Chinese Campaign exploits Network Providers and Devices Worldwide
Nearly two months ago, on 7 June 2022, CISA, together with the NSA and the FBI, published Cybersecurity Advisory AA22-158A.
The advisory describes the ways in which People's Republic of China (PRC) state-sponsored cyber actors exploit known vulnerabilities to establish an extensive network of compromised infrastructure worldwide.
These actors use that network to attack targets worldwide, including public and private sector organisations. The advisory details the targeting of major telecommunications companies and network service providers, and lists the top vulnerabilities in network devices that these actors routinely exploit.
PRC state-sponsored cyber actors have conducted widespread campaigns that rapidly exploit publicly known Common Vulnerabilities and Exposures (CVEs). This technique allows the actors to gain access to victim accounts using publicly available exploit code against virtual private network (VPN) services or public-facing applications, without using any malware that could be attributed to them.
Network equipment such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices serves both as Command and Control (C2) infrastructure and as a midpoint from which to conduct intrusions against other networks. High-severity vulnerabilities disclosed in recent years in such devices gave the actors a way into popular equipment that cyber defenders often overlook, because they already struggle to keep up with routine patching of internet-facing services and endpoint devices.
PRC-sponsored actors normally conduct their intrusions by accessing compromised servers, called hop points, from various China-based Internet Protocol (IP) addresses that resolve to different Internet Service Providers (ISPs) located in China. They use these servers to register and access operational email accounts, host C2 domains, and interact with target networks. The hop points are an obfuscation technique: the traffic that reaches a target never comes directly from the operators' own infrastructure.
These actors have also developed tactics to evade defences. The agencies (NSA, CISA and the FBI) have observed state-sponsored cyber actors monitoring network defenders' accounts and actions and adapting their campaigns to stay undetected. The actors are known to modify their infrastructure and toolsets as soon as information about their ongoing campaigns is released publicly. PRC state-sponsored cyber actors often combine their customised toolsets with tools native to the target environment to obscure their activity and blend into the noise of regular network traffic.
The agencies urge organisations to apply the following general mitigations:
- Keep systems and products updated and patched as soon as possible after patches are released. Consider leveraging a centralized patch management system to automate and expedite the process.
- Immediately remove or isolate suspected compromised devices from the network.
- Segment networks to limit or block lateral movement.
- Disable unused or unnecessary network services, ports, protocols, and devices.
- Enforce multifactor authentication (MFA) for all users, without exception.
- Enforce MFA on all VPN connections. If MFA is unavailable, enforce password complexity requirements.
- Implement strict password requirements, enforce password complexity, change passwords at a defined frequency, and perform regular account reviews to ensure compliance.
- Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures.
- Disable external management capabilities and set up an out-of-band management network.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network.
- Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.
- Ensure that you have dedicated management systems and accounts for system administrators. Protect these accounts with strict network policies.
- Enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions.
- When responding to a confirmed incident in any portion of a network, response teams should scrutinise accesses to network infrastructure, evaluate potential lateral movement to network infrastructure, and implement corrective actions commensurate with their findings.
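Several of the mitigations above (disabling external management, an out-of-band management network, and logging and review of infrastructure accesses and configuration changes) only pay off if somebody actually checks the logs against the policy. The script below is an added example, not code from the advisory or from the agencies: it reviews Cisco IOS-style syslog lines and flags every admin login attempt or configuration change whose source address lies outside an assumed out-of-band management network (10.250.0.0/24), and calls out a successful login that follows failures from the same outside source. The log lines are constructed for the example, and the exact message formats and the management network are assumptions.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed out-of-band management network. With external management
# disabled and dedicated admin systems in place, every admin login or
# configuration change on a network device should originate from here.
MGMT_NETWORK = ipaddress.ip_network("10.250.0.0/24")

# Constructed sample syslog lines in a Cisco IOS-style format. These are
# not real device output; the message formats are assumptions.
SAMPLE_LOGS = """\
Jul 28 03:12:45 core-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.250.0.17] [localport: 22] at 03:12:45 UTC
Jul 28 03:14:02 core-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.250.0.17)
Jul 28 03:40:11 edge-fw2 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed] at 03:40:11 UTC
Jul 28 03:40:19 edge-fw2 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.23] [localport: 22] at 03:40:19 UTC
Jul 28 03:41:05 edge-fw2 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (198.51.100.23)
Jul 28 04:02:33 core-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.250.0.17] [localport: 22] at 04:02:33 UTC
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%SEC_LOGIN-\d-(?P<result>LOGIN_SUCCESS|LOGIN_FAILED): "
    r".*?\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
CONFIG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) "
    r"on (?P<line>\S+) \((?P<src>[^)]+)\)"
)


@dataclass
class Event:
    ts: str
    host: str
    kind: str  # "login_ok", "login_fail" or "config"
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address


@dataclass
class Finding:
    host: str
    user: str
    src: str
    kind: str
    reason: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line into an Event, or return None for lines that
    are neither an authentication nor a configuration-change message."""
    m = LOGIN_RE.match(line)
    if m:
        kind = "login_ok" if m["result"] == "LOGIN_SUCCESS" else "login_fail"
        return Event(m["ts"], m["host"], kind, m["user"], ipaddress.ip_address(m["src"]))
    m = CONFIG_RE.match(line)
    if m:
        return Event(m["ts"], m["host"], "config", m["user"], ipaddress.ip_address(m["src"]))
    return None


def review(lines: Iterable[str], mgmt_net=MGMT_NETWORK) -> list[Finding]:
    """Flag every login attempt or configuration change whose source is
    outside the management network. A success that follows failures from
    the same source on the same device is called out explicitly, because
    that pattern looks like password guessing rather than an admin slip."""
    failures: dict[tuple[str, str], int] = {}
    findings: list[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev.host, str(ev.src))
        if ev.kind == "login_fail":
            failures[key] = failures.get(key, 0) + 1
        if ev.src in mgmt_net:
            if ev.kind == "login_ok":
                failures.pop(key, None)  # expected admin activity; reset counter
            continue
        if ev.kind == "login_fail":
            reason = "authentication failure from outside the management network"
        elif ev.kind == "login_ok":
            n = failures.pop(key, 0)
            reason = "successful login from outside the management network"
            if n:
                reason += f" after {n} failed attempt(s)"
        else:
            reason = "configuration change from outside the management network"
        findings.append(Finding(ev.host, ev.user, str(ev.src), ev.kind, reason))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOGS.splitlines()):
        print(f"{f.host}: user={f.user} src={f.src}: {f.reason}")
```

On the constructed sample the core-rtr1 activity from 10.250.0.17 is silent, while edge-fw2 produces three findings for 198.51.100.23: a failed login, a success flagged as following one failure, and a configuration change. In a real deployment the policy check would run against the central syslog collector rather than a string, and the management network and message formats would be taken from the environment being defended.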