The US National Security Agency (NSA) published a report detailing the top 25 vulnerabilities currently being exploited by Chinese state-sponsored hacking groups. Most of the bugs sit in web services or remote access tools, the NSA said.
Because the affected products are directly accessible from the Internet, the vulnerabilities act as gateways into organizations' internal networks, according to the NSA. The list is not unique to China: state-sponsored threat actors from Russia and Iran have also exploited several of the same flaws to compromise computer systems.
The NSA considers Chinese state-sponsored cyber activity to be among the greatest risks facing the US Defense Industrial Base (DIB), National Security Systems (NSS), and Department of Defense (DoD) information networks, and it urges organizations in both the public and private sectors to patch their systems.
Top vulnerabilities exploited by Chinese hackers
The NSA noted that all the top vulnerabilities exploited by Chinese hackers are well known and have existing patches. Many of them have also been incorporated into exploit kits used by ransomware gangs, other state-sponsored groups, and malware operators, so an unpatched system is exposed to far more than one adversary.
Earlier, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint alert on state-sponsored (APT) actors chaining vulnerabilities, pairing VPN appliance bugs with Zerologon, to compromise government networks, including election support systems. The top vulnerabilities exploited by Chinese hackers include:
CVE-2019-11510 (arbitrary file disclosure bug) – Pulse Secure VPN vulnerability that allows an unauthenticated attacker to read arbitrary files through a specially crafted URI, including files that contain usernames and passwords for the VPN.
CVE-2020-5902 – Remote Code Execution (RCE) vulnerability in the Traffic Management User Interface (TMUI) of F5 BIG-IP proxies and load balancers. An unauthenticated attacker who can reach the TMUI can execute arbitrary commands and take over the device.
CVE-2019-19781 (directory traversal bug) – Exists in Citrix Application Delivery Controller (ADC) and Gateway. The traversal allows remote code execution by an unauthenticated attacker.
CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 (Citrix ADC and Gateway bugs) – The three Citrix bugs are improper access-control flaws that allow unauthenticated access to certain URL endpoints and information disclosure to low-privileged users. They also affect Citrix SD-WAN WANOP appliances.
CVE-2019-0708 (BlueKeep) – A pre-authentication, wormable remote code execution vulnerability in Remote Desktop Services (RDP) on Windows.
CVE-2020-15505 – Remote code execution vulnerability in MobileIron Core and Connector mobile device management (MDM) software. The bug allows an unauthenticated attacker to execute arbitrary code and take control of the MDM server.
CVE-2020-1350 (SIGRed) – A wormable remote code execution vulnerability in Windows Domain Name System (DNS) Server, triggered when the server fails to properly handle a crafted DNS response.
CVE-2020-1472 (Zerologon) – An elevation-of-privilege vulnerability: an unauthenticated attacker who establishes a vulnerable Netlogon secure channel to a Windows Domain Controller using the Netlogon Remote Protocol (MS-NRPC) can obtain domain administrator privileges.
CVE-2019-1040 – A tampering vulnerability in Microsoft Windows that lets a man-in-the-middle (MiTM) attacker bypass the NTLM Message Integrity Check (MIC) protection and relay NTLM authentication.
CVE-2018-6789 – Exim mail transfer agent vulnerability that allows an attacker to take control of the mail server by sending a specially crafted message. The attack exploits a buffer overflow in Exim's base64 decoding routine.
CVE-2020-0688 – Microsoft Exchange remote code execution vulnerability, described by Microsoft as a failure to handle objects in memory properly. In practice the root cause is a static cryptographic key in the Exchange Control Panel, which lets any authenticated user run code on the server as SYSTEM.
CVE-2018-4939 – Deserialization of Untrusted Data vulnerability existing on some Adobe ColdFusion versions. The bug allows arbitrary code execution by a remote attacker.
CVE-2015-4852 – The vulnerability exists in the WLS Security component of Oracle WebLogic Server. The bug allows a remote attacker to execute arbitrary commands through a specially crafted serialized Java object.
CVE-2020-2555 – Oracle Fusion Middleware vulnerability on the Oracle Coherence component. The vulnerability allows an unauthenticated attacker to compromise Oracle Coherence systems through T3 network access.
CVE-2019-3396 – Path traversal and remote code execution vulnerability in the Widget Connector macro in Atlassian Confluence Server. The bug allows attackers to compromise a Confluence Server or Data Center instance through server-side template injection.
CVE-2019-11580 – The pdkinstall development plugin is incorrectly enabled in release builds of Atlassian Crowd and Crowd Data Center, so an unauthenticated attacker can install arbitrary plugins and gain remote code execution on the instance.
CVE-2020-10189 – Zoho ManageEngine Desktop Central remote code execution vulnerability. The bug originates from the deserialization of untrusted data.
CVE-2019-18935 – A remote code execution vulnerability in Progress Telerik UI for ASP.NET AJAX. The RadAsyncUpload component performs insecure .NET deserialization, so an attacker who knows the component's encryption keys can execute arbitrary code on the server.
CVE-2020-0601 (CurveBall) – Spoofing vulnerability on the Windows CryptoAPI (Crypt32.dll), which validates Elliptic Curve Cryptography (ECC) certificates. An attacker could use a spoofed code-signing certificate to sign a malicious executable. The vulnerability allows a threat actor to impersonate a trusted source.
CVE-2019-0803 – Elevation of privilege vulnerability in Windows when the Win32K component fails to handle objects in memory properly.
CVE-2017-6327 – Remote code execution vulnerability in Symantec Messaging Gateway.
CVE-2020-3118 – Exists in the Cisco Discovery Protocol implementation in Cisco IOS XR Software. An unauthenticated, adjacent attacker (one Layer 2 hop away) can cause the device to reload or execute arbitrary code on it.
CVE-2020-8515 – Bug that allows an unauthenticated attacker to execute code as root on DrayTek Vigor devices.
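Two of the listed bugs, the Pulse Secure file read (CVE-2019-11510) and the Citrix ADC traversal (CVE-2019-19781), are reached through specially crafted URIs, so a first check a practitioner can run is a search of web access logs for traversal attempts against those appliances' web paths. The script below is an added example and is not part of the NSA report or of either vendor's tooling. The log lines are constructed for the example (RFC 5737 test addresses), and the product hints rely on the publicly documented shape of those requests: Pulse Secure's /dana-na/ and /dana/ web paths, and a /vpn/ request that resolves to /vpns/ on Citrix. The helper names (decode_path, classify, scan_log) are this example's own.

```python
"""Flag path-traversal requests against VPN/gateway web paths in access logs."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example only; they are not real
# traffic and do not come from the NSA report. Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Oct/2020:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.5 - - [21/Oct/2020:10:01:03 +0000] "GET /dana-na/../dana/html5acc/guest/../../../../../../../etc/passwd?/dana/html5acc/guest/ HTTP/1.1" 200 1834
198.51.100.7 - - [21/Oct/2020:10:02:10 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 621
198.51.100.7 - - [21/Oct/2020:10:02:11 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 621
192.0.2.9 - - [21/Oct/2020:10:03:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
"""

# Common/combined log format: client, identd, user, [timestamp], "METHOD target HTTP/x".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def decode_path(raw: str) -> str:
    """Strip the query string and percent-decode (bounded) so that %2e%2e and
    double-encoded forms are seen as '..', as the appliance would after decoding."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(path: str):
    """Return (product_hint, resolved_path) when the path contains a '..' segment,
    or None for a request with no traversal at all."""
    if ".." not in path.split("/"):
        return None
    resolved = posixpath.normpath(path)  # the file the server would actually open
    if path.startswith("/dana-na/") or path.startswith("/dana/"):
        product = "Pulse Secure VPN (CVE-2019-11510 traversal pattern)"
    elif path.startswith("/vpn/") and resolved.startswith("/vpns/"):
        product = "Citrix ADC/Gateway (CVE-2019-19781 traversal pattern)"
    else:
        product = "generic path traversal"
    return product, resolved


def scan_log(text: str) -> list:
    """Parse each log line and collect traversal findings in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hit = classify(decode_path(m.group("target")))
        if hit:
            product, resolved = hit
            findings.append({
                "client": m.group("ip"),
                "target": m.group("target"),
                "product": product,
                "resolved": resolved,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']:15} {f['product']}  -> {f['resolved']}")
```

A traversal hit that returned HTTP 200 on a resolved path such as /etc/passwd is a strong indicator that the appliance was unpatched when the request arrived; a 400 or 404 usually means the patch (or a WAF rule) rejected it. Either way, the hit is a triage lead, and the next step is to confirm the appliance version and, for Pulse Secure, to rotate any credentials the readable files could have exposed.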
According to Jayant Shukla, CTO and Co-founder of K2 Cyber Security, keeping software updated is the surest method of preventing Chinese hackers from exploiting any of the top vulnerabilities.
“For organizations that can’t keep up to date or don’t have the resources to keep their software up to date, they should look into virtual patching solutions that protect the application, like the ones offered by RASP (Runtime Application Self-Protection) solutions, which are now mandated by the latest version of the NIST SP800-53 Revision 5 Security and Privacy Framework. RASP solutions also protect the organization against new and unpatched vulnerabilities.”
Chloé Messdaghi, VP of Strategy at Point3 Security, says that affiliated and independent Chinese hackers were actively trying to exploit the top vulnerabilities for self-gain.
“Chinese attackers could be [a] nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies … in other words, to steal and use for their own gain.”
Beyond the NSA's top 25, Chinese hackers will exploit any available vulnerability to compromise US computer systems. They can also increase the impact of an intrusion through vulnerability chaining, combining several flaws, for example an initial VPN file-disclosure bug followed by Zerologon, to gain a foothold and then extend control across the network.
Chinese government responds to NSA’s cyberespionage accusations
China's Foreign Ministry rejected the US agency's accusation of international cyber espionage. In return, Beijing labeled the US an "empire of hacking," citing surveillance programs such as PRISM, the NSA collection program exposed by Edward Snowden in 2013.
Zhao Lijian, the Chinese Foreign Ministry spokesman, added that the US had a "natural advantage" in exploiting vulnerabilities because of its leading role in software and hardware development. Zhao also noted that the US and its "Five Eyes" partners had demanded backdoors in apps such as WhatsApp to allow spying. WhatsApp uses end-to-end encryption to prevent third parties from intercepting communications.
Cyber espionage counter-accusations are common between the US and China. The Chinese cybersecurity company Qihoo 360 accused the CIA of conducting an 11-year cyber espionage campaign against Chinese airlines. The US cybersecurity firm Symantec also reported that Chinese hackers had obtained NSA hacking tools and used them against US allies.