
US Details Chinese Attacks Against Telecoms Providers

Several US government agencies have issued a joint cybersecurity advisory to provide information on the techniques and tactics that China-linked threat actors have been using to compromise telecom companies and network services providers.

The Chinese nation-state adversaries continue to rely on publicly available tools and known vulnerabilities to compromise networks and establish infrastructure. They target entities around the world, in both the public and private sectors, the US agencies say.

Chinese APTs readily exploit publicly known vulnerabilities to compromise network devices such as SOHO routers and NAS devices, reads the joint advisory authored by the NSA, CISA and the FBI.

Since 2020, threat actors sponsored by the People’s Republic of China (PRC) have been quick to exploit newly discovered security issues in network devices. They were also observed exploiting new flaws to target VPN services and public-facing applications to access victim accounts.

“PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs). The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers,” the joint advisory reads.

China-linked APTs use these servers to register new email accounts, host command and control (C&C) domains, and communicate with victim networks, employing the hop points as an obfuscation technique to hide their real location.

The US agencies also note that these threat actors are constantly adapting their tactics to bypass defenses, including by monitoring the actions of network defenders and changing ongoing attacks to remain undetected. They were also observed modifying infrastructure and tools after their campaigns were publicly detailed.

“PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network,” NSA, CISA, and the FBI say.

Since 2020, the three US agencies have observed the Chinese threat actors mainly abusing vulnerabilities in devices from Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652), Citrix (CVE-2019-19781), DrayTek (CVE-2020-8515), D-Link (CVE-2019-16920), Fortinet (CVE-2018-13382), MikroTik (CVE-2018-14847), Netgear (CVE-2017-6862), Pulse (CVE-2019-11510 and CVE-2021-22893), QNAP (CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, and CVE-2019-7195), and Zyxel (CVE-2020-29583).

The threat actors also use open-source tools to scan for vulnerabilities and perform reconnaissance, including RouterSploit (an exploitation framework for embedded devices) and RouterScan (a vulnerability scanning framework), which allow them to identify makes, models, and known bugs that can be exploited.

“Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting,” the joint advisory reads.

The threat actors were observed obtaining the credentials necessary to access the underlying SQL database of a critical RADIUS server and then dumping the stored credentials, including cleartext and hashed passwords.

Using these credentials, the attackers then connected to Cisco and Juniper routers via SSH, executed commands, and then exfiltrated current router configuration.

“The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network,” the US agencies say.

The threat actors then “returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure,” the agencies say.
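The intrusion chain described above (credentials harvested from a RADIUS back end, then reused to SSH into many routers and pull their configurations) leaves a recognizable trace in device login logs. The following is an added detection example, not code from the advisory or the article: it parses constructed Cisco IOS-style login syslog lines and flags two things, successful router logins from outside an assumed management subnet, and a single source reaching an unusual number of devices in a short window, which is the automation at scale the advisory describes. The log format, subnet, sample lines and thresholds are all assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed Cisco IOS-style syslog lines (not from the advisory): an account
# "netops" logs into four routers over SSH within 30 seconds from a host that is
# not in the management subnet, while "alice" logs in from a management host.
SAMPLE_LOGS = """\
2022-06-07T10:00:01 rtr-edge-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22]
2022-06-07T10:00:12 rtr-edge-02 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22]
2022-06-07T10:00:20 rtr-core-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22]
2022-06-07T10:00:31 rtr-core-02 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22]
2022-06-07T10:01:05 rtr-edge-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 192.168.100.7] [localport: 22]
"""

# Assumed management subnet: router logins should only originate from here.
MGMT_NETS = [ipaddress.ip_network("192.168.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) %SEC_LOGIN-5-LOGIN_SUCCESS: .*"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse_logins(text):
    """Return (timestamp, device, user, source_ip) for each successful login."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["device"], m["user"], m["src"]))
    return events

def detect(text, max_devices=3, window_s=300):
    """Flag logins from outside MGMT_NETS, and any source that reaches
    max_devices or more distinct devices within window_s seconds."""
    alerts = []
    by_src = defaultdict(list)
    for ts, device, user, src in parse_logins(text):
        if not any(ipaddress.ip_address(src) in net for net in MGMT_NETS):
            alerts.append(f"non-management source {src} -> {device} as {user}")
        by_src[src].append((ts, device))
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            devs = {d for t, d in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(devs) >= max_devices:
                alerts.append(f"{src} reached {len(devs)} devices within {window_s}s")
                break
    return alerts
```

On the sample data this yields four out-of-subnet alerts plus one burst alert for 10.10.0.5; in production the same two rules would run over TACACS+/AAA or syslog exports from every router and switch.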

NSA, CISA, and the FBI advise organizations and federal agencies to keep their systems updated with the latest patches, implement network segmentation, disable unused ports and services, implement strict password policies and enforce multi-factor authentication, keep data backed up, enable robust logging, isolate internet-facing systems from the internal network, and immediately disconnect compromised devices from the environment.

Related: Chinese Hackers Using Publicly Available Resources in Attacks on U.S. Government

Related: US Warns Organizations of ‘Karakurt’ Cyber Extortion Group

Related: US: Hackers Continue Aiding North Korea Generate Funds via Cryptocurrency Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
