CISA Gives Alert of Continuing Attacks by Chinese Hacking Groups Aimed Towards F5, Pulse Secure, Citrix, and MS Exchange Vulnerabilities

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has released a security warning that hackers associated with China’s Ministry of State Security (MSS) are performing cyberattacks on U.S. government institutions and private sector organizations.

The attacks are happening for over a year and usually target vulnerabilities in well-known networking systems like F5 Big-IP load balancers, Microsoft Exchange email servers, Citrix and Pulse Secure VPN appliances. The hacking groups utilize publicly accessible data and open-source exploit resources in the attacks for example Mimikatz, China Chopper, and Cobalt Strike. The hacking groups that have different levels of expertise, try to obtain access to government computer systems and sensitive company information and a number of attacks were successful.

The hackers took advantage of software vulnerabilities that are popular and patches were available to fix the vulnerabilities, however, there are a lot of possible targets that haven’t used the patches and are susceptible to attack.

A few of the commonly exploited vulnerabilities are:

Vulnerability CVE-2020-5902 in the F5 Big-IP Traffic Management Interface that attackers can exploit allowing them to implement arbitrary system commands, implement java code, disable services, and create/delete files.

Vulnerability CVE-2019-19781 in Citrix VPN appliances may be exploited by threat actors to accomplish directory traversal.

Vulnerability CVE-2019-11510 in Pulse Secure VPN appliances could be exploited to get access to internal systems.

Vulnerability CVE-2020-0688 in MS Exchange may be exploited to acquire access to Exchange servers and perform arbitrary code execution.

There is not one action that could be undertaken to prohibit these threats, nevertheless, a lot of the successful attacks had exploited identified vulnerabilities. Scans are frequently carried out after hours or days of publicizing a vulnerability. Given that numerous public and private sector companies never use patches immediately, it provides hackers the chance to get access to networks. Using patches quickly is consequently one of the most effective methods of defense.

When critical vulnerabilities stay unpatched, cyber threat actors could execute attacks with no the need to create custom made malware and exploits or utilize earlier unidentified vulnerabilities to hit a network.

Scans are being performed utilizing tools for example the Shodan search engine to determine prospective targets that are prone to attacks. The attackers additionally take advantage of the Common Vulnerabilities and Exposure (CVE) and the National Vulnerabilities (NVD) databases to get precise data regarding vulnerabilities that may be exploited.

CISA mentioned that all of these data sources give users information about a particular vulnerability and a listing of systems that might be vulnerable to attempted attacks. These data sources as a result consist of priceless info that could permit cyber threat actors to carry out highly successful attacks.

These attackers often use other tactics such as spear phishing and brute force attempts to figure out weak passwords. It is consequently important to impose the usage of strong passwords, give phishing awareness instruction to the employees, and use software programs that could detect/block phishing attacks.