target US agencies; it also includes ATT&CK Framework TTPs.
The U.S. government continues to beat the drum about well-known vulnerabilities in products from F5, Citrix, and Pulse Secure, among others.
Today, CISA, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, warned that Chinese state-sponsored hackers are using open source information and publicly available exploits for well-known vulnerabilities, including the ones above, to target U.S. government agencies, with some success.
CISA stressed that actors affiliated with China's Ministry of State Security (MSS) have been observed targeting the F5 BIG-IP vulnerability (CVE-2020-5902), the Citrix VPN appliance (ADC and Gateway) vulnerability (CVE-2019-19781), the Pulse Secure VPN vulnerability (CVE-2019-11510), and a Microsoft Exchange Server vulnerability (CVE-2020-0688) disclosed earlier this year.
The agency says it has seen MSS-affiliated actors send spearphishing emails with embedded links that point either to attacker-owned infrastructure or to compromised or poisoned websites. The attackers also use brute-force credential stuffing, network service scanning, and email collection to further their efforts.
One part of the advisory that threat hunters may find especially useful is a list of the Tactics, Techniques, and Procedures (TTPs) observed, each mapped to a MITRE ATT&CK identifier.
In CISA's guidance, authored with help from the FBI, the agencies stress that these hackers will continue to exploit these vulnerabilities until they are patched, which could affect networks across the federal government and result in "loss of critical data or personally identifiable information."
While the techniques the MSS-affiliated hackers use may not surprise anyone, the details could help federal entities ferret out future attacks. According to CISA's analysts, the attackers focus on recently disclosed vulnerabilities for which open source exploits are available, and they route their activity through network proxy service IP addresses and VPNs.
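Because the actors lean on public exploits for the named CVEs, three of the four leave distinctive request paths in web-server logs on the affected appliances. The following is an added example, not code from the advisory or from CISA: it scans constructed Apache-style access-log lines for the well-known public request patterns associated with exploitation attempts for CVE-2019-19781 (Citrix), CVE-2019-11510 (Pulse Secure) and CVE-2020-5902 (F5 BIG-IP). The log lines and IP addresses are constructed for illustration; the path patterns come from public reporting, not from this page. CVE-2020-0688 (Exchange) is a ViewState deserialization bug and is not reliably identifiable from a URL alone, so it is deliberately left out.

```python
import re
from urllib.parse import unquote

# Request-path patterns publicly associated with exploitation attempts for
# three of the four CVEs named in the advisory. These are well-known public
# signatures (an assumption of this example, not taken from the page).
SIGNATURES = {
    # Citrix ADC/Gateway directory traversal out of the /vpn/ handler
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/", re.IGNORECASE),
    # Pulse Secure arbitrary file read via the HTML5 access (guacamole) path
    "CVE-2019-11510": re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/", re.IGNORECASE),
    # F5 BIG-IP TMUI traversal using the "/..;/" Tomcat path-normalisation trick
    "CVE-2020-5902": re.compile(r"/tmui/login\.jsp/\.\.;/", re.IGNORECASE),
}

# Minimal parser for the NCSA combined log format: client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). Lines 1-5 are exploitation
# attempts, including a URL-encoded variant; lines 6-7 are benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2020:10:01:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512 "-" "python-requests/2.22"',
    '203.0.113.7 - - [14/Sep/2020:10:01:05 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "python-requests/2.22"',
    '198.51.100.23 - - [14/Sep/2020:10:04:11 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1034 "-" "curl/7.68.0"',
    '198.51.100.23 - - [14/Sep/2020:10:05:30 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1398 "-" "curl/7.68.0"',
    '192.0.2.9 - - [14/Sep/2020:10:06:00 +0000] "GET /tmui/login.jsp/%2e%2e;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [14/Sep/2020:10:07:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [14/Sep/2020:10:08:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 7720 "-" "Mozilla/5.0"',
]


def scan_access_log(lines):
    """Return one hit dict per (log line, CVE) match, in log order.

    The path is URL-decoded twice before matching because scanners routinely
    encode or double-encode "../" to slip past naive string filters.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        path = unquote(unquote(match.group("path")))
        for cve, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append({
                    "line": number,
                    "ip": match.group("ip"),
                    "cve": cve,
                    # A 200 on a traversal/file-read path is far more alarming
                    # than a 404: it suggests the request actually succeeded.
                    "status": int(match.group("status")),
                })
    return hits


def attacker_summary(hits):
    """Group hits by source IP: {ip: sorted list of CVEs it probed}."""
    summary = {}
    for hit in hits:
        summary.setdefault(hit["ip"], set()).add(hit["cve"])
    return {ip: sorted(cves) for ip, cves in summary.items()}


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} -> {hit['cve']} (HTTP {hit['status']})")
    print(attacker_summary(scan_access_log(SAMPLE_LOG)))
```

A hit with a 200 status on the Citrix `smb.conf` read or the BIG-IP `fileRead.jsp` path should be treated as a probable compromise of that appliance, not just a scan, and is the cue to pull the device's full logs and check for follow-on activity rather than simply patching and moving on.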
“Cyber threat actors can continue to successfully launch these types of low-complexity attacks—as long as misconfigurations in operational environments and immature patch management programs remain in place—by taking advantage of common vulnerabilities and using readily available exploits and information,” the agency added.
This is not the first time CISA, or any government entity for that matter, has urged organizations to patch these bugs.
The FBI warned last month that hackers affiliated with the Iranian government were also targeting F5 BIG-IP application delivery controller devices, in addition to the same Pulse Secure and Citrix VPN devices and appliances.
Although the first warning came in 2019, CISA doubled down on the Pulse Secure VPN vulnerability in January, encouraging organizations that had not yet patched their servers to do so. CISA and the FBI reiterated those dangers in April and again in May, stressing that it and the Citrix VPN vulnerability were shaping up to be among the year's most exploited.
The advisory also follows the indictment earlier this summer of two Chinese hackers who broke into hundreds of systems over the last several years. Working with the Ministry of State Security's (MSS) Guangdong State Security Department (GSSD), the pair notably probed the networks of several companies developing COVID-19 vaccines this spring. When the DOJ announced the indictment in July, it did not say the two had successfully stolen any research or technology, only that they had tested the companies' networks for vulnerabilities.
Organizations that have not already done so need to make patching these vulnerabilities a priority. Once patched, they should audit their configuration and patch management programs to make sure they can keep pace with emerging threats in the future.