In an advisory, the NSA informed of targeted attacks by Chinese state-sponsored hackers. Twenty-five publicly disclosed vulnerabilities are being exploited to gain access to networks, deploy malicious mobile apps, and spread laterally through a system while attackers steal sensitive data.
Exploit secure remote access: To gain access to networks, Chinese threat actors utilize seven different vulnerabilities, many of which also provide credentials that can be used to spread further on the network.
Exploit Mobile Device Management (MDM): By compromising MDM servers, threat actors can push out malicious mobile apps or change device configurations that send traffic through attacker-controlled proxy servers or hosts.
Exploit Active Directory for Lateral Movement and Credential Access:
Exploit public-facing servers: Attackers use these vulnerabilities to bypass authentication in web servers, email servers, or DNS to remotely execute commands on the internal network. For compromised web servers, attackers can utilize them in watering-hole attacks to target future visitors.
Exploit internal servers: These vulnerabilities are used to spread laterally throughout a network and gain access to internal servers, where the attackers can steal valuable data.
Exploit user work workstations for local privilege escalation: When an attacker gains access to a workstation, their ultimate goal is to gain administrative credentials or privileges. Using these vulnerabilities, a hacker can elevate their privileges to SYSTEM or administrator access.
Exploit network devices: This final bucket of vulnerabilities allows attackers to monitor and modify network traffic as it flows over the device.