Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs

cisa flaw exploit

Monday’s CISA advisory is a staunch reminder for federal government and private sector entities to apply patches for flaws in F5 BIG-IP devices, Citrix VPNs, Pulse Secure VPNs and Microsoft Exchange servers.

The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.

Patches are currently available for all these flaws – and in some cases, have been available for over a year – however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Monday advisory. CISA claims the attacks were launched by threat actors affiliated with the Chinese Ministry of State Security.

Threatpost Webinar Promo Bug Bounty

Click to Register

“CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats,” according to a Monday CISA advisory. “Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems.”

No further details on the specific hacked entities were made public. The threat actors have been spotted successfully exploiting two common vulnerabilities  – allowing them to compromise federal government and commercial entities, according to CISA.

The first is a vulnerability (CVE-2020-5902) in F5’s Big-IP Traffic Management User Interface, which allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code. As of July, about 8,000 users of F5 Networks’ BIG-IP family of networking devices were still vulnerable to the critical flaw.

Feds also observed the attackers exploiting an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances (CVE-2019-11510). This flaw – speculated to be the cause of the Travelex breach earlier this year –  allows bad actors to gain access to victim networks.

“Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance,” according to the advisory.

Threat actors were also observed hunting for Citrix VPN Appliances vulnerable to CVE-2019-19781, which is a flaw that enables attackers to execute directory traversal attacks. And, they have also been observed attempting to exploit a Microsoft Exchange server remote code execution flaw (CVE-2020-0688) that allows attackers to collect emails of targeted networks.

As part of its advisory, CISA also identified common TTPs utilized by the threat actors. For instance, threat actors have been spotted using the Cobalt Strike commercial penetration testing tool to target commercial and federal government networks; they have also seen the actors successfully deploying the open-source China Chopper tool against organization networks and using open-source tool Mimikatz.

The initial access vector for these cyberattacks vary. CISA said it has observed threat actors utilize malicious links in spearphishing emails, as well as exploit public facing applications. In one case, CISA observed the threat actors scanning a federal government agency for vulnerable web servers, as well as scanning for known vulnerabilities in network appliances (CVE-2019-11510). CISA also observed threat actors scanning and performing reconnaissance of federal government internet-facing systems shortly after the disclosure of “significant CVEs.”

CISA said, maintaining a rigorous patching cycle continues to be the best defense against these attacks.

“If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,” according to the advisory.

Terence Jackson, CISO at Thycotic, echoed this recommendation, saying the advisory sheds light on the fact that organizations need to keep up with patch management. In fact, he said, according to a recent Check Point report, 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier – and more than 20 percent of the attacks used vulnerabilities that are at least seven years old.

“Patch management is one of the fundamentals of security, however, it is difficult and we are still receiving a failing grade. Patch management, enforcing MFA and least privilege are key to preventing cyber-attacks in both the public and private sectors,” he told Threatpost.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Suggested articles