Chinese hacker

NSA, CISA, and the FBI revealed today the top security vulnerabilities most exploited by hackers backed by the People's Republic of China (PRC) to target government and critical infrastructure networks.

The three federal agencies said in a joint advisory that Chinese-sponsored hackers are targeting U.S. and allied networks and tech companies to gain access to sensitive networks and steal intellectual property.

"NSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks," the advisory says.

"This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs)."

The advisory also bundles recommended mitigations for each of the security flaws most exploited by Chinese threat actors, as well as detection methods and vulnerable technologies to help defenders spot and block incoming attack attempts.

The following security vulnerabilities have been the top most exploited by Chinese-backed state hackers since 2020, according to the NSA, CISA, and the FBI.

Vendor

CVE

Vulnerability Type

Apache Log4j

CVE-2021-44228

Remote Code Execution

Pulse Connect Secure

CVE-2019-11510

Arbitrary File Read

GitLab CE/EE

CVE-2021-22205

Remote Code Execution

Atlassian

CVE-2022-26134

Remote Code Execution

Microsoft Exchange

CVE-2021-26855

Remote Code Execution

F5 Big-IP

CVE-2020-5902

Remote Code Execution

VMware vCenter Server

CVE-2021-22005

Arbitrary File Upload

Citrix ADC

CVE-2019-19781

Path Traversal

Cisco Hyperflex

CVE-2021-1497

Command Line Execution

Buffalo WSR

CVE-2021-20090

Relative Path Traversal

Atlassian Confluence Server and Data Center

CVE-2021-26084

Remote Code Execution

Hikvision Webserver

CVE-2021-36260

Command Injection

Sitecore XP

CVE-2021-42237

Remote Code Execution

F5 Big-IP

CVE-2022-1388

Remote Code Execution

Apache

CVE-2022-24112

Authentication Bypass by Spoofing

ZOHO

CVE-2021-40539

Remote Code Execution

Microsoft

CVE-2021-26857

Remote Code Execution

Microsoft

CVE-2021-26858

Remote Code Execution

Microsoft

CVE-2021-27065

Remote Code Execution

Apache HTTP Server

CVE-2021-41773

Path Traversal

Mitigation measures

NSA, CISA, and FBI also urged U.S. and allied governments, critical infrastructure, and private sector orgs to apply the following mitigation measures to defend against Chinese-sponsored cyber-attacks.

The three federal agencies advise organizations to apply security patches as soon as possible, use phishing-resistant multi-factor authentication (MFA) whenever possible, and replace end-of-life network infrastructure no longer receiving security patches.

They also recommend moving towards the Zero Trust security model and enabling robust logging on internet-exposed services to detect attack attempts as soon as possible.

Today's joint advisory follows two others that shared information on tactics, techniques, and procedures (TTPs) used by Chinese-backed threat groups (in 2021) and publicly known vulnerabilities they exploit in attacks (in 2020).

In June, they also revealed that Chinese state hackers had compromised major telecommunications companies and network service providers to steal credentials and harvest data.

On Tuesday, the U.S. Government also issued an alert about state-backed hackers stealing data from U.S. defense contractors using a custom CovalentStealer malware and the Impacket framework.

Related Articles:

US government discloses more ransomware attacks on water plants

CISA cautions against using hacked Ivanti VPN gateways even after factory resets

FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks

Russian hackers shift to cloud attacks, US and allies warn

US govt shares cyberattack defense tips for water utilities