Chinese hackers found to be attacking the U.S. government through vulnerabilities in Microsoft Exchange Server and other products



On September 14, 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory on attacks carried out by hacking groups linked to China's Ministry of State Security. In addition to Microsoft Exchange Server, the hacking groups are exploiting vulnerabilities in Pulse Secure, Citrix VPN, and F5 Networks' BIG-IP product series to attack government agencies and private companies.

Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity | CISA
https://us-cert.cisa.gov/ncas/alerts/aa20-258a



Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs | Threatpost
https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/

Hackers Connected to China Have Compromised US Government Systems, CISA says --Nextgov
https://www.nextgov.com/cybersecurity/2020/09/hackers-connected-china-have-compromised-us-government-systems-cisa-says/168455/

US govt: China-sponsored hackers targeting Exchange, Citrix, F5 flaws
https://www.bleepingcomputer.com/news/security/us-govt-china-sponsored-hackers-targeting-exchange-citrix-f5-flaws/

According to the CISA advisory, the hacking groups first use the device search engine Shodan together with the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD) to find vulnerable devices.

The main targeted vulnerabilities confirmed by CISA are as follows.

CVE-2020-5902 (F5 BIG-IP)
CVE-2019-19781 (Citrix)
CVE-2019-11510 (Pulse Secure)
CVE-2020-0688 (Microsoft Exchange Server)

After gaining access to a network through one of these vulnerabilities, the hacking group uses the attack framework 'Cobalt Strike', the web shell 'China Chopper', and tools such as 'Mimikatz' to obtain administrator credentials and attempt to take full control of the network. CISA also reported that the group exploited the Microsoft Exchange Server vulnerability 'CVE-2020-0688' to collect emails from federal agencies' servers, and that some of these attempts to access organizational networks and data were successful.

'If a critical vulnerability is not patched, an attacker can succeed without having to develop custom malware or seek out previously undiscovered vulnerabilities,' CISA said, calling on government agencies and private companies to apply patches so that the above vulnerabilities cannot be exploited.



CISA also warns that, in addition to targeting device vulnerabilities, the hacking group attacks through other methods, including conventional spear phishing and brute-force attacks against weak credentials.

CISA's Terence Jackson also states that CISA's advice 'highlights the fact that organizations need to keep patch management up to date.' Jackson referred to a Check Point Research report (PDF file), which found that 80% of the attacks observed in the first half of 2020 exploited vulnerabilities registered in 2017 or earlier, and that at least 20% of them exploited vulnerabilities reported more than 7 years ago.

in Security, Posted by darkhorse_log