In a joint cybersecurity advisory, NSA, CISA and the FBI assess that People's Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known Common Vulnerabilities and Exposures (CVEs). These actors use known vulnerabilities to actively target government networks as well as software and hardware companies, both to steal intellectual property and to develop access into sensitive networks.
NSA, CISA, and FBI urge government, critical infrastructure, and private sector organizations to apply the recommendations in the mitigations section below to strengthen their defensive posture and reduce the risk of compromise by these state-sponsored actors.
Top vulnerabilities exploited by PRC state-sponsored cyber actors since 2020
Affected vendors and products – Apache, Pulse Connect Secure, GitLab, Atlassian, Microsoft, F5 Big-IP, VMware, Citrix ADC, Cisco, Buffalo, Hikvision, Sitecore, ZOHO.
Vulnerability types exploited – Remote Code Execution, Arbitrary File Read, Path Traversal, Command Line Execution, Command Injection, Authentication Bypass by Spoofing.
These state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Many of the vulnerabilities allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques—some of which pose a significant risk to technology organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.
Important mitigation measures
NSA, CISA, and FBI recommend that organizations apply the following measures on an ongoing basis:
- Update and patch systems as soon as possible. Prioritize patching the vulnerabilities identified in the joint Cybersecurity Advisory (CSA) and other known exploited vulnerabilities.
- Use phishing-resistant multi-factor authentication wherever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there is any indication that a password has been compromised.
- Block obsolete or unused protocols at the network edge.
- Upgrade or replace end-of-life devices.
- Move toward the Zero-Trust security model.
- Enable robust logging of internet-facing systems and monitor the logs for anomalous activity.
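The last recommendation is only useful if someone actually looks at the logs. As an added example (not code from the advisory or from any of the vendors listed above), the script below triages web server access logs from an internet-facing system for the two request-level vulnerability classes named above that are visible in a URL, path traversal and command injection. It repeatedly percent-decodes the request path so that double-encoded sequences such as `%252e%252e` are recognised as `..`, then tallies hits per source address. The log lines are constructed for the example and use RFC 5737 documentation addresses; the pattern lists are deliberately small and are an assumption about what is worth flagging, not a complete signature set.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (not from the advisory) in the Apache/nginx
# "combined" access log format. Source addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Oct/2022:10:01:05 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 404 196 "-" "curl/7.68.0"
198.51.100.23 - - [12/Oct/2022:10:01:06 +0000] "GET /..%252f..%252f..%252fetc/hosts HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.7 - - [12/Oct/2022:10:01:09 +0000] "POST /api/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Oct/2022:10:02:11 +0000] "GET /status?host=localhost;cat%20/etc/passwd HTTP/1.1" 500 0 "-" "python-requests/2.25"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed indicator patterns: "../" (or "..\") after decoding, and shell
# metacharacters commonly used to chain a command onto an injected parameter.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/\.\.$)')
CMD_INJECT_RE = re.compile(r'[;|`$]|&&|\$\(')


def normalise_path(path: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded '..' becomes visible."""
    cur = path
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(path: str) -> list[str]:
    """Return the list of indicator classes matched by a request path, in fixed order."""
    decoded = normalise_path(path)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path_traversal")
    if CMD_INJECT_RE.search(decoded):
        reasons.append("command_injection")
    return reasons


def analyse(log_text: str) -> list[dict]:
    """Parse each line and keep only requests that match an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole run
        reasons = classify(m["path"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "path": m["path"],
                "reasons": reasons,
            })
    return findings


def per_source(findings: list[dict]) -> dict:
    """Count flagged requests per source address, to surface scanning hosts."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['status']} {','.join(f['reasons'])} {f['path']}")
    print(per_source(hits))
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents. Note that the HTTP status is kept in each finding on purpose: a 403 or 404 on a traversal attempt means the server refused it, while a 200 on the same request is the line that needs an immediate look. This is a first-pass triage aid to feed a ticket or a SIEM query, not a substitute for centralised logging and alerting across all internet-facing systems.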