

Rewterz Threat Alert – GAMAREDON APT Introduces New Variants
October 21, 2020
Rewterz Threat Alert – Iranian Cyberattack Group Deploys New PowGoop Downloader
October 22, 2020
Severity
High
Analysis Summary
In an advisory, the NSA informed of targeted attacks by Chinese state-sponsored hackers. Twenty-five publicly disclosed vulnerabilities are being exploited to gain access to networks, deploy malicious mobile apps, and spread laterally through a system while attackers steal sensitive data.
Exploit secure remote access: To gain access to networks, Chinese threat actors utilize seven different vulnerabilities, many of which also provide credentials that can be used to spread further on the network.
- CVE-2019-11510 – A Pulse Secure VPN vulnerability that allows an unauthenticated attacker to gain access to VPN credentials.
- CVE-2020-5902 – An F5 BIG-IP proxy/load balancer remote code execution vulnerability.
- CVE-2019-19781 – A Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability, which can lead to remote code execution without credentials.
- CVE-2020-8193 – Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP vulnerability allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.
- CVE-2020-8195 and CVE-2020-8196 – Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP vulnerability allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.
- CVE-2019-0708 – The Windows BlueKeep Remote Desktop Service vulnerability allows unauthenticated users to perform remote code execution.
Exploit Mobile Device Management (MDM): By compromising MDM servers, threat actors can push out malicious mobile apps or change device configurations that send traffic through attacker-controlled proxy servers or hosts.
- CVE-2020-15505 – A remote code execution vulnerability in MobileIron mobile device management (MDM) software.
Exploit Active Directory for Lateral Movement and Credential Access:
- CVE-2020-1472 – The critical 10/10 Windows ZeroLogon Netlogon elevation of privilege vulnerability allows threat actors to quickly gain access to domain administrator credentials on a domain controller. From there, they can harvest sensitive data or deploy malware, such as ransomware.
- CVE-2019-1040 – A Windows NTLM vulnerability allows attackers to reduce the built-in security for the Windows operating system.
Exploit public-facing servers: Attackers use these vulnerabilities to bypass authentication in web servers, email servers, or DNS to remotely execute commands on the internal network. For compromised web servers, attackers can utilize them in watering-hole attacks to target future visitors.
- CVE-2020-1350 – The Windows DNS server SigRed vulnerability allows attackers to spread laterally through a network.
- CVE-2018-6789 – An Exim mail server vulnerability allows unauthenticated, remote code execution.
- CVE-2018-4939 – An Adobe ColdFusion vulnerability that could lead to arbitrary code execution.
Exploit internal servers: These vulnerabilities are used to spread laterally throughout a network and gain access to internal servers, where the attackers can steal valuable data.
- CVE-2020-0688 – A Microsoft Exchange vulnerability that allows authenticated users to perform remote code execution.
- CVE-2015-4852 – The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object.
- CVE-2020-2555 – A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware.
- CVE-2019-3396 – A server-side template injection vulnerability is present in the Widget Connector in Atlassian Confluence servers that allows remote attackers to perform remote code execution and path traversal.
- CVE-2019-11580 – Attackers who can send requests to an Atlassian® Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, permitting remote code execution. This vulnerability was used in GandCrab ransomware attacks in the past.
- CVE-2020-10189 – A Zoho ManageEngine Desktop Central vulnerability allows remote code execution. This bug was used in attacks to deploy backdoors.
- CVE-2019-18935 – A vulnerability in Telerik UI for ASP.NET AJAX can lead to remote code execution. It was seen used by a hacker group named ‘Blue Mockingbird’ to install Monero miners on vulnerable servers but could be used to spread laterally as well.
Exploit user workstations for local privilege escalation: When an attacker gains access to a workstation, their ultimate goal is to gain administrative credentials or privileges. Using these vulnerabilities, a hacker can elevate their privileges to SYSTEM or administrator access.
- CVE-2020-0601 – A Windows CryptoAPI Spoofing vulnerability discovered by the NSA allows attackers to spoof code-signing certificates to make malicious executables appear to be signed by a legitimate trusted company.
- CVE-2019-0803 – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.
Exploit network devices: This final bucket of vulnerabilities allows attackers to monitor and modify network traffic as it flows over the device.
- CVE-2017-6327 – The Symantec Messaging Gateway can encounter a remote code execution issue.
- CVE-2020-3118 – A Cisco ‘CDPwn’ vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow remote code execution.
- CVE-2020-8515 – DrayTek Vigor devices enable remote code execution as root (without authentication) via shell metacharacters.
As Chinese state-sponsored hackers have been seen utilizing a combination of these vulnerabilities, it is strongly advised that all administrators patch them as soon as possible.
Impact
- Unauthorized Access
- Information Theft
- Remote Code Execution
- Privilege Escalation
Remediation
- Make sure all assets are protected against the vulnerabilities listed in this advisory.
- Keep all systems and software updated to the latest patched versions.