
CISA Issues Warning on Chinese Cyber Espionage Attacks

CISA, together with the NSA and the FBI, has issued a joint advisory warning organizations about ongoing cyber espionage attacks by Chinese state-sponsored threat actors.

Telecommunications industry remains the top target

  • The advisory reveals that the attacks are primarily aimed at telecommunications companies and network service providers, and are carried out by exploiting known vulnerabilities in network devices.
  • The attackers have repeatedly exploited a set of publicly known, already-patched vulnerabilities since 2020.
  • These include three vulnerabilities affecting Cisco devices, four affecting QNAP devices, two affecting Pulse Secure devices, and one each in devices from Citrix, D-Link, Fortinet, Netgear, MikroTik, and DrayTek.
  • The attackers use open-source tools such as RouterSploit and RouterScan to find devices affected by these vulnerabilities. Once a vulnerable device is identified, they exploit it to gain initial access to victim accounts or public-facing applications.
  • After gaining an initial foothold in a telecommunications organization or network service provider, the actors identify critical users, systems, and infrastructure and use them to maintain long-term persistence.
  • CISA notes that compromised devices are then used as part of the attackers' command-and-control (C2) infrastructure and as proxies for breaching further networks.
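The last point is the one a defender can hunt for directly: a router or VPN gateway that is relaying C2 traffic or proxying into the network starts originating sessions it has no business originating. The script below is an added example, not code from CISA or from the article. It parses a constructed NetFlow-style CSV export and flags managed edge devices that either (1) initiate sessions to unexpected external hosts, or (2) fan out to many internal hosts. The device inventory, internal address ranges, allow-listed destinations and ports, the flow records, and the fan-out threshold are all hypothetical and would be replaced with the organization's own data.

```python
"""Hunt for edge network devices behaving like C2 relays or proxies.

Added example (not from the CISA advisory or the article). All IPs,
device names, allow-lists and thresholds below are hypothetical.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Hypothetical inventory of managed edge devices keyed by management IP.
EDGE_DEVICES = {
    "10.0.0.1": "core-router",
    "10.0.0.2": "vpn-gateway",
    "10.0.0.3": "branch-router",
}

# Hypothetical address space owned by the organization. Membership is
# checked explicitly rather than via ipaddress.is_private(), which also
# treats the RFC 5737 documentation ranges used below as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destinations and ports an edge device is expected to originate traffic to
# (hypothetical: a syslog collector, plus DNS/NTP/syslog ports anywhere).
ALLOWED_DST = {"10.0.0.100"}
ALLOWED_PORTS = {53, 123, 514}

# Constructed flow export: sessions originated by the source address.
# The vpn-gateway appears 12 times, sweeping 10.0.1.5-10.0.1.16 on 445.
SAMPLE_FLOWS = """\
src,dst,dport,bytes
10.0.0.1,10.0.0.100,514,2048
10.0.0.1,203.0.113.5,443,93120
10.0.0.3,198.51.100.7,123,76
10.0.9.25,203.0.113.9,443,51000
""" + "".join(f"10.0.0.2,10.0.1.{i},445,1200\n" for i in range(5, 17))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse a CSV flow export with the columns src,dst,dport,bytes."""
    reader = csv.DictReader(io.StringIO(text))
    return [Flow(r["src"], r["dst"], int(r["dport"]), int(r["bytes"]))
            for r in reader]


def is_internal(ip):
    """True if ip falls inside one of the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt_proxying_devices(flows, edge_devices=EDGE_DEVICES,
                          allowed_dst=ALLOWED_DST, allowed_ports=ALLOWED_PORTS,
                          fanout_threshold=10):
    """Return {device_ip: finding} for edge devices whose self-originated
    traffic looks like C2 beaconing/relaying (unexpected external hosts) or
    proxying into the network (many distinct internal targets)."""
    findings = {}
    for dev_ip, name in edge_devices.items():
        unexpected = [f for f in flows
                      if f.src == dev_ip
                      and f.dst not in allowed_dst
                      and f.dport not in allowed_ports]
        external = sorted({f.dst for f in unexpected if not is_internal(f.dst)})
        internal_targets = {f.dst for f in unexpected if is_internal(f.dst)}
        if external or len(internal_targets) >= fanout_threshold:
            findings[dev_ip] = {
                "device": name,
                "external_c2_candidates": external,
                "internal_fanout": len(internal_targets),
                "bytes_out": sum(f.nbytes for f in unexpected),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in hunt_proxying_devices(parse_flows(SAMPLE_FLOWS)).items():
        print(ip, finding)
```

On the constructed data the core-router is flagged for a 93 KB session to an external host on 443 and the vpn-gateway for sweeping twelve internal hosts on 445, while the branch-router's NTP query and the workstation's web traffic are ignored. The allow-list is deliberately small: an edge device's management plane should speak to very few things, so the hunt's value comes from how short that list is, not from the sophistication of the matching.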

Other notable incidents observed recently

  • Beyond the telecommunications sector, researchers have recently reported the alleged involvement of Chinese threat actors in other espionage attacks.
  • In one incident, Proofpoint revealed that a threat actor tracked as TA413 had exploited the Follina vulnerability in attacks against the Tibetan community, using the ‘Women Empowerment Desk’ of the Central Tibetan Administration as a lure.
  • The threat landscape also saw the re-emergence of LuoYu, a highly sophisticated Chinese APT, which used a man-in-the-middle attack to deliver its WinDealer malware.
  • The group's malware has been used against Windows, Linux, and macOS machines, as well as Android devices.

What does CISA suggest?

The advisory urges organizations to apply the relevant patches to prevent these attacks, and to take additional mitigation steps that stop intrusions at the initial-access stage. These include keeping systems and products up to date, isolating suspected compromised devices from the network, enforcing strong passwords on critical devices, and requiring MFA for all VPN connections.

Cyware Publisher