US Government issues a Joint Advisory on vulnerabilities currently being targeted by Chinese intelligence services.
Top CVEs exploited by China.
The US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) have issued a joint advisory on the top vulnerabilities being targeted by Chinese state-sponsored threat actors. These include CVE-2021-44228 in Apache Log4j, CVE-2019-11510 in Pulse Connect Secure, CVE-2021-22205 affecting GitLab, CVE-2022-26134 in Atlassian Confluence Server and Data Center, and CVE-2021-26855 in Microsoft Exchange Server.
The full list of vulnerabilities, including recommended mitigations, can be found in the report. Most of the CVEs can be addressed by applying patches or updating to the latest version, and the alert also offers advice on configuring certain products to mitigate risk. It’s working-level advice. It won’t hold the interest of political scientists and international relations experts interested in Beijing’s goals, motives, and policies, but there’s more than enough there to keep CISOs, SOCs, IT personnel, and the C-suites and boards they work for informed and busy. Reading it will well repay their time.
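The advisory's practical value is as an input to a patching queue: which of the listed CVEs are present in your estate, on which hosts, and in what order to fix them. The script below is an added example, not code from the advisory or the article, that takes a constructed scanner export (host names, exposure labels and patch status are all invented sample data) and ranks open findings against the CVEs the article names, with internet-facing systems first and internal ones immediately after, since the advisory's point is that internal exposure also matters.

```python
"""Rank remediation of the advisory's CVEs against an asset inventory.

Added example, not part of the advisory or the article. The CVE identifiers
and affected products are the ones named in the article; every host name,
exposure label and patch status below is constructed sample data.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# CVEs named in the article, mapped to the product the article attributes them to.
ADVISORY_CVES = {
    "CVE-2021-44228": "Apache Log4j",
    "CVE-2019-11510": "Pulse Connect Secure",
    "CVE-2021-22205": "GitLab",
    "CVE-2022-26134": "Atlassian Confluence Server and Data Center",
    "CVE-2021-26855": "Microsoft Exchange Server",
}

# Constructed scanner export, one finding per row. "exposure" is a hypothetical
# inventory field ("internet" or "internal"); CVE-0000-0000 is a placeholder for
# a finding that is not in the advisory at all.
SAMPLE_FINDINGS = """\
host,product,cve,exposure,patched
vpn-edge-01,Pulse Connect Secure,CVE-2019-11510,internet,no
mail-01,Microsoft Exchange Server,CVE-2021-26855,internet,yes
wiki-01,Atlassian Confluence Server and Data Center,CVE-2022-26134,internal,no
git-01,GitLab,CVE-2021-22205,internal,no
app-07,Apache Log4j,CVE-2021-44228,internal,no
build-03,Jenkins,CVE-0000-0000,internal,no
"""


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    cve: str
    exposure: str
    patched: bool


def parse_findings(text: str) -> list[Finding]:
    """Parse the CSV export into Finding records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Finding(
            host=r["host"].strip(),
            product=r["product"].strip(),
            cve=r["cve"].strip().upper(),
            exposure=r["exposure"].strip().lower(),
            patched=r["patched"].strip().lower() == "yes",
        )
        for r in rows
    ]


def priority(f: Finding) -> int:
    """Lower is more urgent.

    0: unpatched advisory CVE on an internet-facing host
    1: unpatched advisory CVE on an internal host (lateral-movement risk)
    3: already patched, or not one of the advisory's CVEs
    """
    if f.cve not in ADVISORY_CVES or f.patched:
        return 3
    return 0 if f.exposure == "internet" else 1


def remediation_queue(findings: list[Finding]) -> list[Finding]:
    """Open advisory findings, most urgent first, ties broken by host name."""
    open_items = [f for f in findings if priority(f) < 3]
    return sorted(open_items, key=lambda f: (priority(f), f.host))


def product_mismatches(findings: list[Finding]) -> list[Finding]:
    """Findings whose CVE is in the advisory but whose product does not match
    the one the advisory lists; these deserve a manual look before patching."""
    return [
        f for f in findings
        if f.cve in ADVISORY_CVES and f.product != ADVISORY_CVES[f.cve]
    ]


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_FINDINGS)
    for item in remediation_queue(findings):
        print(f"P{priority(item)} {item.host:12} {item.cve} ({item.product})")
    for item in product_mismatches(findings):
        print(f"CHECK {item.host}: {item.cve} reported against {item.product}")
```

Run stand-alone it prints the queue with the VPN appliance first, then the three internal hosts; the patched Exchange server and the non-advisory Jenkins finding are omitted. Swapping `SAMPLE_FINDINGS` for a real scanner export is the only change needed to use it on a live inventory.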
Advice from industry: pay attention to the basics.
Simon Kun, Security Automation Architect at Swimlane, on Thursday offered the following comments on the advisory:
“Today’s joint advisory released by the National Security Agency (NSA), Cybersecurity and Infrastructure Agency (CISA), and Federal Bureau of Investigation (FBI) is the latest reminder of the risk posed to U.S. and allied networks by malicious cyber actors seeking to exploit vulnerabilities and steal intellectual property.
“Unfortunately, both nation-states and criminal groups continue to take advantage of vulnerable critical infrastructure operations by targeting weaknesses. While this guidance is a step in the right direction to help organizations take actionable measures against specific threat actors, it unfortunately also seems to demonstrate a lagging patch cycle and how even large, known vulnerabilities are not being addressed and patched accordingly.
“As People’s Republic of China’s state-sponsored cyber actors continue to threaten these essential assets, companies must reevaluate their cybersecurity posture in order to remain secure. Implementing multi-faceted cybersecurity systems that automate detection, response and investigation protocols and allow for complete visibility into IT ecosystems with the ability to comprehend and thwart malicious threats in real time, before cybercriminals are able to take over, are essential in the fight. By automating and centralizing security processes using low-code automation that is ultimately stored in a system-of-record, IT teams are granted full monitoring capabilities, ultimately ensuring that critical day-to-day processes remain undisturbed.”
Many of these vulnerabilities, KnowBe4's Erich Kron writes, have been known for some time. They're not novel, and for the most part they've been adequately patched. “Many of the vulnerabilities have been known and labeled as critical for months or even years; however, our adversaries are still able to find and exploit the unpatched systems," he points out. "This highlights the need for organizations, especially those likely to be targeted by nation-states, to have a robust and active vulnerability management and patching program in place. This should apply to internal systems as well as those that are internet connected, as bad actors often exploit vulnerable systems within networks to elevate privileges or move around within the network."