A joint publication coauthored by the National Security Agency (NSA), Federal Bureau of Investigation (FBI) and the Cybersecurity & Infrastructure Security Agency (CISA) was released on 7 June 2022 about the People’s Republic of China State-Sponsored activities.
State-Sponsored actors have been exploiting Common Vulnerabilities and Exposures (CVEs) that are related to network devices. The vulnerabilities that these actors are exploiting are documented, and should be patched immediately if they have not already been addressed. The majority of these vulnerabilities revolve around Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices which are used to route traffic to command and control (C2) servers maintained by attackers.
The State-Sponsored actors have leveraged open-source tools for reconnaissance and vulnerability scanning to identify the specific makes and models of vulnerable devices. Once the vulnerability is exploited and the actors have initial access they target Remote Authentication Dial-In User Service (RADIUS) servers. The actors attempt to access Structured Query Language (SQL) databases to access stored passwords, which are either hashed or in cleartext. With credentials in hand these threat actors connect to target routers using a Secure Shell (SSH) connection and run automated scripts that exfiltrate the devices configuration. The actors then connect to the target devices and reconfigure them to forward traffic to actor-controlled devices. Using port mirroring the information that is sent to the actor’s router is also sent to the local next hop as not to disturb communications. This way the actor can continue to monitor and review traffic from their remote server.
This alert highlights the importance of keeping devices up to date and patched in order to protect your information.
Pictured below is a table showing the vendor, CVE, and vulnerability type from the CISA alert.
Mitigation recommendations provided by the NSA, CISA, and the FBI include:
- Keeping systems up to date and patched.
- Removing or isolating suspected compromised devices from the network.
- Segment networks to limit lateral movement.
- Disable unused or unnecessary network ports.
- Enforce multifactor authentication.
- Perform regular data backup procedures and maintain an up-to-date incident response and recovery plan.
- Disable external management capabilities and set up an out-of-band management (oobm) network.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ).
- Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.
- Ensure that you have dedicated management systems and accounts for system administrators. Protect these accounts with strict network policies.
- Enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions.
- Upon responding to a confirmed incident within the network, response teams should scrutinize the network infrastructure access, evaluate potential lateral movement to network infrastructure and implement corrective actions commensurate with their findings.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee. gotowebinar. com/register/3702558539639477516
Comments