If you are looking to defend your organization or agency from Chinese nation-state cyberattacks, you have your work cut out for you.
The United States National Security Agency (NSA) sums up the threat for Chinese hacking targets and targeted networks:
"These networks often undergo a full array of tactics and techniques used by Chinese state-sponsored cyber actors to exploit computer
networks of interest that hold sensitive intellectual property, economic, political, and military information. Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts."
And that's why the NSA issued a cybersecurity advisory, titled Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities.
Known exploits being attacked by Chinese nation-state hackers
There are more than a dozen listed vulnerabilities the U.S. government has observed Chinese hackers trying to exploit. Here are five of them:
1. PulseSecure VPNS - CVE-2019-11510
"In Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords."
2. CITRIX Gateways and Controllers - multiple CVEs
"Improper access control and input validation, in Citrix® ADC and Citrix® Gateway and Citrix® SDWAN WAN-OP, allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users."
3. Windows Vulnerabilities - multiple CVEs
Privilege escalation: "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle
objects in memory."
RCE: "A Microsoft Exchange validation key remote code execution vulnerability exists when the software fails to properly handle objects in memory."
Man-in-the-Middle attack: "A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to
successfully bypass the NTLM MIC (Message Integrity Check) protection."
4. MobileIron Vulnerabilities - multiple CVEs
"A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code via unspecified vectors"
5. Oracle Vulnerabilities - multiple CVEs
Authentication: "A vulnerability exists in the Oracle® Coherence product of Oracle Fusion® Middleware. This easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence."
RCE: "The Widget Connector macro in Atlassian Confluence Server allows remote attackers to achieve path traversal and remote code execution on a Confluence® Server or Data Center instance via server-side template injection."
Read the complete list of vulnerabilities knowingly being exploited by Chinese nation-state hackers. And if you read the list, expect to find the following:
"Most of the vulnerabilities listed... can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching."
Remote access and external web services are fantastic tools for getting business done. And that includes China's business of global cyberattacks.
