National Security Agency puts out a security advisory about Chinese hackers exploiting vulnerabilities

October 21, 2020

The US National Security Agency prefers staying in the shadows. It is therefore notable that it has issued a very public cybersecurity advisory highlighting vulnerabilities Chinese hackers are using as part of their cyber attacks.

The advisory provides, in part:

One of the greatest threats to U.S. National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and Department of Defense (DoD) information networks is Chinese state-sponsored malicious cyber activity. These networks often undergo a full array of tactics and techniques used by Chinese state-sponsored cyber actors to exploit computer networks of interest that hold sensitive intellectual property, economic, political, and military information. Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts.

The same process for planning the exploitation of a computer network by any sophisticated cyber actor is used by Chinese state-sponsored hackers. They often first identify a target, gather technical information on the target, identify any vulnerabilities associated with the target, develop or re-use an exploit for those vulnerabilities, and then launch their exploitation operation.

This advisory provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks. Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access (T1133) or for external web services (T1190), and should be prioritized for immediate patching. While some vulnerabilities have specific additional mitigations below, the following mitigations generally apply:

    • Keep systems and products updated and patched as soon as possible after patches are released.
    • Expect that data stolen or modified (including credentials, accounts, and software) before the device was patched will not be alleviated by patching, making password changes and reviews of accounts a good practice.
    • Disable external management capabilities and set up an out-of-band management network.
    • Block obsolete or unused protocols at the network edge and disable them in device configurations.
    • Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network.
    • Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.
