CISA: Chinese hackers are exploiting Citrix, F5, Exchange flaws

The US government says that China-sponsored hackers are actively targeting well-known devices and servers

China-sponsored hackers are actively attacking vulnerabilities in popular devices and servers.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) wrote a joint statement,^[1] saying that China-sponsored hackers are attacking US government agencies and private companies through vulnerabilities in Citrix, F5, Pulse, and Microsoft Exchange servers and devices.^[2] CISA together with the FBI explained:

According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years. These hackers acted for both their own personal gain and the benefit of the Chinese MSS.

CISA warned that Chinese hackers are looking for publicly exposed and vulnerable devices with the Internet-device engine Shodan or such vulnerability databases like the National Vulnerabilities Database (NVD) and the Common Vulnerabilities and Exposure (CVE).

The US Cybersecurity and Infrastructure Security Agency (CISA)^[3] is the Nation's risk advisor. The purpose of this agency is to defend the US against today's threats and collaborating together with partners to build a more secure and resilient infrastructure for the future. CISA was established on 16 November 2018.

The most notable vulnerabilities are CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, and CVE-2020-0688

CISA explained^[1] that the threat actors are especially targeting vulnerabilities in Citrix, Pulse Secure, F5, and Microsoft Exchange Server. According to the agency, the most notable flaws are:

• CVE-2020-0688:^[4] Microsoft Exchange Server vulnerability. Hackers using this flaw to enable email collection of targeted networks.
• CVE-2020-5902:^[5] F5 Big-IP remote takeover vulnerability. Threat actors exploiting this flaw in F5's Big-IP Traffic Management User Interface to execute arbitrary system commands, delete or create files, execute Java code, and/or disable services.
• CVE-2019-11510:^[6] Pulse Secure's VPN's remote code flaw. By using this vulnerability hackers could gain access to victim's networks. CISA said that even months after the organization patched its VPN appliance, the agency still observed incidents where compromised Active Directory credentials were used by Chinese hackers.
• CVE-2019-19781:^[7] Citrix VPN directory traversal hole. This vulnerability enabled hackers to execute directory traversal attacks.

Vendors already issued patches to install for each of these vulnerabilities. Thus, private companies and government agencies should be able to protect their networks if they deploy the latest security updates.

CISA and the FBI recommends often audit configuration and patch management programs

Some of these Chinese hackers' attacks have been successful and let them gain a foothold on federal and private networks. The hacking crews from China are always looking for soft spots they could use: for example, servers with holes in their bespoke web apps. They like to abuse all available bugs and other opportunities to reach data.

The FBI and CISA wrote:^[1]

CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems.

So, if private organizations and government agencies want to be protected they should remember to patch their programs and try intrusion detection.