The U.S. National Security Agency this week released an advisory containing information on 25 vulnerabilities that are being actively exploited or targeted by Chinese state-sponsored threat actors.
Most of these security bugs, the NSA says, can be exploited in Internet-facing assets to gain initial access to a network. Post-compromise, the adversaries can target additional vulnerabilities for exploitation.
The list shared by the NSA this week contains a total of 25 vulnerabilities, including CVE-2019-11510 (Pulse Secure VPN), CVE-2020-5902 (F5 BIG-IP), CVE-2019-0708 (BlueKeep), CVE-2020-1350 (SIGRed), CVE-2020-1472 (Zerologon), CVE-2020-0601 (CurveBall), CVE-2018-6789 (Exim mail server), CVE-2015-4852 (Oracle WebLogic), and CVE-2019-19781, CVE-2020-8193, CVE-2020-8195, and CVE-2020-8196 (Citrix ADC and Gateway).
The list also mentions CVE-2020-15505 (MobileIron MDM), CVE-2019-1040 (Windows), CVE-2020-0688 (Microsoft Exchange), CVE-2018-4939 (Adobe ColdFusion), CVE-2020-2555 (Oracle Coherence), CVE-2019-3396 (Atlassian Confluence), CVE-2019-11580 (Atlassian Crowd), CVE-2020-10189 (Zoho ManageEngine Desktop Central), CVE-2019-18935 (Progress Telerik UI for ASP.NET AJAX), CVE-2019-0803 (Windows), CVE-2017-6327 (Symantec Messaging Gateway), CVE-2020-3118 (Cisco IOS XR Software), and CVE-2020-8515 (DrayTek Vigor devices).
The NSA notes that it has observed Chinese threat actors scanning for or attempting to exploit these vulnerabilities against multiple victims. However, the agency also points out that the same adversaries might be targeting other vulnerabilities as well.
While the vulnerabilities mentioned by the NSA have all been detailed publicly, not all of them were previously known to be targeted by attackers. This includes a Cisco Discovery Protocol flaw disclosed earlier this year.
For each of these bugs, the NSA also mentioned previously published guidance, some focused on different actors.
The agency notes that National Security Systems (NSS), U.S. Defense Industrial Base (DIB), and Department of Defense (DoD) systems are constantly being targeted by Chinese hackers, and encourages owners to ensure their systems are protected from exploitation.
The NSA underlines the threat that government-backed hackers from China pose to NSS, DIB, and DoD information networks in their attempts to compromise computer networks of interest in order to gather intellectual property and economic, military, and political information. Patching known vulnerabilities is therefore essential to keeping these systems protected.
“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts. We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cyber-security professionals will gain actionable information to prioritize efforts and secure their systems,” NSA Cybersecurity Director Anne Neuberger said.
Satnam Narang, staff research engineer at Tenable, said in an emailed comment, “If you’re experiencing déjà vu from the National Security Agency (NSA) advisory listing the top 25 vulnerabilities being leveraged by foreign threat actors, your feeling is warranted. Many of the vulnerabilities in the advisory align with similar alerts that have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. It’s unmistakably clear that unpatched vulnerabilities remain a valuable tool for cybercriminals and state-sponsored threat actors. With many of the vulnerabilities listed in the advisory residing in remote access tools or external web services, it is extremely critical for organizations to prioritize patching these vulnerabilities.”
“The breadth of products covered by this list of CVEs would indicate that the NSA has curated this list through the observation of many attacks undertaken by these actors,” Oliver Tavakoli, chief technology officer at Vectra, commented. “The exploits themselves also cover a broad range of steps in the cyberattack lifecycle indicating that many of the attacks in which these exploits were observed were already pretty deep into the attack progression – and many were likely found only after-the-fact through deep forensic efforts rather than having been identified while the attacks were active.”