Chinese threat actors targeting U.S. government agencies and these 4 CVEs

Chinese threat actors targeting U.S. government agencies and these 4 CVEs

Chinese Ministry of State Security (MSS)-affiliated cyber threat actors are targeting U.S. government agencies, as well as exploiting four popular vulnerabilities over the past 12 months.

According to a report issued by Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), the actors operate from the People’s Republic of China.

Furthermore, CISA said the “actors are routinely using open-source information to plan and execute cyber operations” and commercially available information sources.

“According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years. These hackers acted for both their own personal gain and the benefit of the Chinese MSS,” CISA explained in the advisory.

In addition, CISA said these common Critical CVEs are the most targeted by Chinese MSS-affiliated actors in the last 12 months:

  • CVE-2020-5902: F5 Big-IP Vulnerability
  • CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances
  • CVE-2019-11510: Pulse Secure VPN Servers
  • CVE-2020-0688: Microsoft Exchange Server.

Each of the CVEs are briefly explained below along with a link to recent articles with more details.

1) CVE-2020-5902

In June of this year, F5 patched a Critical remote code execution (RCE) vulnerability CVE-2020-5902 in the Configuration utility of BIG-IP. Researchers further discovered 8,000 devices were vulnerable on the internet and could result in full system compromise.

2) CVE-2019-19781

Earlier this year in January, Citrix published a permanent fix for a critical vulnerability CVE-2019-19781 in affected versions of Citrix SD-WAN WANOP.

The update came nearly five days after Citrix provided firmware updates for the same vulnerability in Application Delivery Controller (ADC) and Citrix Gateway products. An unathenticated attacker could exploit the vulnerability and execute arbitrary code.

3) CVE-2019-11510

According to a Department of Homeland Security (DHS) advisory released this past April, organizations that were running Pulse Security VPN devices may still be at risk of being exploited, even if previously patched..

The risk is elevated if an actor previously exploited CVE-2019-11510 and stole AD credentials from the victim organization.

Although the VPN patch was released in April of 2019, threat actors continued to exploit CVE-2019-11510 throughout 2019 and into this year.

4) CVE-2020-0688

According to a Microsoft security advisory, a remote code execution vulnerability CVE-2020-0688 exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

The vulnerability was fixed as party of February 2020 Security Updates.

Related Articles