Chinese Ministry of State Security (MSS)-affiliated cyber threat actors have been targeting U.S. government agencies and exploiting four widely known vulnerabilities over the past 12 months.
According to a report issued by Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), the actors operate from the People’s Republic of China.
Furthermore, CISA said the “actors are routinely using open-source information to plan and execute cyber operations,” along with commercially available information sources.
“According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years. These hackers acted for both their own personal gain and the benefit of the Chinese MSS,” CISA explained in the advisory.
In addition, CISA said the following Critical CVEs are the ones most targeted by Chinese MSS-affiliated actors in the last 12 months:
- CVE-2020-5902: F5 Big-IP Vulnerability
- CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances
- CVE-2019-11510: Pulse Secure VPN Servers
- CVE-2020-0688: Microsoft Exchange Server.
Each of the CVEs is briefly explained below, along with links to recent articles with more details.
In June of this year, F5 patched a Critical remote code execution (RCE) vulnerability, CVE-2020-5902, in the BIG-IP Configuration utility. Researchers further discovered 8,000 internet-exposed devices were vulnerable, and successful exploitation could result in full system compromise.
Earlier this year, in January, Citrix published a permanent fix for the critical vulnerability CVE-2019-19781 in affected versions of Citrix SD-WAN WANOP.
The update came nearly five days after Citrix provided firmware updates for the same vulnerability in its Application Delivery Controller (ADC) and Citrix Gateway products. An unauthenticated attacker could exploit the vulnerability to execute arbitrary code.
According to a Department of Homeland Security (DHS) advisory released this past April, organizations running Pulse Secure VPN devices may still be at risk of exploitation, even if they previously patched.
The risk is elevated if an actor previously exploited CVE-2019-11510 and stole Active Directory (AD) credentials from the victim organization.
Although the VPN patch was released in April of 2019, threat actors continued to exploit CVE-2019-11510 throughout 2019 and into this year.
According to a Microsoft security advisory, the remote code execution vulnerability CVE-2020-0688 exists in Microsoft Exchange Server because the server fails to properly create unique keys at install time.
The vulnerability was fixed as part of the February 2020 Security Updates.
- F5 patches Critical RCE vulnerability (CVE-2020-5902) in BIG-IP configuration utility
- Citrix patches Critical vulnerability exploited in the wild (updated)
- APT41 launches broad cyber campaign with multiple exploits
- Alert: Threat actors continue to exploit patched Pulse Secure VPN devices
- Attackers continue to target unpatched Pulse Secure VPN systems
- Patch these 10 most commonly exploited vulnerabilities
- Microsoft February 2020 Security Updates (includes IE zero-day fix)