Threat Watch

Attackers Are Using These Flaws to Target VPNs and Network Devices

The US is warning that hackers working for China have been exploiting publicly known flaws in network devices as part of broader attacks to steal and manipulate network traffic. The National Security Agency (NSA), Federal Bureau of Investigations (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) have listed 16 flaws in network device software from 10 brands including Cisco, Fortinet, Netgear, MikroTik, Pulse Secure, and Citrix that were publicly disclosed between 2018 and 2021. Most of the flaws are rated as critical. These flaws are the ones most frequently exploited by hackers backed by the People’s Republic of China (PRC) since 2020, according to the agencies. “Since 2020, PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities,” the agencies warn. “This technique has allowed the actors to gain access into victim accounts using publicly available exploit code against Virtual Private Network (VPN) services or public-facing applications – without using their own distinctive or identifying malware – so long as the actors acted before victim organizations updated their systems.”

The warning concerns attacks exploiting bugs affecting small business routers, Network-Attached Storage (NAS) devices, and enterprise VPNs. But the agencies also detail scanning activity and compromises of specialized authentication servers used by major telecommunications companies and network service providers. Network devices like small business routers and NAS devices serve as additional access points to route the actors’ command and control (C2) traffic.

The China-backed threat actors also used open-source software exploit frameworks for routers to scan for vulnerabilities in internet-facing devices. To compromise telecommunications providers, the attackers identified critical Remote Authentication Dial-In User Service (RADIUS) servers and then used SQL commands to dump user and admin credentials from the server’s underlying database. RADIUS is a widely supported networking protocol standard for authentication, authorization, and accounting management of users accessing a network. Using credentials from the targeted RADIUS servers, the actors then employed custom automated scripts for Cisco and Juniper routers to authenticate to an affected router via Secure Shell (SSH) and execute router commands. The actors saved the output of those commands, including individual router configurations, and then moved the information to their own infrastructure. Having gained router configurations as well as valid accounts and credentials, the attackers would have been able to manipulate traffic within a targeted network and exfiltrate traffic out of it. “The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network. Armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure.” 


The agencies recommend patching affected devices, removing or isolating compromised devices from the network, replacing end-of-life hardware, disabling unused or unnecessary services, ports, protocols, and devices, and enforcing multi-factor authentication “for all users, without exception.”