The U.S. National Security Agency (NSA) warns that Chinese state-sponsored hackers exploit 25 different vulnerabilities in attacks against U.S. organizations and interests.

In an advisory issued today, the NSA said that it is aware of targeted attacks by Chinese state-sponsored hackers against National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and the Department of Defense (DoD) information networks.

As part of these attacks, the NSA has seen twenty-five publicly disclosed vulnerabilities exploited to gain access to networks, deploy malicious mobile apps, and spread laterally through a system while attackers steal sensitive data.

The NSA is advising all organizations to immediately patch vulnerable devices to protect against cyberattacks that lead to data theft, banking fraud, and ransomware attacks.

“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” NSA Cybersecurity Director Anne Neuberger said.

“We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.”

Vulnerabilities used in different phases of attack

The NSA has categorized the vulnerabilities into different buckets to illustrate how they are being used in cyberattacks.

Exploit secure remote access: To gain access to networks, Chinese threat actors utilize seven different vulnerabilities, many of which also provide credentials that can be used to spread further on the network.

  • CVE-2019-11510 – A Pulse Secure VPN vulnerabilities that allow an unauthenticated attacker to gain access to VPN credentials.
  • CVE-2020-5902 – A F5 BIG-IP® 8 proxy / load balancer remote code execution vulnerability.
  • CVE-2019-19781 – A Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability, which can lead to remote code execution without credentials.
  • CVE-2020-8193 – Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP vulnerability allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users
  • CVE-2020-8195 – Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP vulnerability allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users
  • CVE-2020-8196 – Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP vulnerability allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users
  • CVE-2019-0708 – The Windows BlueKeep Remote Desktop Service vulnerability allows unauthenticated users to perform remote code execution.

Exploit Mobile Device Management (MDM): By compromising MDM servers, threat actors can push out malicious mobile apps or change device configurations that send traffic through attacker-controlled proxy servers or hosts.

  • CVE-2020-15505 – A remote code execution vulnerability in the MobileIron 13 mobile device management (MDM)

Exploit Active Directory for Lateral Movement and Credential Access:

  • CVE-2020-1472 – The critical 10/10 Windows ZeroLogon Netlogon elevation of privilege vulnerability allows threat actors to quickly gain access to domain administrator credentials on a domain controller. From there, they can harvest sensitive data or deploy malware, such as ransomware.
  • CVE-2019-1040 – A Windows NTLM vulnerability allows attackers to reduce the built-in security for the Windows operating system.

Exploit public-facing servers: Attackers use these vulnerabilities to bypass authentication in web servers, email servers, or DNS to remotely execute commands on the internal network. For compromised web servers, attackers can utilize them in watering-hole attacks to target future visitors.

  • CVE-2020-1350 – The Windows DNS server SigRed vulnerability allows attackers to spread laterally through a network.
  • CVE-2018-6789 – An Exim mail server vulnerability allows unauthenticated, remote code execution.
  • CVE-2018-4939 – Adobe ColdFusion 14 vulnerability that could lead to arbitrary code execution

Exploit internal servers: These vulnerabilities are used to spread laterally throughout a network and gain access to internal servers, where the attackers can steal valuable data.

  • CVE-2020-0688 – A Microsoft Exchange vulnerability that allows authenticated users to perform remote code execution.
  • CVE-2015-4852 – The WLS Security component in Oracle WebLogic15 Server allows remote attackers to execute arbitrary commands via a crafted serialized Java16 object.
  • CVE-2020-2555 – A vulnerability exists in the Oracle® Coherence product of Oracle Fusion® Middleware. This easily exploitable
  • CVE-2019-3396 – A server-side template injection vulnerability is present in the Widget Connector in Atlassian Confluence servers that allows remote attackers to perform remote code execution and path traversal.
  • CVE-2019-11580 – Attackers who can send requests to an Atlassian® Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, permitting remote code execution. This vulnerability was used in GandCrab ransomware attacks in the past.
  • CVE-2020-10189 – Zoho ManageEngine 18 Desktop Central vulnerability allows remote code execution. This bug was used in attacks to deploy backdoors.
  • CVE-2019-18935 – A vulnerability in Telerik 19 UI for ASP.NET AJAX can lead to remote code execution. It was seen used by a hacker group named ‘Blue Mockingbird’ to install Monero miners on vulnerable servers but could be used to spread laterally as well.

Exploit user work workstations for local privilege escalation: When an attacker gains access to a workstation, their ultimate goal is to gain administrative credentials or privileges. Using these vulnerabilities, a hacker can elevate their privileges to SYSTEM or administrator access.

  • CVE-2020-0601 – A Windows CryptoAPI Spoofing vulnerability discovered by the NSA allows attackers to spoof code-signing certificates to make malicious executables appear to be signed by a legitimate trusted company.
  • CVE-2019-0803 – An elevation of privilege vulnerability exists in Windows® when the Win32k component fails to properly handle objects in memory.

Exploit network devices: This final bucket of vulnerabilities allows attackers to monitor and modify network traffic as it flows over the device.

  • CVE-2017-6327 – The Symantec 22 Messaging Gateway can encounter a remote code execution issue.
  • CVE-2020-3118 – A Cisco ‘CDPwn’ vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS 23 XR Software could allow remote code execution.
  • CVE-2020-8515 – DrayTek Vigor 24 devices enable remote code execution as root (without authentication) via shell metacharacters

As Chinese state-sponsored hackers have been seen utilizing a combination of these vulnerabilities, it is strongly advised that all administrators patch them as soon as possible.