Written by Shannon Vavra
Hackers connected to a Chinese intelligence agency have infiltrated U.S. government and the private sector entities in recent months by exploiting a series of common vulnerabilities, the FBI and Department of Homeland Security’s cybersecurity agency announced Monday.
Attackers tied to China’s civilian intelligence and counterintelligence service, the Ministry of State Security (MSS), have been using phishing emails with malicious links to infiltrate victim organizations, according to the alert. By including malicious software in those messages, hackers are exploiting software flaws in commercial technologies and open-source tools, including services with known fixes. F5 Networks’ Big-IP Traffic Management User Interface, Citrix VPN Appliances, Pulse Secure VPN appliances, and Microsoft Exchange Server are among those affected, says the report from the FBI and DHS’ Cybersecurity and Infrastructure Security Agency (CISA).
All of these are tools are open source and commercially available, making potentially high value espionage targets in the U.S. government relatively easy and low-cost for state-sponsored hackers to exploit. At times, the U.S. says it has observed hackers, from China and elsewhere, taking advantage of newly announced vulnerabilities within days of their announcement.
“CISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure,” the announcement states. “This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors.”
Hackers have already been successful in several cases, and have compromised at least two organizations using the F5 vulnerability, according to CISA. In some cases, entities that have left publicly known software vulnerabilities unpatched have placed at risk one of the most sensitive U.S. government operations, such as the effort to produce millions of coronavirus vaccine doses by January of 2021. Two hackers alleged to be working with the MSS allegedly used “publicly known software vulnerabilities in popular products” that had been newly announced in order to target U.S. entities in the medical and defense sectors, including those working on the coronavirus vaccine, the U.S. Department of Justice announced in July.
Suspected Chinese hackers frequently conduct economic espionage against government and private sector entities in the U.S. in order to steal intellectual property and bolster China’s technology and defense sectors. In recent years, China has developed cyberwarfare capabilities that can “create disruptive and destructive effects — from denial-of service attacks to physical disruptions of critical infrastructure,” according to a Pentagon assessment released in September.
In some cases the Chinese hackers have attempted to brute-force a Microsoft tool, known as Remote Desktop Protocol, in the federal government, CISA and the FBI announced Monday.
To take advantage, the hackers have been using Cobalt Strike, a penetration testing tool that can be used for logging keystrokes, and a web shell used to brute-force passwords known as China Chopper. The hackers have also availed themselves of Mimikatz, in a likely effort to steal victims’ account credentials and perform privilege escalation.
Chinese state-linked hackers perennially take advantage of publicly announced flaws to target vulnerable organizations. Earlier this year, state-backed hackers in China known as APT41 embarked on a sweeping espionage campaign taking aim at targets around the world that hadn’t patched previously announced vulnerabilities, according to FireEye research. The campaign worked to exploit a Citrix’s Application Delivery Controller, Cisco’s routers, and Zoho’s ManageEngine Desktop Central.
CISA and FBI warned U.S. government agencies and private sector alike to patch these and other known vulnerabilities.
“If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,” the alert warns.