US-CERT- AA22-279A: Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors

Started by Netwörkheäd, October 06, 2022, 06:23:37 PM


Netwörkheäd

AA22-279A: Top CVEs Actively Exploited By People's Republic of China State-Sponsored Cyber Actors

Original release date: October 6, 2022

Summary

This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People's Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.



This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).



NSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture and reduce the threat of compromise from PRC state-sponsored malicious cyber actors.



For more information on PRC state-sponsored malicious cyber activity, see CISA's China Cyber Threat Overview and Advisories webpage (https://www.cisa.gov/uscert/china), FBI's Industry Alerts (https://www.ic3.gov/Home/IndustryAlerts), and NSA's Cybersecurity Advisories & Guidance (https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/).

Download the PDF version of this report: https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF (PDF, 409 KB)


Technical Details

NSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks. PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques—some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.



PRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest. NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. See Table 1 for the top used CVEs.



Table I: Top CVEs most used by Chinese state-sponsored cyber actors since 2020

Vendor                                        CVE              Vulnerability Type
Apache Log4j                                  CVE-2021-44228   Remote Code Execution
Pulse Connect Secure                          CVE-2019-11510   Arbitrary File Read
GitLab CE/EE                                  CVE-2021-22205   Remote Code Execution
Atlassian                                     CVE-2022-26134   Remote Code Execution
Microsoft Exchange                            CVE-2021-26855   Remote Code Execution
F5 Big-IP                                     CVE-2020-5902    Remote Code Execution
VMware vCenter Server                         CVE-2021-22005   Arbitrary File Upload
Citrix ADC                                    CVE-2019-19781   Path Traversal
Cisco Hyperflex                               CVE-2021-1497    Command Line Execution
Buffalo WSR                                   CVE-2021-20090   Relative Path Traversal
Atlassian Confluence Server and Data Center   CVE-2021-26084   Remote Code Execution
Hikvision Webserver                           CVE-2021-36260   Command Injection
Sitecore XP                                   CVE-2021-42237   Remote Code Execution
F5 Big-IP                                     CVE-2022-1388    Remote Code Execution
Apache                                        CVE-2022-24112   Authentication Bypass by Spoofing
ZOHO                                          CVE-2021-40539   Remote Code Execution
Microsoft                                     CVE-2021-26857   Remote Code Execution
Microsoft                                     CVE-2021-26858   Remote Code Execution
Microsoft                                     CVE-2021-27065   Remote Code Execution
Apache HTTP Server                            CVE-2021-41773   Path Traversal

These state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. For additional information on PRC state-sponsored cyber actors targeting network devices, please see People's Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices (https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3055748/nsa-cisa-and-fbi-expose-prc-state-sponsored-exploitation-of-network-providers-d/).


Mitigations

NSA, CISA, and FBI urge organizations to apply the recommendations below and those listed in Appendix A.

  • Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this CSA and other known exploited vulnerabilities (https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
  • Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised.
  • Block obsolete or unused protocols at the network edge.
  • Upgrade or replace end-of-life devices.
  • Move toward the Zero Trust security model.
  • Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity.

Appendix A



Table II: Apache CVE-2021-44228

Apache CVE-2021-44228    CVSS 3.0: 10 (Critical)

Vulnerability Description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against malicious actor controlled LDAP and other JNDI related endpoints. A malicious actor who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Recommended Mitigations

  • Apply patches provided by vendor and perform required system updates.

Detection Methods

Vulnerable Technologies and Versions

There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, check https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
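As an added example (not part of the advisory), the affected-version range stated in Table II turned into a check a defender can run over a software inventory; it parses Log4j pre-release tags such as 2.0-beta9, honours the excluded security releases, and skips the other logging libraries the advisory says are not affected. The host names and inventory lines are constructed for illustration.

```python
import re

# Affected range as stated in the advisory: Log4j2 2.0-beta9 through 2.15.0,
# excluding the security releases 2.12.2, 2.12.3 and 2.3.1. Only log4j-core is
# in scope; log4net, log4cxx and Log4j 1.x are not covered by this check.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.15.0"
SECURITY_RELEASES = {"2.12.2", "2.12.3", "2.3.1"}
_PRE_RE = re.compile(r"^([a-z]+)(\d*)$")


def parse_version(v: str):
    """Turn a Log4j version such as '2.0-beta9' into a sortable key: a final
    release sorts after every pre-release of the same number, and pre-release
    tags sort alphabetically (beta < rc) and then numerically."""
    base, _, pre = v.strip().lower().partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))  # pad '2.0' to 2.0.0
    if not pre:
        return tuple(nums), (1, "", 0)  # final release
    m = _PRE_RE.match(pre)
    if not m:
        raise ValueError(f"unrecognised pre-release tag in {v!r}")
    return tuple(nums), (0, m.group(1), int(m.group(2) or 0))


def is_affected_by_cve_2021_44228(version: str) -> bool:
    """True if this log4j-core version falls in the advisory's affected range."""
    if version.strip() in SECURITY_RELEASES:
        return False
    key = parse_version(version)
    return parse_version(AFFECTED_LOW) <= key <= parse_version(AFFECTED_HIGH)


# Constructed inventory for illustration: 'host artifact version', one per line.
INVENTORY = """\
app-server   log4j-core  2.14.1
reporting    log4j-core  2.12.2
legacy-etl   log4j-core  2.0-beta9
dotnet-api   log4net     2.0.12
batch-jobs   log4j-core  2.16.0
"""


def triage_inventory(inventory: str):
    """Return (host, version, affected) for each log4j-core entry; skip the rest."""
    findings = []
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "log4j-core":
            continue  # other logging libraries are not affected by this CVE
        host, _, version = parts
        findings.append((host, version, is_affected_by_cve_2021_44228(version)))
    return findings
```

Running triage_inventory(INVENTORY) flags app-server and legacy-etl, clears reporting (security release) and batch-jobs (2.16.0), and ignores the log4net host.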


         


Table III: Pulse CVE-2019-11510

Pulse CVE-2019-11510    CVSS 3.0: 10 (Critical)

Vulnerability Description

This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote malicious actor could send a specially crafted URI to exploit an arbitrary file read vulnerability.

Recommended Mitigations

  • Apply patches provided by vendor and perform required system updates.

Detection Methods

  • Use CISA's "Check Your Pulse" Tool.

Vulnerable Technologies and Versions

Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4


         


Table IV: GitLab CVE-2021-22205

GitLab CVE-2021-22205    CVSS 3.0: 10 (Critical)

Vulnerability Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in a remote command execution.

Recommended Mitigations

  • Update to 12.10.3, 13.9.6, and 13.8.8 for GitLab.
  • Hotpatch is available via GitLab.

Detection Methods

  • Investigate logfiles.
  • Check GitLab Workhorse.

Vulnerable Technologies and Versions

GitLab CE/EE.


         


Table V: Atlassian CVE-2022-26134

Atlassian CVE-2022-26134    CVSS 3.0: 9.8 (Critical)

Vulnerability Description

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that could allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15.2, 7.16.0 before 7.16.4, 7.17.0 before 7.17.4, and 7.18.0 before 7.18.1.

Recommended Mitigations

  • Immediately block all Internet traffic to and from affected products AND apply the update per vendor instructions.

Detection Methods

N/A

Vulnerable Technologies and Versions

All supported versions of Confluence Server and Data Center

Confluence Server and Data Center versions after 1.3.0


         


Table VI: Microsoft CVE-2021-26855

Microsoft CVE-2021-26855    CVSS 3.0: 9.8 (Critical)

Vulnerability Description

Microsoft has released security updates for Windows Exchange Server. To exploit these vulnerabilities, an authenticated malicious actor could send malicious requests to an affected server. A malicious actor who successfully exploited these vulnerabilities would execute arbitrary code and compromise the affected systems. If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive information, bypass security restrictions, cause denial of service conditions, and/or perform unauthorized actions on the affected Exchange server, which could aid in further malicious activity.

Recommended Mitigations

  • Apply the appropriate Microsoft Security Update:
      • Microsoft Exchange Server 2013 Cumulative Update 23 (KB5000871)
      • Microsoft Exchange Server 2016 Cumulative Update 18 (KB5000871)
      • Microsoft Exchange Server 2016 Cumulative Update 19 (KB5000871)
      • Microsoft Exchange Server 2019 Cumulative Update 7 (KB5000871)
      • Microsoft Exchange Server 2019 Cumulative Update 8 (KB5000871)
  • Restrict untrusted connections.

Detection Methods

  • Analyze Exchange product logs for evidence of exploitation.
  • Scan for known webshells.

Vulnerable Technologies and Versions

Microsoft Exchange 2013, 2016, and 2019.


         


Table VII: F5 CVE-2020-5902

F5 CVE-2020-5902    CVSS 3.0: 9.8 (Critical)

Vulnerability Description

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

Recommended Mitigations

  • Apply the F5 BIG-IP update.
  • Restrict access to the configuration utility.

Detection Methods

Vulnerable Technologies and Versions

F5 Big-IP Access Policy Manager
F5 Big-IP Advanced Firewall Manager
F5 Big-IP Advanced Web Application Firewall
F5 Big-IP Analytics
F5 Big-IP Application Acceleration Manager
F5 Big-IP Application Security Manager
F5 Big-IP DDoS Hybrid Defender
F5 Big-IP Domain Name System (DNS)
F5 Big-IP Fraud Protection Service (FPS)
F5 Big-IP Global Traffic Manager (GTM)
F5 Big-IP Link Controller
F5 Networks Big-IP Local Traffic Manager (LTM)
F5 Big-IP Policy Enforcement Manager (PEM)
F5 SSL Orchestrator

References

https://support.f5.com/csp/article/K00091341
https://support.f5.com/csp/article/K07051153
https://support.f5.com/csp/article/K20346072
https://support.f5.com/csp/article/K31301245
https://support.f5.com/csp/article/K33023560
https://support.f5.com/csp/article/K43638305
https://support.f5.com/csp/article/K52145254
https://support.f5.com/csp/article/K82518062


         


Table VIII: VMware CVE-2021-22005

VMware CVE-2021-22005    CVSS 3.0: 9.8 (Critical)

Vulnerability Description

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on
