At a glance.
- US CISA advisory describes Chinese cyberespionage tactics, techniques, and procedures.
- Open source collection? The case of Zhenhua Data.
- Election security update.
US CISA advisory describes China's Ministry of State Security cyberespionage tactics, techniques, and procedures.
The US Cybersecurity and Infrastructure Security Agency has released an advisory on the activities of China’s Ministry of State Security and its associated agencies and contractors. These operations are characterized by collection of open-source intelligence and by the use of readily available exploits. The tactics, techniques, and procedures aren't particularly exotic, but they've proven effective.
The Ministry of State Security has tended to concentrate on recently disclosed vulnerabilities, hoping to catch organizations that have lagged in patching. Some of the vulnerabilities exploited include Microsoft Exchange Server (CVE-2020-0688), F5’s Big-IP remote takeover vulnerability (CVE-2020-5902), Pulse Secure VPN's remote code execution flaw (CVE-2019-11510), and Citrix VPN’s directory traversal problem (CVE-2019-19781).
The gap between disclosure and exploitation has fallen, and in many cases is now a matter of days. “CISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure,” the agency said. “This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors.”
The knowledge that intelligence services are watching and probing should lend urgency to patching. As CISA puts it, “Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks. If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.”
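The practical consequence of a disclosure-to-exploitation gap measured in days is that a defender needs to know, for every known-vulnerable asset, how long it has been a target. The script below is an added example written for this digest, not code from CISA or any vendor: it matches a small asset inventory against an advisory feed, computes days elapsed since each advisory was published, and flags anything outside a patching SLA. Only the CVE identifiers and product names are taken from the advisory summarized above; the hostnames, running versions, disclosure dates and "fixed version" numbers are constructed sample values, not the real ones.

```python
"""Exposure-window tracker: constructed example, not from CISA or the products' vendors."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    cve: str            # CVE identifier (from the CISA advisory)
    product: str        # affected product (short label, constructed)
    disclosed: date     # publication date of the fix (constructed sample value)
    fixed_version: str  # first non-vulnerable version (constructed placeholder)


@dataclass(frozen=True)
class Asset:
    host: str      # constructed hostname
    product: str   # same labels as Advisory.product
    version: str   # version currently running (constructed)


def version_key(v: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """An asset is exposed when it runs the affected product below the fixed version."""
    return asset.product == adv.product and version_key(asset.version) < version_key(adv.fixed_version)


def exposure_days(adv: Advisory, today: date) -> int:
    """Days since the fix became public, i.e. how long attackers have had a known target."""
    return max(0, (today - adv.disclosed).days)


def prioritize(assets: List[Asset], advisories: List[Advisory], today: date,
               sla_days: int = 7) -> List[Tuple[str, str, int, bool]]:
    """Return (host, cve, days_exposed, overdue) for every exposed asset, longest-exposed first.

    'overdue' is True when the asset has been exposed longer than the patching SLA."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if is_vulnerable(asset, adv):
                days = exposure_days(adv, today)
                findings.append((asset.host, adv.cve, days, days > sla_days))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


# Constructed advisory feed: CVE IDs are from the CISA advisory, everything else is made up.
ADVISORIES = [
    Advisory("CVE-2020-0688", "exchange", date(2020, 6, 1), "1.0.1"),
    Advisory("CVE-2020-5902", "bigip", date(2020, 7, 1), "2.0.0"),
    Advisory("CVE-2019-11510", "pulse", date(2020, 4, 20), "3.1.0"),
    Advisory("CVE-2019-19781", "citrix-adc", date(2020, 9, 12), "4.2.0"),
]

# Constructed inventory: two hosts are already at or above the fixed version.
ASSETS = [
    Asset("mail01", "exchange", "1.0.0"),
    Asset("lb01", "bigip", "2.0.0"),
    Asset("vpn01", "pulse", "3.0.2"),
    Asset("vpn02", "pulse", "3.1.0"),
    Asset("gw01", "citrix-adc", "4.1.0"),
]


def run_example(today: Optional[date] = None) -> List[Tuple[str, str, int, bool]]:
    """Evaluate the constructed inventory as of a fixed date so results are reproducible."""
    return prioritize(ASSETS, ADVISORIES, today or date(2020, 9, 15))


if __name__ == "__main__":
    for host, cve, days, overdue in run_example():
        print(f"{host:8} {cve:15} exposed {days:4d} days  {'OVERDUE' if overdue else 'within SLA'}")
```

With the sample data, vpn01 and mail01 are reported first as long overdue, while gw01 (disclosed three days before the evaluation date) is listed but still inside the seven-day window. The ordering, not the flag alone, is the point: with exploitation following disclosure within days, the host that has been exposed longest is the one most likely to already have been probed.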
Intelligence Community News has a useful, brief, general account of why open-source intelligence (OSINT) is valuable.
Zhenhua Data's collection may be marketing or it may be espionage, but it's not clear it's illegal.
Investigations into the database leaked from Zhenhua Data continue. The Guardian describes how Canberra-based Internet 2.0 was able to extract information from the (corrupted) files. Zhenhua maintains that there’s nothing particularly sinister about the database: essentially, it’s marketing data. The Australian government’s reaction to the incident has been subdued, but the Labor Party has called upon the Information Commissioner to open an investigation. Reaction from India’s government has been similarly low-key. Since the information was publicly available, the Economic Times reports, the government’s view is that in this case there’s no question of either surveillance or espionage.
US election security update: influence operations, but not much evidence of attempts to hack the vote itself.
CSO Magazine has an account of presentations on US election security delivered at last week’s Billington Cybersecurity Summit. The speakers, for the most part either Federal or state officials concerned with the conduct and security of November’s elections, said they’d seen and continue to see a great deal of influence operations, much of it emanating from Russia, but that there had been little to no evidence of direct compromise of the voting apparatus itself, of the devices and systems that record, transmit, and tally the vote.
Iran, for its part, has said that its mention in Microsoft's list last week of countries attempting to influence the US vote is "absurd." As reported by SecurityWeek, Tehran's denial is essentially a tu quoque (that is, yeah, well, you're in no position to talk, buddy): "The United States, which has for decades been meddling in the elections of other countries such as Iran, is in no place to make such absurd claims," a Foreign Ministry spokesman said, adding that Iran doesn't really care who's in the White House. It just wants the Americans to behave themselves.