Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

10/27/2020 05:10 PM

Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows

Following the NSA's list of 25 security flaws often weaponized by Chinese attackers, researchers evaluated how they're used around the world.

The 25 vulnerabilities most commonly scanned for and targeted by Chinese nation-state attackers were exploited seven times more often than other flaws in the past six months, researchers report in their analysis of a list published by the US National Security Agency (NSA).

NSA officials released a cybersecurity advisory detailing vulnerabilities most frequently used in Chinese state-sponsored cyber activity, which they consider "one of the greatest threats" to US National Security Systems, US Defense Industrial Base, and Department of Defense information networks. This activity often employs a range of tactics to target networks for sensitive intellectual property and economic, political, and military data.

Most of the flaws on its list can be exploited to gain access to victim networks using products that are directly accessible from the Internet and can act as gateways into internal networks. Many of the products are popular; many are used for remote access or external Web services.

Check Point researchers, curious about the global impact of these vulnerabilities, turned to their threat intelligence tools to evaluate how the flaws are being weaponized. Their data shows attacks targeted 161 countries around the world, primarily the US (500,000+ attacks) but also Germany, the United Kingdom, Indonesia, and the Netherlands.

"Following the NSA report, we wanted to see what's going on worldwide on attacks targeting those vulnerabilities, as those are on high-profile products, such as Microsoft, Adobe, and the majority of them may have severe impact," says Adi Ikan, group manager for Check Point's network research and protection team.

Attacks were also seen across industries. Government and military targets were most common in attacks using these vulnerabilities, followed by retail/wholesale, manufacturing, and finance. In the US, nearly 30% of attacks targeted government and military victims, which researchers say is 31% more than in the rest of the world. Ikan notes government and military were also frequently targeted in Spain, Canada, and Denmark.

Three key reasons could explain the increased use of these flaws, he says. Some are easy to exploit — such as the remote code execution vulnerability in the Atlassian Confluence Server (CVE-2019-3396) — which increases the likelihood they'll be exploited more often. Flaws that cause severe impact are more attractive to attackers, as are vulnerabilities in high-profile tools that could boost the number of potentially affected systems.

Five flaws were exploited more often than the others. One was the critical DrayTek Vigor command injection vulnerability (CVE-2020-8515), which allows unauthenticated remote code execution on DrayTek Vigor VPN routers. The Microsoft Windows NTLM authentication bypass flaw (CVE-2019-1040) is a tampering vulnerability in Windows that lets a man-in-the-middle attacker bypass the NTLM Message Integrity Check (MIC) protection.

Check Point's top five also included CVE-2019-19781, a bug in Citrix Application Delivery Controller and Gateway that allows directory traversal and can lead to remote code execution without credentials. An unauthenticated remote attacker could exploit the Pulse Secure VPN flaw CVE-2019-11510 to read arbitrary files and expose keys or passwords. A critical remote code execution flaw in F5 BIG-IP proxy/load balancer devices (CVE-2020-5902) could let an attacker with access to the Traffic Management User Interface execute commands.
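Because several of the flaws above are reached through path handling on Internet-facing devices, a defender's first check is often the web access log. The following is an added example, not code from the article or from Check Point: it applies the decode-then-match logic of Citrix's public mitigation guidance for CVE-2019-19781 (a decoded URL containing both "/vpns/" and "/../") and, more generally, flags any request whose path uses ".." to move out of the directory it started in. The log format and sample lines are constructed for illustration.

```python
"""Flag directory-traversal probes in web access-log lines.

Added example (not from the article). Sample log lines, the log regex, and
the function names are constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

# Common-log-style line: client ip, two ignored fields, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: two CVE-2019-19781-style probes (one URL-encoded),
# one benign request, and one generic traversal attempt against another path.
SAMPLE_LINES = [
    '203.0.113.5 - - [27/Oct/2020:10:00:01 +0000] "GET /vpn/../vpns/x HTTP/1.1" 200',
    '203.0.113.5 - - [27/Oct/2020:10:00:02 +0000] "POST /vpn/%2e%2e/vpns/y HTTP/1.1" 200',
    '198.51.100.7 - - [27/Oct/2020:10:00:03 +0000] "GET /index.html HTTP/1.1" 200',
    '198.51.100.7 - - [27/Oct/2020:10:00:04 +0000] "GET /static/../admin/ HTTP/1.1" 403',
]


def decoded_path(raw_path: str) -> str:
    """Strip the query string and URL-decode twice so double encoding is not a bypass."""
    return unquote(unquote(raw_path.split("?", 1)[0]))


def is_traversal(raw_path: str) -> bool:
    """True when the decoded path contains a '..' segment that changes it on normalization."""
    path = decoded_path(raw_path)
    if "/../" not in path + "/":          # trailing "/" catches a path that ends in "/.."
        return False
    return posixpath.normpath(path) != path


def is_citrix_probe(raw_path: str) -> bool:
    """The CVE-2019-19781 pattern from Citrix's mitigation guidance: '/vpns/' plus '/../'."""
    path = decoded_path(raw_path)
    return "/vpns/" in path and "/../" in path


def scan(lines):
    """Return (client_ip, raw_path, label) for every line that looks like a traversal probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # unparseable line: skip rather than guess
        path = m.group("path")
        if is_traversal(path):
            label = "CVE-2019-19781-style" if is_citrix_probe(path) else "traversal"
            hits.append((m.group("ip"), path, label))
    return hits
```

Run `scan(SAMPLE_LINES)` to see the three flagged requests; on a real device, a hit on the "/vpns/" pattern from before the patch date is a signal to rotate credentials and review accounts, as the NSA guidance below recommends.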

If You Aren't Patching, You Should Be
NSA officials urge public and private organizations to patch these vulnerabilities immediately.

"NSA recommends that critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage," the advisory states. All network defenders are urged to take action.

Organizations should expect that credentials, accounts, software, and other data stolen or modified before a device was patched won't be fixed by patching; therefore, password changes and account reviews should be regular. The NSA also advises disabling external management capabilities and setting up an out-of-band management network to mitigate risk, as well as blocking unused protocols at the network edge and disabling them in device configurations.

While these attacks can cause major damage and businesses are advised to apply these patches as quickly as possible, Ikan acknowledges it's not always easy for organizations to stay updated with security fixes.

"[A] potential challenge that organizations may face when patching is related to the operational side," he says. "It may require significant efforts and operation to patch all systems as ongoing efforts, especially in cases like patching all the computers within the organization."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
lancop, User Rank: Moderator
10/28/2020 | 11:21:48 AM
Thanks for this article.
Thanks for the heads-up on the NSA list of 25 security flaws most often exploited by Chinese hackers. It is very helpful to see at a glance what CVEs are globally hot and therefore top of the list for remediation. Really appreciate your article.