
US Govt: China-Sponsored Hackers Targeting Exchange, Citrix, F5 Flaws


Today, the US government issued an advisory on China-sponsored hackers attacking government agencies through vulnerabilities in Microsoft Exchange, Citrix, Pulse, and F5 devices and servers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is an independent federal agency that protects against and coordinates responses to threats from private and state-sponsored hackers targeting United States interests.

In a new advisory today, CISA and the FBI warn that Chinese MSS-affiliated hackers are attacking US government agencies and private companies by exploiting vulnerabilities in publicly exposed edge systems.

“According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years. These hackers acted for both their own personal gain and the benefit of the Chinese MSS,” a CISA advisory warned today.

As part of their attacks, the Chinese threat actors look for vulnerable and publicly exposed devices using the Internet-device search engine Shodan and vulnerability databases such as the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD).

In particular, CISA has seen the threat actors targeting vulnerabilities in F5, Citrix, Pulse Secure, and Microsoft Exchange Server to gain access to an organization’s network or collect data.

The most notable vulnerabilities CISA has seen targeted by Chinese MSS-affiliated actors are:

  • CVE-2020-5902: F5 BIG-IP – This vulnerability allows a remote attacker to access the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) without authentication and perform remote code execution.
  • CVE-2019-19781: Citrix Virtual Private Network (VPN) appliances – Vulnerabilities in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP allow remote unauthenticated attackers to execute commands and gain access to a network.
  • CVE-2019-11510: Pulse Secure VPN servers – This vulnerability enables unauthenticated, remote attackers to send specially crafted URIs to vulnerable servers and read sensitive files containing user credentials. These credentials can later be used to take control of an organization’s systems and more.
  • CVE-2020-0688: Microsoft Exchange Server – This flaw is present in the Exchange Control Panel (ECP) component and is caused by Exchange’s failure to create unique cryptographic keys at installation time. Once exploited, attackers can perform remote code execution (RCE) on the server with SYSTEM privileges.
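To make the CVE-2020-0688 entry above actionable for defenders, here is an added Python example (not from the advisory or this article) that scans IIS W3C logs for the request shape such exploitation leaves behind: GET requests to /ecp/ that carry ViewState in the query string, which legitimate ECP traffic submits in a POST body instead. The log lines, IP addresses and the __VIEWSTATEGENERATOR value are constructed.

```python
from urllib.parse import unquote

# Constructed sample IIS W3C log excerpt (not from any real server).
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-09-14 10:01:02 10.0.0.5 GET /owa/ - 443 203.0.113.7 200
2020-09-14 10:01:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=DEADBEEF&__VIEWSTATE=%2FwEy%2BAQ 443 203.0.113.7 500
2020-09-14 10:02:15 10.0.0.5 POST /ecp/default.aspx - 443 198.51.100.2 200
2020-09-14 10:03:33 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=DEADBEEF&__VIEWSTATE=AAAA 443 203.0.113.7 500
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for following rows
        elif line.startswith("#") or not line.strip() or fields is None:
            continue                            # other directives / blanks
        else:
            values = line.split()
            if len(values) == len(fields):      # skip malformed rows
                rows.append(dict(zip(fields, values)))
    return rows


def is_ecp_viewstate_get(row):
    """True for GET /ecp/* requests whose query string carries __VIEWSTATE.
    ECP normally posts ViewState in the body; a GET with it in the URL is the
    tell-tale shape of CVE-2020-0688 exploitation attempts."""
    query = unquote(row.get("cs-uri-query", "")).lower()
    return (row.get("cs-method") == "GET"
            and row.get("cs-uri-stem", "").lower().startswith("/ecp/")
            and "__viewstate=" in query)


def flag_ecp_viewstate_requests(text):
    """Return the log rows matching the exploitation pattern."""
    return [r for r in parse_w3c(text) if is_ecp_viewstate_get(r)]


def suspicious_sources(text):
    """Count flagged requests per client IP, for triage and blocking decisions."""
    counts = {}
    for r in flag_ecp_viewstate_requests(text):
        counts[r["c-ip"]] = counts.get(r["c-ip"], 0) + 1
    return counts
```

Hits with a 500 status are worth immediate attention, since a failed deserialization on the server side often reports exactly that.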


Attempt to spread laterally through a network

Once a network is compromised, the China-sponsored hackers will download a variety of tools that allow them to gain further access to computers on the network.

During digital forensics and incident response (DFIR), CISA has noted that the threat actors are commonly downloading specific tools as part of their attacks.

The most common tools are:

  • Cobalt Strike: Cobalt Strike is a legitimate adversary simulation platform intended to be used by security professionals to assess a network’s security. Threat actors are using cracked versions as part of their attacks to enable backdoor access to compromised systems and deploy additional tools on the network.
  • China Chopper Web Shell: This tool allows threat actors to install PHP, ASP, ASPX, JSP, and CFM web shells (backdoors) on publicly exposed web servers. Once the China Chopper web shell is installed, the attackers gain full access to the remote server through the exposed website.
  • Mimikatz: Mimikatz is a post-exploitation tool that allows attackers to dump Windows credentials stored in a computer’s memory. Threat actors, including ransomware operations, commonly use this tool to obtain administrator credentials and, from there, compromise Windows domain controllers.

Using the above three tools, a threat actor can spread from a locked-down system to other devices until they gain full control of the network.

In addition, CISA warned that the threat actors are utilizing the Microsoft Exchange CVE-2020-0688 RCE vulnerability “to collect emails from the exchange servers found in Federal Government environments.”

Suggested mitigations

To protect against these types of attacks, CISA and the FBI advise that all organizations perform routine audits of their infrastructure and implement a robust patch management strategy.

“CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems,” CISA and FBI advise in the advisory.

All organizations are strongly advised to make sure the following patches are installed on affected devices to prevent them from being exploited by threat actors.

Vulnerability / Patch Information

  • CVE-2020-5902 – F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902
  • CVE-2019-19781 – Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0; Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3; Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0; Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5
  • CVE-2019-11510 – Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX
  • CVE-2020-0688 – Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability
