NSA Lists 25 Vulnerabilities Chinese APT Groups Are Chasing Right Now
Cybercriminals are consistently scanning and exploiting publicly available security bugs. Recently, the National Security Agency (NSA) has published a report, detailing the top 25 vulnerabilities exploited by hackers, urging organizations in the U.S. public and private sectors to prioritize for action.
The top 25 vulnerabilities
According to the report, Chinese state-sponsored hackers were seen abusing these vulnerabilities to launch strategic hacking operations against a multitude of victim networks.
- Most of these vulnerabilities belong to products related to remote access or external web services. Such products, accessible via the internet, are often exploited to gain initial access inside the victim’s network.
- Exploits in the enterprise products including gateways (including Citrix ADC and Gateway, Symantec Messaging Gateway), VPN (Pulse Secure VPN), load balancers (F5 BIG-IP), etc. could provide direct remote access to the attackers.
- Several vulnerabilities in the list target Windows OS and its services, such as Remote Desktop Services (Blukeep vulnerability), Netlogon (Zerologon), DNS server (SigRed), etc.
- Additional products include business applications such as email servers (such as Microsoft Exchange, Exim mail), and application servers (such as Oracle WebLogic, Zoho ManageEngine, Adobe ColdFusion), that are being targeted by Chinese hackers.
Recent exploitation of these flaws
Not only Chinese hackers but several other low-level malware groups, ransomware gangs, and other state-sponsored hackers (including Russia, and Iran) were seen exploiting the above-mentioned vulnerabilities.
- Threats actors such as TA505, MuddyWater, and Ryuk were seen abusing the ZeroLogon vulnerability (CVE-2020-1472) to target public and private sector organizations.
- Hackers were seen combining VPN (CVE-2019-11510) and Windows bugs to gain access to government networks, for which CISA and the FBI had issued prior warnings.
- F5 BIG-IP (CVE-2020-5902), and Pulse Secure VPN servers (CVE-2019-11510) were also recently targeted by hackers.
- In September, Iranian hacking group Pioneer Kitten was seen taking advantage of several unpatched vulnerabilities (CVE-2020-5902, CVE-2019-11510, and CVE-2019-19781) to target U.S. businesses and federal agencies.
The bottom line
The exploitation of such vulnerabilities could lead to the compromise of sensitive information related to a country’s policies, strategies, plans, and competitive advantage. Fortunately, all the vulnerabilities listed by researchers have patches available from their vendors. Thus, users are recommended to patch these and all other known vulnerabilities to avoid any undue risks to their infrastructure.