CISA Says Chinese Cyberattackers Are Targeting US Telcos
CISA, FBI and NSA Detail TTPs, Top Exploited Flaws, Mitigation Measures
Chinese state-sponsored threat actors are exploiting known vulnerabilities to target public and private companies in the United States, the U.S. Cybersecurity and Infrastructure Security Agency says.
A related joint advisory from CISA, the FBI and the National Security Agency discusses how cyberattackers have been compromising "major telecommunications companies and network service providers" since 2020. It describes their tactics, techniques and procedures; lists the top vulnerabilities, especially CVEs, in network devices that are regularly exploited; and offers recommended mitigations.
"ICYMI: Our latest joint advisory from @CISAgov, @FBI & @NSACyber serves as a stark reminder that China state-sponsored cyber actors continue to relentlessly target vulnerabilities worldwide. Learn about TTPs & steps you should take to mitigate your risk: https://t.co/4PC98B25eH"
— Jen Easterly (@CISAJen), June 8, 2022
Tactics, Techniques and Procedures
The attackers exploited vulnerabilities in unpatched network devices, the joint advisory says. "Network devices, such as small office/home office routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control traffic and act as midpoints to conduct network intrusions on other entities," it says.
In the past few years, several high-severity network device vulnerabilities have enabled the threat actors to access vulnerable infrastructure devices, according to the advisory, which says the flaws were "often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices."
The attackers also used publicly available exploits instead of their own malware on virtual private network services and other public-facing applications, the advisory says.
It says they accessed "hop points" or compromised servers from China-based IP addresses via multiple internet service providers for obfuscation purposes when they interacted with victims. According to the advisory, the threat actors lease these servers from hosting providers and use them to register and access operating email accounts and C2 domains and to contact victims.
To bypass defenses and remain undetected, the attackers monitor the victims' network accounts and modify their campaigns accordingly to avoid raising suspicion, the advisory says, adding that some have also modified their infrastructure and tool sets if those details get released to the public.
"PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network," the advisory says.
Open-Source Tools Used
The attackers use open-source tools, such as RouterSploit and RouterScan, to explore known vulnerabilities for exploitation, the joint advisory says. RouterSploit is a framework dedicated to embedded devices, while RouterScan scans IP addresses for vulnerabilities. They have previously been used to target SOHO routers and other routers manufactured by Cisco, Fortinet and MikroTik.
After the threat actors gain a foothold in the network, they look for the users and infrastructure that oversee the security of "authentication, authorization, and accounting," the advisory says.
"After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language database ... and utilized SQL commands to dump the credentials ..., which contained both cleartext and hashed passwords for user and administrative accounts," it says.
The attackers use these credentials to customize automated scripts that authenticate to routers via Secure Shell, execute router commands and save the output, the advisory says, adding that customized scripts have previously targeted Cisco and Juniper routers, saving the output of the executed commands for each router.
After the command output is captured, the collected configurations are moved off the network and onto the attackers' infrastructure. Additional scripting is believed to be used to automate exploitation of larger victim networks containing many routers and switches, gathering the large number of router configurations needed to manipulate traffic within the network.
Using access to credentials and accounts, the attackers establish a long-term foothold in the systems that allows them to exfiltrate traffic out of the compromised network.
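The behaviour the advisory describes (one set of credentials pulling the running configuration from many routers in quick succession, from infrastructure outside the management network) is visible in command accounting if it is logged and monitored, which is also two of the mitigations CISA lists. The following detector is an added example, not code from the advisory or from any agency; it assumes a simplified, constructed command-accounting record format (timestamp, device, user, source IP, command) rather than any vendor's exact TACACS+ or syslog layout, and an assumed out-of-band management range of 10.10.0.0/24.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of command-accounting records in a hypothetical simplified
# format: timestamp, device, user, source IP, command. Real TACACS+/syslog
# accounting records carry more fields; only these five are needed here.
SAMPLE_LOG = """\
2022-06-06T10:00:01Z rtr-core-01 netops-a 10.10.0.5 show interfaces
2022-06-06T10:01:10Z rtr-edge-01 svc-backup 198.51.100.23 show running-config
2022-06-06T10:01:35Z rtr-edge-02 svc-backup 198.51.100.23 show running-config
2022-06-06T10:02:02Z rtr-edge-03 svc-backup 198.51.100.23 show running-config
2022-06-06T10:02:40Z sw-agg-01 svc-backup 198.51.100.23 show startup-config
2022-06-06T10:03:15Z rtr-edge-04 svc-backup 198.51.100.23 show configuration
2022-06-06T10:30:00Z rtr-core-01 netops-a 10.10.0.5 show running-config
2022-06-06T14:00:00Z rtr-core-02 netops-a 10.10.0.5 show running-config
"""

# Commands that dump a device's full configuration (Cisco IOS and Junos forms).
CONFIG_DUMP_COMMANDS = ("show running-config", "show startup-config", "show configuration")

# Assumed out-of-band management network; anything else is "off-net" management.
MGMT_NETWORKS = [ip_network("10.10.0.0/24")]


def parse_records(text):
    """Parse the constructed accounting format into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, user, src, cmd = line.split(" ", 4)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device,
            "user": user,
            "src": ip_address(src),
            "cmd": cmd,
        })
    return records


def is_config_dump(cmd):
    c = cmd.strip().lower()
    return any(c.startswith(prefix) for prefix in CONFIG_DUMP_COMMANDS)


def from_management_net(addr):
    return any(addr in net for net in MGMT_NETWORKS)


def find_mass_config_collection(records, window=timedelta(minutes=10), min_devices=3):
    """Return one alert per user whose config-dump commands reach at least
    `min_devices` distinct devices inside any `window`-long interval.

    Each alert records the devices touched, the source IPs used and whether
    every source sat inside the management network, so an analyst can tell
    a legitimate backup job from collection over the internet at a glance.
    """
    by_user = defaultdict(list)
    for r in records:
        if is_config_dump(r["cmd"]):
            by_user[r["user"]].append(r)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            devices = sorted({e["device"] for e in in_window})
            if len(devices) >= min_devices:
                alerts.append({
                    "user": user,
                    "window_start": start["ts"].isoformat(),
                    "devices": devices,
                    "sources": sorted({str(e["src"]) for e in in_window}),
                    "from_mgmt_net": all(from_management_net(e["src"]) for e in in_window),
                })
                break  # one alert per user is enough; avoid duplicates per sliding start
    return alerts


if __name__ == "__main__":
    for alert in find_mass_config_collection(parse_records(SAMPLE_LOG)):
        print(alert)
```

On the sample data the detector raises a single alert for svc-backup, which dumped five device configurations in about two minutes from 198.51.100.23, outside the assumed management range, while netops-a, whose two config dumps are hours apart and come from the management network, stays quiet. In production the thresholds should be tuned against the real backup schedule, and the records would come from the TACACS+ or syslog collector that mitigation "log internet-facing services and monitor them" implies.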
CISA, the FBI and the NSA have listed the following mitigation measures:
- Patch and update systems and products.
- Automate patch management processes.
- Isolate or remove compromised devices from the network.
- Segment the network to curb lateral movement by threat actors.
- Disable unnecessary network services, protocols, devices and ports.
- Use MFA for all users, including VPN connections.
- Advise and enforce complex password requirements.
- Back up data and maintain up-to-date incident response and recovery procedures.
- Disable external management capabilities and set up an out-of-band management network.
- Log internet-facing services and monitor them for signs of compromise.
China accounts for the most blocked requests, says Peter Lee, security engineer at Israeli network security company Cato Networks. He says, "Blocking requests from China isn't a substitute for properly securing your environment, but it's all about defender economics. By blocking requests from China, you force the attacker to use a slightly more expensive infrastructure."