NSA lists top 25 vulnerabilities routinely exploited by Chinese hackers

The U.S. National Security Agency has released a list of top 25 security vulnerabilities that Chinese hackers are actively exploiting to steal intellectual property, economic, political, and military information.

The National Security Agency said that "Chinese state-sponsored malicious cyber actors" are actively exploiting these vulnerabilities to target networks and devices which are directly accessible from the Internet and which hold sensitive intellectual property, economic, political, and military information.

"Once a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside," NSA said, adding that Chinese state-sponsored malicious cyber activity is a threat to Department of Defense systems, the U.S. Defense Industrial Base, as well as all National Security Systems.

“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts. We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems,” said Anne Neuberger, Cybersecurity Director at the NSA.

Even though Chinese state-sponsored hackers use a variety of techniques to infiltrate targeted networks and devices and exfiltrate information of use to the Chinese state, NSA said organisations can still defend themselves: most of the vulnerabilities being exploited are publicly known and patches or mitigations for them are already available.

The list of 25 most-exploited vulnerabilities includes CVE-2019-11510 (arbitrary file read in Pulse Secure VPN appliances), CVE-2019-19781 (directory traversal leading to remote code execution in Citrix ADC and Gateway), CVE-2019-0708 (the "BlueKeep" flaw in Windows Remote Desktop Services), CVE-2020-15505 (RCE in MobileIron mobile device management software), CVE-2019-1040 (NTLM tampering enabling MITM attacks on Windows devices), and CVE-2015-4852 (Java deserialization RCE in Oracle WebLogic Server). The full list of vulnerabilities is given in NSA's advisory.

Chinese hackers associated with APT41 exploited software flaws to target multiple organisations

The announcement from the U.S. National Security Agency comes not long after five Chinese hackers working for state-sponsored hacker group APT41 were charged in the U.S. for targeting a large number of companies and individuals in multiple countries as well as pro-democracy politicians and activists in Hong Kong.

According to security firm FireEye, the hackers abused recently-disclosed vulnerabilities in software developed by Cisco, Citrix, and others to try to break into scores of companies' networks in the United States, Canada, Britain, Mexico, Saudi Arabia, Singapore, and more than a dozen other countries.

Three of the five Chinese hackers were found to be associated with a Chinese company named Chengdu 404 Network Technology. According to DOJ, the hackers used sophisticated hacking techniques to gain and maintain access to the computer networks of over a hundred companies, organisations, and individuals in the United States and in Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam.

DOJ added that the three hackers also compromised government computer networks in India and Vietnam and targeted, but failed to compromise, government computer networks in the United Kingdom. They also targeted the network of a non-profit organization dedicated to combating global poverty with ransomware attacks.

Commenting on the latest advisory issued by NSA, Jamie Akhtar, CEO and co-founder of CyberSmart, says that while the general impression is that cyber crime is sophisticated and difficult to protect against, this news demonstrates that even highly professional criminals are often just exploiting known vulnerabilities that organisations and the public haven't taken the time to address.

Organisations must maintain SOPs to patch vulnerable software ASAP

According to Ciaran Byrne, head of platform operations at Edgescan, organisations must have a procedure in place to update vulnerable software as soon as possible from the date the fix has been released in order to prevent hackers from exploiting unpatched vulnerabilities.

"It is not always practical or possible to update software straight away, as certain elements rely on a specific version or the update requires scheduling downtime; however, a plan and a timeline should be put in place. Organisations should be asking the questions:

  • Why can't it be patched now?
    • Is the software we are using, or the system using the software, so out of date that we need to change it?
  • What can we do to protect ourselves while unpatched?
    • Allow access to specific ports only from a predefined list of IPs by using a firewall, or block access to the system using the software from the internet completely
    • Is the associated risk low enough not to patch – no sensitive information could be stolen, no other systems are connected, no possibility of leveraging the exposed vulnerability into something more nefarious? This risk assessment should be carried out by trained professionals
  • When will we patch?"
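The triage questions above, and the advice earlier in the piece to prioritise the CVEs on NSA's list, can be turned into a repeatable procedure. The following is an added example written for this page; it is not code from the article, from NSA, or from Edgescan. It ranks scanner findings against the six CVEs the article names (a real deployment would load the full advisory list), assigns a remediation deadline, and records the compensating-control actions to take while a system stays unpatched. The finding records, the field names, the priority tiers and the SLA day counts are all assumptions chosen for illustration.

```python
"""Patch-triage helper: rank scanner findings against a list of actively
exploited CVEs and assign a remediation deadline plus interim actions.

Added example for this page, not code from the article, NSA or Edgescan.
The CVE set is the six CVEs the article quotes; everything else
(tiers, SLAs, field names, sample findings) is an assumption.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# The six CVEs the article names from the NSA list.
ACTIVELY_EXPLOITED = {
    "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-0708",
    "CVE-2020-15505", "CVE-2019-1040", "CVE-2015-4852",
}

# Assumed patch SLAs in days, keyed by priority tier.
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}
TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


@dataclass
class Finding:
    asset: str
    cve: str
    internet_exposed: bool
    patch_available: bool
    # Compensating control already in place: service port reachable only
    # from a predefined source-IP allowlist (the firewall step in the quote).
    allowlisted_sources: bool = False
    handles_sensitive_data: bool = True


@dataclass
class TriageResult:
    finding: Finding
    priority: str
    deadline: date
    actions: list = field(default_factory=list)


def prioritise(f: Finding) -> str:
    """Tier a finding: on the exploited list + reachable from the internet
    with no allowlist is the worst case; unknown CVE on an internal box is
    the mildest."""
    exploited = f.cve in ACTIVELY_EXPLOITED
    if exploited and f.internet_exposed and not f.allowlisted_sources:
        return "P1"
    if exploited and (f.internet_exposed or f.handles_sensitive_data):
        return "P2"
    if exploited or f.internet_exposed:
        return "P3"
    return "P4"


def triage(f: Finding, today: date) -> TriageResult:
    """Answer the 'why not now / what meanwhile / when' questions for one finding."""
    prio = prioritise(f)
    result = TriageResult(f, prio, today + timedelta(days=SLA_DAYS[prio]))
    if not f.patch_available:
        result.actions.append("no vendor fix: assess replacing or isolating the system")
    if f.internet_exposed and not f.allowlisted_sources:
        result.actions.append("restrict the service port to a predefined source-IP allowlist "
                              "or remove the system from the internet until patched")
    if f.cve in ACTIVELY_EXPLOITED:
        result.actions.append("actively exploited: review logs for prior compromise, "
                              "not just apply the patch")
    return result


def triage_report(findings, today: date):
    """Return results ordered by tier, then asset name, for a patch meeting."""
    results = [triage(f, today) for f in findings]
    return sorted(results, key=lambda r: (TIER_ORDER[r.priority], r.finding.asset))


# Constructed sample scan output; hosts and states are invented for illustration.
# "CVE-0000-0000" is a placeholder standing in for any CVE not on the list.
SAMPLE_FINDINGS = [
    Finding("vpn01", "CVE-2019-11510", internet_exposed=True, patch_available=True),
    Finding("mdm01", "CVE-2020-15505", internet_exposed=True, patch_available=True,
            allowlisted_sources=True),
    Finding("jump01", "CVE-2019-0708", internet_exposed=False, patch_available=True),
    Finding("weblogic-dev", "CVE-2015-4852", internet_exposed=False, patch_available=True,
            handles_sensitive_data=False),
    Finding("wiki01", "CVE-0000-0000", internet_exposed=False, patch_available=False,
            handles_sensitive_data=False),
]

if __name__ == "__main__":
    for r in triage_report(SAMPLE_FINDINGS, date(2020, 10, 20)):
        print(f"{r.priority} {r.finding.asset:14} {r.finding.cve:15} due {r.deadline}")
        for a in r.actions:
            print(f"     - {a}")
```

The allowlist flag is what moves mdm01 from P1 to P2: the firewall restriction in the quote does not make the vulnerability go away, so the deadline shortens from 90 days to 14 rather than disappearing. The "review logs for prior compromise" action reflects the article's point that these CVEs are the initial foothold; patching after the fact does not evict an actor who already used it.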

Copyright Lyonsdown Limited 2020