Chinese hackers have been frequently observed conducting espionage activities against government agencies and private sector entities across the globe. Recently, the CISA and the FBI have published an advisory for a similar issue, which suggests that China-sponsored hackers are further increasing their capabilities to carry out disruptive actions, such as denial-of-service attacks or physical disruptions of critical infrastructure against the U.S. organizations.
The advisory suggests that China-backed hackers are upgrading their efficacy by using readily available exploits and exploit toolkits to quickly engage target networks.
China-affiliated hackers have been utilizing search engines, such as Shodan, to scan for vulnerabilities in commonly used products from Microsoft, Citrix, Pulse Secure, and F5 Networks.
The exploited products and vulnerabilities include F5 Big-IP (CVE-2020-5902), Microsoft Exchange Server (CVE-2020-0688), Citrix appliances (CVE-2019-19781), and Pulse Secure VPN Servers (CVE-2019-11510).
In addition, hackers use widely known tools, including China Chopper web shell, Cobalt Strike, and Mimikatz, to gain further access to the victims’ networks.
At times, Chinese hackers have been found taking advantage of newly announced vulnerabilities within days of their announcement.
In August, a new Chinese malware called Taidoor was found targeting U.S. government agencies, corporations, and think tanks, by exploiting commonly known vulnerabilities, such as CVE-2009-3129 and CVE-2009-4324.
In June, Chinese hackers were seen exploiting critical vulnerabilities in Telerik UI (CVE-2019-18935, CVE-2017-11317, CVE-2017-9248, and CVE-2017-11357), against Australian organizations. The exploit code for all these vulnerabilities is available publicly.
Advisories from cybersecurity agencies must be considered as a high-priority action item. Security experts recommend the implementation of robust configuration and patch management programs to boost network security while mitigating the associated risks.