NSA, CISA, and the FBI revealed today the top security vulnerabilities most exploited by hackers backed by the People’s Republic of China (PRC) to target government and critical infrastructure networks.
The three federal agencies said in a joint advisory that Chinese-sponsored hackers are targeting U.S. and allied networks and tech companies to gain access to sensitive networks and steal intellectual property.
“NSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks,” the advisory says.
“This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).”
The advisory also bundles recommended mitigations for each of the security flaws most exploited by Chinese threat actors, as well as detection methods and vulnerable technologies to help defenders spot and block incoming attack attempts.
The following security vulnerabilities have been the most exploited by Chinese-backed state hackers since 2020, according to the NSA, CISA, and the FBI.
| Vendor | CVE | Vulnerability Type |
| --- | --- | --- |
| Apache Log4j | CVE-2021-44228 | Remote Code Execution |
| Pulse Connect Secure | CVE-2019-11510 | Arbitrary File Read |
| GitLab CE/EE | CVE-2021-22205 | Remote Code Execution |
| Atlassian | CVE-2022-26134 | Remote Code Execution |
| Microsoft Exchange | CVE-2021-26855 | Remote Code Execution |
| F5 Big-IP | CVE-2020-5902 | Remote Code Execution |
| VMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload |
| Citrix ADC | CVE-2019-19781 | Path Traversal |
| Cisco Hyperflex | CVE-2021-1497 | Command Line Execution |
| Buffalo WSR | CVE-2021-20090 | Relative Path Traversal |
| Atlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution |
| Hikvision Webserver | CVE-2021-36260 | Command Injection |
| Sitecore XP | CVE-2021-42237 | Remote Code Execution |
| F5 Big-IP | CVE-2022-1388 | Remote Code Execution |
| Apache | CVE-2022-24112 | Authentication Bypass by Spoofing |
| ZOHO | CVE-2021-40539 | Remote Code Execution |
| Microsoft | CVE-2021-26857 | Remote Code Execution |
| Microsoft | CVE-2021-26858 | Remote Code Execution |
| Microsoft | CVE-2021-27065 | Remote Code Execution |
| Apache HTTP Server | CVE-2021-41773 | Path Traversal |
Mitigation measures
NSA, CISA, and FBI also urged U.S. and allied governments, critical infrastructure operators, and private sector organizations to apply the following mitigation measures to defend against Chinese-sponsored cyber-attacks.
The three federal agencies advise organizations to apply security patches as soon as possible, use phishing-resistant multi-factor authentication (MFA) whenever possible, and replace end-of-life network infrastructure no longer receiving security patches.
They also recommend moving towards the Zero Trust security model and enabling robust logging on internet-exposed services to detect attack attempts as soon as possible.
Today’s joint advisory follows two others that shared information on tactics, techniques, and procedures (TTPs) used by Chinese-backed threat groups (in 2021) and publicly known vulnerabilities they exploit in attacks (in 2020).
In June, they also revealed that Chinese state hackers had compromised major telecommunications companies and network service providers to steal credentials and harvest data.
On Tuesday, the U.S. Government also issued an alert about state-backed hackers stealing data from U.S. defense contractors using a custom CovalentStealer malware and the Impacket framework.