Yesterday, US-CERT released an advisory on hackers affiliated with China’s Ministry of State Security (MSS) targeting government agencies and private companies through recent high-profile vulnerabilities with readily available open-source exploits. Some of the targeted vulnerabilities include:
- CVE-2020-5902 – F5 Big-IP Vulnerability
- CVE-2019-19781 – Citrix Virtual Private Network (VPN) Appliances
- CVE-2019-11510 – Pulse Secure VPN Servers
- CVE-2020-0688 – Microsoft Exchange Server
After successful exploitation, the attackers download a variety of tools such as Cobalt Strike, the China Chopper web shell and Mimikatz. With these tools, the attacker can run scripts or commands on the infected machines, modify or exfiltrate files, and dump Windows credentials for further compromise.
All of the compromise methods in this scenario leverage publicly available exploits for vulnerabilities that already have patches available. Binary Defense highly recommends patching all of the vulnerable appliances listed as soon as possible to prevent possible intrusions. Organizations should have a patch management plan in place to protect themselves from known vulnerabilities. More in-depth detail and links to each security advisory for the individual products can be found in the full advisory by US-CERT.