The US Cybersecurity and Infrastructure Security Agency (CISA) issued a new advisory on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities.
“CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,” the cybersecurity agency said.
Over the past 12 months, the victims were identified through sources such as Shodan, the Common Vulnerabilities and Exposure (CVE) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives.
By compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as Cobalt Strike, China Chopper Web Shell, and Mimikatz credential stealer to extract sensitive information from infected systems.
That’s not all. Taking advantage of the fact that organizations aren’t quickly mitigating known software vulnerabilities, the state-sponsored attackers are “targeting, scanning, and probing” US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface (CVE-2020-5902), Citrix VPN (CVE-2019-19781), Pulse Secure VPN (CVE-2019-11510), and Microsoft Exchange Servers (CVE-2020-0688) to compromise targets.
“Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,” the agency said. “While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.”
This is not the first time Chinese actors have worked on behalf of China’s MSS to infiltrate various industries across the US and other countries.
In July, the US Department of Justice (DoJ) charged two Chinese nationals for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information.
But it’s not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed “Fox Kitten” that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue multiple security alerts urging businesses to secure their VPN environments.
Stating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with low-security posture, CISA has recommended organizations to patch routinely exploited vulnerabilities, and “audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.”