Threat actors affiliated with the Chinese Ministry of State Security (MSS) continue to target U.S. government agencies, the Cybersecurity and Infrastructure Security Agency (CISA) says in a new alert.
Published with contribution from the FBI, the alert presents some of the tactics, techniques, and procedures (TTPs) that the Chinese state-sponsored hackers are employing in attacks on the U.S., such as the heavy use of publicly available tools to hinder attribution.
CISA’s alert arrives a couple of months after the U.S. indicted two Chinese hackers for the targeting of organizations in the defense, high-tech manufacturing, engineering, software (business, educational, and gaming), solar energy, and pharmaceuticals sectors for more than ten years.
According to CISA, threat actors affiliated with the Chinese MSS use open-source information in the planning stage of their operations, and engage target networks leveraging readily available exploits and toolkits.
Over the past 12 months, CISA says, the hackers were observed leveraging the Common Vulnerabilities and Exposures (CVE) database, the National Vulnerability Database (NVD), Shodan, and other information sources to identify vulnerable targets, understand specific security issues, and discover exploitable systems.
“While using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations,” CISA reveals.
The adversaries are continuously targeting, scanning, and probing for significant vulnerabilities and they often use the same security flaws to compromise multiple organizations in different industries, mainly due to the lack of quick mitigation of known issues.
Some of the most recent security bugs targeted by Chinese hackers are CVE-2020-5902 (vulnerability in F5 Big-IP), CVE-2019-19781 (bug in Citrix VPN appliances), CVE-2019-11510 (arbitrary file read issue in Pulse Secure VPN servers), and CVE-2020-0688 (remote code execution on Microsoft Exchange Server).
The threat actors, CISA also says, have the ability to “build and maintain relatively low-complexity capabilities” in support of attacks on federal government networks. They also employ commercial and open-source tools for these operations, including the Cobalt Strike implant, the China Chopper web shell, and the open-source credential harvesting tool Mimikatz.
CISA also notes that the adversaries continue to use low-complexity attack vectors, such as spear-phishing emails, misconfigurations, and the lack of a patch management program, to abuse common vulnerabilities.
The agency also reveals that it has observed beaconing activity on government networks compromised by Chinese actors, brute-force attacks leveraging credentials available on the Internet, suspicious network scanning activity for ports on target networks, and the targeting of CVE-2020-0688 “to collect emails from the exchange servers found in Federal Government environments.”
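The beaconing and brute-force activity CISA describes observing on compromised networks can be surfaced with straightforward detections over network and authentication logs. The following Python example is added here and is not part of the CISA alert or of this article; the log format, the hosts, the timestamps and the thresholds are all constructed assumptions, chosen to illustrate the two detections rather than to reflect any real environment.

```python
"""Two simple detections for behaviours CISA reports seeing on compromised
government networks: periodic beaconing to an external host, and password
brute-forcing from a single source. Runs over constructed sample logs."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log: "timestamp src dst action".
# 10.1.1.5 connects to 203.0.113.7 almost exactly once a minute (beacon-like);
# 10.1.1.9 connects to 198.51.100.20 at irregular, human-looking intervals.
CONN_LOG = """\
2020-09-14T10:00:00 10.1.1.5 203.0.113.7 ALLOW
2020-09-14T10:01:00 10.1.1.5 203.0.113.7 ALLOW
2020-09-14T10:02:01 10.1.1.5 203.0.113.7 ALLOW
2020-09-14T10:03:00 10.1.1.5 203.0.113.7 ALLOW
2020-09-14T10:04:00 10.1.1.5 203.0.113.7 ALLOW
2020-09-14T10:05:00 10.1.1.5 203.0.113.7 ALLOW
2020-09-14T10:00:13 10.1.1.9 198.51.100.20 ALLOW
2020-09-14T10:07:42 10.1.1.9 198.51.100.20 ALLOW
2020-09-14T10:08:05 10.1.1.9 198.51.100.20 ALLOW
2020-09-14T10:31:10 10.1.1.9 198.51.100.20 ALLOW
2020-09-14T10:45:00 10.1.1.9 198.51.100.20 ALLOW
2020-09-14T11:02:30 10.1.1.9 198.51.100.20 ALLOW
"""

# Constructed authentication log: "timestamp user src result".
# 192.0.2.10 fails against six different accounts within 14 seconds;
# 10.1.1.7 is a user mistyping a password once and then logging in.
AUTH_LOG = """\
2020-09-14T10:00:00 alice 192.0.2.10 FAIL
2020-09-14T10:00:03 bob 192.0.2.10 FAIL
2020-09-14T10:00:05 carol 192.0.2.10 FAIL
2020-09-14T10:00:08 dave 192.0.2.10 FAIL
2020-09-14T10:00:11 erin 192.0.2.10 FAIL
2020-09-14T10:00:14 frank 192.0.2.10 FAIL
2020-09-14T10:00:20 alice 10.1.1.5 OK
2020-09-14T10:30:00 bob 10.1.1.7 FAIL
2020-09-14T10:30:09 bob 10.1.1.7 OK
"""


def _ts(text):
    """Parse the ISO-8601 timestamp used in the constructed logs."""
    return datetime.fromisoformat(text)


def find_beacons(log, min_events=5, max_cv=0.1):
    """Group connections by (src, dst) and flag pairs whose gaps between
    connections are nearly constant: a coefficient of variation (standard
    deviation / mean) below max_cv. Returns [(src, dst, mean_gap_s, cv)]."""
    stamps = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _action = line.split()
        stamps[(src, dst)].append(_ts(ts))
    hits = []
    for (src, dst), times in stamps.items():
        times.sort()
        if len(times) < min_events:
            continue  # too few observations to judge regularity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv < max_cv:
            hits.append((src, dst, round(mean), round(cv, 3)))
    return hits


def find_bruteforce(log, threshold=5, window_s=60):
    """Flag sources with at least `threshold` failed logins inside any
    sliding window of `window_s` seconds. Returns {src: (max_failures_in_window,
    distinct_users_in_that_window)}; many distinct users from one source
    points at password spraying rather than a single forgetful user."""
    fails = defaultdict(list)
    for line in log.splitlines():
        ts, user, src, result = line.split()
        if result == "FAIL":
            fails[src].append((_ts(ts), user))
    hits = {}
    for src, events in fails.items():
        events.sort()
        best, start = (0, 0), 0
        for end in range(len(events)):
            # advance the window start until the window fits in window_s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and count > best[0]:
                users = {u for _, u in events[start:end + 1]}
                best = (count, len(users))
        if best[0]:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(CONN_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s (cv={cv})")
    for src, (count, users) in find_bruteforce(AUTH_LOG).items():
        print(f"possible brute force: {src} {count} failures, {users} accounts")
```

The beacon check deliberately keys on regularity rather than volume, since a once-a-minute check-in is low-volume but conspicuously machine-like; the thresholds (`min_events`, `max_cv`, `threshold`, `window_s`) are starting points to tune against an environment's own baseline, and the same grouping logic extends naturally to a connection log carrying destination ports for the port-scanning activity the alert also mentions.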
The Chinese hackers also employ external proxy tools or hop points, including commercial infrastructure as a service (IaaS) or software as a service (SaaS) products and the Tor browser. In one instance, CISA observed a network proxy tool targeting 221 unique government agency IP addresses.
“CISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information,” CISA notes.
Thus, entities at risk are advised to apply patches for known vulnerabilities as soon as possible, as well as to routinely conduct security audits of their configurations and patch management process, to make sure they are not exposed and that threats can be easily mitigated.