Several US government agencies have issued a joint cybersecurity advisory detailing the tactics and techniques that China-linked threat actors have been using to compromise telecommunications companies and network service providers.
The Chinese nation-state adversaries continue to rely on publicly available tools and known vulnerabilities to compromise networks and establish infrastructure. They target entities around the world, in both the public and private sectors, the US agencies say.
Chinese APTs readily exploit publicly known vulnerabilities to compromise network devices such as SOHO routers and NAS devices, according to the joint advisory, which was authored by the NSA, CISA and the FBI.
Since 2020, threat actors sponsored by the People’s Republic of China (PRC) have been quick to exploit newly disclosed security issues in network devices. They have also been observed exploiting new flaws in VPN services and public-facing applications in order to gain access to victim accounts.
“PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs). The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers,” the joint advisory reads.
China-linked APTs use these servers to register new email accounts, host command and control (C&C) domains, and communicate with victim networks; the hop points serve as an obfuscation layer that hides the operators' real location.
The US agencies also note that these threat actors constantly adapt their tactics to bypass defenses, including by monitoring the actions of network defenders and adjusting ongoing operations to remain undetected. They have also been observed modifying their infrastructure and tooling after their campaigns were publicly detailed.
“PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network,” NSA, CISA, and the FBI say.
Since 2020, the three US agencies have observed the Chinese threat actors mainly abusing vulnerabilities in devices from Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652), Citrix (CVE-2019-19781), DrayTek (CVE-2020-8515), D-Link (CVE-2019-16920), Fortinet (CVE-2018-13382), MikroTik (CVE-2018-14847), Netgear (CVE-2017-6862), Pulse (CVE-2019-11510 and CVE-2021-22893), QNAP (CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, and CVE-2019-7195), and Zyxel (CVE-2020-29583).
The threat actors also use open-source tools to scan for vulnerabilities and perform reconnaissance, including RouterSploit (an exploitation framework for embedded devices) and RouterScan (a vulnerability scanning framework), which allow them to identify device makes, models, and known vulnerabilities that can be exploited.
“Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting,” the joint advisory reads.
The threat actors were observed obtaining the credentials needed to access the SQL database backing a critical RADIUS server, then dumping the credentials stored in it, including cleartext and hashed passwords. In other words, the database behind the AAA server is as sensitive as the AAA server itself, and a cleartext password stored there is a working password for every device that trusts that server.
Using these credentials, the attackers then connected to Cisco and Juniper routers via SSH, executed commands, and exfiltrated the routers' current configurations.
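The RADIUS step above is worth checking for in your own environment before an intruder does. The following is an added example, not code from the advisory or from any RADIUS project: it audits a FreeRADIUS-style `radcheck` table and reports which users are stored with a cleartext password versus a hashed one. The table contents are constructed for the example, and the column layout (`id, username, attribute, op, value`) is assumed to mirror FreeRADIUS's SQL schema; the attribute names are the ones its SQL module reads.

```python
import sqlite3
from typing import Dict, List

# radcheck attributes that let the SQL module authenticate a user. A row
# carrying Cleartext-Password (or the legacy User-Password) hands an intruder
# a working password; the hashed forms only give crackable material.
CLEARTEXT_ATTRS = {"Cleartext-Password", "User-Password"}
HASHED_ATTRS = {"Crypt-Password", "MD5-Password", "SHA1-Password",
                "SHA2-Password", "SSHA-Password", "NT-Password", "LM-Password"}


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a radcheck table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT NOT NULL, "
        "attribute TEXT NOT NULL, op CHAR(2) NOT NULL, value TEXT NOT NULL)"
    )
    # Sample rows (constructed): two accounts stored in the clear, two hashed,
    # one with no password attribute at all.
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [
            ("netops-ro",      "Cleartext-Password", ":=", "Summer2020!"),
            ("core-rtr-admin", "Cleartext-Password", ":=", "r0uter-Adm1n"),
            ("noc-oncall",     "NT-Password",        ":=", "8846f7eaee8fb117ad06bdd830b7586c"),
            ("svc-backup",     "SSHA-Password",      ":=", "1f3870be274f6c49b3e31a0c6728957f9c4a4d0a"),
            ("guest",          "Auth-Type",          ":=", "Reject"),
        ],
    )
    conn.commit()
    return conn


def audit_radcheck(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Classify every user in radcheck by how its password is stored.

    Returns {"cleartext": [...], "hashed": [...], "other": [...]}, each a
    sorted list of usernames. Only attribute names are inspected; the
    password values themselves are never read out of the database.
    """
    report: Dict[str, List[str]] = {"cleartext": [], "hashed": [], "other": []}
    rows = conn.execute(
        "SELECT DISTINCT username, attribute FROM radcheck ORDER BY username"
    )
    for username, attribute in rows:
        if attribute in CLEARTEXT_ATTRS:
            report["cleartext"].append(username)
        elif attribute in HASHED_ATTRS:
            report["hashed"].append(username)
        else:
            report["other"].append(username)
    return report


if __name__ == "__main__":
    result = audit_radcheck(build_sample_db())
    for category, users in result.items():
        print(f"{category:9s} {len(users):3d}  {', '.join(users)}")
```

Against a real deployment, replace `build_sample_db()` with a connection to the RADIUS database and run the audit from a read-only account. A hit is not automatically a misconfiguration: CHAP needs the cleartext password and MS-CHAPv2 needs the NT hash (which is password-equivalent), so the remedy is usually to move device administration onto an authentication path that does not require reversible storage, and in any case to treat the database host with the same access controls and logging as the RADIUS server itself.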
“The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network,” the US agencies say.
The threat actors then “returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure,” the agencies say.
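Both behaviours described above leave a footprint in AAA command accounting: one account pulling configurations from many routers in a short window, followed later by commands that mirror or tunnel traffic. The following is an added example, not part of the advisory or of any vendor tooling: it runs two detections over a constructed TACACS+ command-accounting log. The log line format, the device addresses, the account names and the thresholds (five devices within fifteen minutes) are all assumptions chosen for the example; the command patterns are Cisco IOS and Junos syntax and are meant to be tuned to the commands your operators actually use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed line format, loosely modelled on TACACS+ command accounting.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) tac_plus: accounting: user=(?P<user>\S+) device=(?P<device>\S+) '
    r'rem_addr=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Commands that dump a device's configuration (IOS and Junos spellings).
CONFIG_DUMP_CMDS = ("show running-config", "show startup-config", "show configuration")

# Commands that redirect or copy traffic off a device: SPAN/port mirroring and
# GRE tunnel endpoints. Illustrative; extend for your platforms.
REDIRECT_PATTERNS = [re.compile(p) for p in (
    r"^monitor session \d+ destination",
    r"^monitor capture \S+",
    r"^interface tunnel",
    r"^tunnel destination",
    r"^set forwarding-options port-mirroring",
)]

# Constructed sample: one account sweeps six routers for their configs in
# under four minutes from an external address, an operator pulls two configs
# hours apart from the NOC, and two days later the first account sets up a
# SPAN session and a tunnel endpoint on one of the routers.
SAMPLE_LOG = """\
2022-06-07T02:14:05 tac_plus: accounting: user=netops-ro device=10.1.1.10 rem_addr=203.0.113.45 cmd="show running-config"
2022-06-07T02:14:41 tac_plus: accounting: user=netops-ro device=10.1.1.11 rem_addr=203.0.113.45 cmd="show running-config"
2022-06-07T02:15:20 tac_plus: accounting: user=netops-ro device=10.1.1.12 rem_addr=203.0.113.45 cmd="show running-config"
2022-06-07T02:16:02 tac_plus: accounting: user=netops-ro device=10.1.2.10 rem_addr=203.0.113.45 cmd="show configuration"
2022-06-07T02:16:55 tac_plus: accounting: user=netops-ro device=10.1.2.11 rem_addr=203.0.113.45 cmd="show configuration"
2022-06-07T02:17:30 tac_plus: accounting: user=netops-ro device=10.1.2.12 rem_addr=203.0.113.45 cmd="show running-config"
2022-06-07T09:02:10 tac_plus: accounting: user=jsmith device=10.1.1.10 rem_addr=10.0.5.20 cmd="show interfaces"
2022-06-07T09:03:44 tac_plus: accounting: user=jsmith device=10.1.1.10 rem_addr=10.0.5.20 cmd="show running-config"
2022-06-07T14:20:00 tac_plus: accounting: user=jsmith device=10.1.1.11 rem_addr=10.0.5.20 cmd="show running-config"
2022-06-09T03:40:12 tac_plus: accounting: user=netops-ro device=10.1.1.12 rem_addr=203.0.113.45 cmd="monitor session 1 destination interface GigabitEthernet0/3"
2022-06-09T03:41:05 tac_plus: accounting: user=netops-ro device=10.1.1.12 rem_addr=203.0.113.45 cmd="tunnel destination 198.51.100.7"
"""


def parse(lines: List[str]) -> List[Dict]:
    """Parse accounting lines into records; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def detect(records: List[Dict], min_devices: int = 5,
           window: timedelta = timedelta(minutes=15)) -> List[Dict]:
    """Return alerts for config-collection fan-out and traffic-redirect commands."""
    alerts: List[Dict] = []

    # Rule 1: one (user, source address) dumping configs from >= min_devices
    # distinct devices inside any sliding window of length `window`.
    by_actor: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for r in records:
        if r["cmd"].startswith(CONFIG_DUMP_CMDS):
            by_actor[(r["user"], r["src"])].append(r)
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda r: r["ts"])
        peak = 0
        for i, start in enumerate(evs):
            devices = {e["device"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(devices))
        if peak >= min_devices:
            alerts.append({"type": "config_fanout", "user": user, "src": src,
                           "devices": peak, "first_seen": evs[0]["ts"]})

    # Rule 2: any command that mirrors or tunnels traffic, regardless of volume.
    for r in records:
        if any(p.search(r["cmd"]) for p in REDIRECT_PATTERNS):
            alerts.append({"type": "traffic_redirect", "user": r["user"], "src": r["src"],
                           "device": r["device"], "cmd": r["cmd"], "ts": r["ts"]})
    return alerts


def run_sample() -> List[Dict]:
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The fan-out rule is the cheaper signal to deploy because it needs only command accounting, which most sites already forward to the AAA server; the redirect rule needs a curated command list but catches the later, higher-impact step even when the collection phase happened before logging was turned on. Both should be joined with the source address: a legitimate operator pulling fifty configs from a jump host on the management network is a backup job, the same pattern from an address outside the management range is the advisory's scenario.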
NSA, CISA, and the FBI advise organizations and federal agencies to keep systems updated with the latest patches, implement network segmentation, disable unused ports and services, enforce strict password policies and multi-factor authentication, maintain backups, enable robust logging, isolate internet-facing systems from the internal network, and immediately disconnect compromised devices from the environment.