Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities – with a Pulse VPN flaw claiming the dubious title of “most-favored bug” for these groups.
That’s according to the National Security Agency (NSA), which released a “top 25” list of the exploits used most often by China-linked advanced persistent threats (APTs), groups that include the likes of Cactus Pete, TA413, Vicious Panda and Winnti.
The Feds warned in September that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to patch amid this flurry of heightened activity.
“Many of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,” warned the NSA, in its Tuesday advisory. “Once a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.”
APTs – Chinese and otherwise – have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the lead-up to the U.S. elections next month. But Chloé Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities contribute to an ongoing swell of attacks.
“We definitely saw an increase in this situation last year and it’s ongoing,” she said. “They’re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies…in other words, to steal and use for their own gain.”
Pulse Secure, BlueKeep, Zerologon and More
Plenty of well-known and infamous bugs made the NSA’s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.
It’s an arbitrary file-reading flaw that opens systems to exploitation from remote, unauthenticated attackers. In April of this year, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively using the issue to steal passwords to infiltrate corporate networks. And in fact, this is the bug at the heart of the Travelex ransomware fiasco that hit in January.
Pulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven’t applied it, CISA warned.
Another biggie for foreign adversaries is a critical flaw in F5 BIG-IP 8 proxy/load balancer devices (CVE-2020-5902). This remote code-execution (RCE) bug exists in the Traffic Management User Interface (TMUI) of the device that’s used for configuration. It allows complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serving as a hop-point into other areas of the network.
At the end of June, F5 issued urgent patches for the bug, which has a CVSS severity score of 10 out of 10 “due to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,” researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.
The NSA also flagged several vulnerabilities in Citrix as being Chinese faves, including CVE-2019-19781, which was revealed last holiday season. The bug exists in the Citrix Application Delivery Controller (ADC) and Gateway, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. An exploit can lead to RCE without credentials.
When it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to scramble to push fixes out – but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitations and mass scanning activity for the vulnerable Citrix products.
Other Citrix bugs in the list include CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196.
Meanwhile, Microsoft bugs are well-represented, including the BlueKeep RCE bug in Remote Desktop Services (RDP), which is still under active attack a year after disclosure. The bug tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker connecting to the target system using RDP, to send specially crafted requests and execute code. The issue with BlueKeep is that researchers believe it to be wormable, which could lead to a WannaCry-level disaster, they have said.
Another bug-with-a-name on the list is Zerologon, the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It was patched in August, but many organizations remain vulnerable, and the DHS recently issued a dire warning on the bug amid a tsunami of attacks.
The very first bug ever reported to Microsoft by the NSA, CVE-2020-0601, is also being favored by Chinese actors. This spoofing vulnerability, patched in January, exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.
Two proof-of-concept (PoC) exploits were publicly released just a week after Microsoft’s January Patch Tuesday security bulletin addressed the flaw.
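The CryptoAPI flaw above hinged on how a certificate describes its elliptic curve: a certificate that spells out its curve with explicit parameters instead of naming a standard curve by OID is exactly the shape a defender should refuse to trust. The following added example (not code from the article or from Microsoft) walks a DER-encoded SubjectPublicKeyInfo and flags whether the EC parameters are a named curve or explicit; the two sample SPKIs are constructed inline with a dummy public point, and the explicit-parameter sample is a truncated placeholder rather than a full ECParameters structure.

```python
"""Flag X.509 EC public keys that use explicit curve parameters.
Stdlib only; sample inputs below are constructed, not real certificates."""

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
SECP256R1 = bytes.fromhex("2a8648ce3d030107")       # OID 1.2.840.10045.3.1.7
NAMED_CURVES = {SECP256R1: "secp256r1"}


def der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Build one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, off=0):
    """Return (tag, value, next_offset) for the element starting at off."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    return tag, buf[off:off + n], off + n


def classify_ec_params(spki):
    """Return 'named:<curve>', 'explicit' or 'not-ec' for a DER SPKI."""
    _, seq, _ = read_tlv(spki)                 # SubjectPublicKeyInfo
    _, algid, _ = read_tlv(seq)                # AlgorithmIdentifier
    oid_tag, oid, off = read_tlv(algid)        # algorithm OID
    if oid_tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    ptag, params, _ = read_tlv(algid, off)     # parameters field
    if ptag == 0x06:                           # OBJECT IDENTIFIER: named curve
        return "named:" + NAMED_CURVES.get(params, "unknown")
    return "explicit"  # SEQUENCE ECParameters chosen by the certificate author


# Constructed samples: dummy 65-byte uncompressed point, not a real key.
POINT = tlv(0x03, b"\x00\x04" + b"\x11" * 64)
NAMED = tlv(0x30, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + tlv(0x06, SECP256R1)) + POINT)
EXPLICIT = tlv(0x30, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY)
                         + tlv(0x30, tlv(0x02, b"\x01"))) + POINT)  # placeholder params
```

A full validator would go further (verify the chain, compare the issuer key rather than only its public point), but rejecting or alerting on the "explicit" result is the cheap check that removes the certificate shape this bug class depends on.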
Then there’s a high-profile Microsoft Exchange validation key RCE bug (CVE-2020-0688), which stems from the server failing to properly create unique keys at install time.
It was fixed as part of Microsoft’s February Patch Tuesday updates – and admins in March were warned that unpatched servers are being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers were still vulnerable to the flaw.
The Best of the Rest
The NSA’s Top 25 list covers plenty of ground, including a nearly ubiquitous RCE bug (CVE-2019-1040) that, when disclosed last year, affected all versions of Windows. It allows a man-in-the-middle attacker to bypass the NTLM Message Integrity Check protection.
Here’s a list of the other flaws:
- CVE-2018-4939 in certain Adobe ColdFusion versions
- CVE-2020-2555 in the Oracle Coherence product in Oracle Fusion Middleware
- CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server
- CVE-2019-11580 in Atlassian Crowd or Crowd Data Center
- CVE-2020-10189 in Zoho ManageEngine Desktop Central
- CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX
- CVE-2019-0803 in Windows, a privilege-escalation issue in the Win32k component
- CVE-2020-3118 in the Cisco Discovery Protocol implementation for Cisco IOS XR Software
- CVE-2020-8515 in DrayTek Vigor devices
The advisory also covers three older bugs: one in the Exim mail transfer agent (CVE-2018-6789); one in Symantec Messaging Gateway (CVE-2017-6327); and one in the WLS Security component in Oracle WebLogic Server (CVE-2015-4852).
“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” NSA Cybersecurity Director Anne Neuberger said in a media statement. “We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.”