Third Party Risk Management, Critical Infrastructure Security, Cyber Warfare/Nation State Attacks
CISA, FBI, and NSA detail TTPs, major exploited flaws, mitigations
Prajeet Nair (@prajeetspeaks) •
June 8, 2022
Chinese state-sponsored threat actors are exploiting known vulnerabilities to target public and private companies in the United States, according to the US Cybersecurity and Infrastructure Security Agency.
A related joint advisory from CISA, the FBI, and the National Security Agency explains how cyberattackers have been compromising “major telecommunications companies and network service providers” since 2020. It outlines their tactics, techniques, and procedures; lists top vulnerabilities, especially CVEs, in network devices that are regularly exploited; and offers recommended mitigation measures.
ICYMI: Our latest joint notice from @CISAgov, @FBI & @NSACyber is a stark reminder that Chinese state-sponsored cyber actors continue to relentlessly target vulnerabilities around the world. Learn more about TTPs and steps to mitigate your risk: https://t.co/4PC98B25eH pic.twitter.com/aptbQq5TnY
— Jen Easterly (@CISAJen) June 8, 2022
Tactics, techniques and procedures
Attackers exploited vulnerabilities in unpatched network devices, the joint advisory states. “Network devices, such as small office/home office routers and network-attached storage (NAS) devices, serve as additional access points to route command and control traffic and act as intermediate points to conduct network intrusions of other entities,” the report said.
In recent years, several high-severity network device vulnerabilities have allowed threat actors to gain access to vulnerable infrastructure devices, according to the advisory, which states that these devices are “often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of internet-facing services and endpoint devices.”
The attackers also used publicly available exploits instead of their own malware on virtual private network services and other public applications, the advisory said.
It says they accessed “jump points” or compromised servers from China-based IP addresses through multiple internet service providers for obfuscation purposes when interacting with the victims. According to the notice, hackers rent these servers from web hosts and use them to register and access email accounts and C2 domains and to contact victims.
To bypass defenses and stay undetected, attackers monitor victims’ network accounts and modify their campaigns accordingly to avoid raising suspicion, the advisory said, adding that some have also modified their infrastructure and tools if these details are made public.
“PRC state-sponsored cyber actors often mix their custom toolset with publicly available tools, especially leveraging tools native to the network environment, to obfuscate their activity based on noise or normal network activity,” the notice reads.
Open source tools used
Attackers use open source tools, such as RouterSploit and RouterScan, to identify known vulnerabilities to exploit, the joint advisory said. RouterSploit is an exploitation framework dedicated to embedded devices, while RouterScan scans IP addresses for vulnerabilities. Both have been used to target SOHO routers and other routers made by Cisco, Fortinet and MikroTik.
Once threat actors enter the system, they target users and infrastructure that oversee the security of “authentication, authorization, and accounting,” the advisory states.
“After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, cyber actors obtained credentials to access the underlying Structured Query Language database … and used SQL commands to dump credentials…, which contained both plaintext and hashed passwords for user and administrator accounts,” it says.
Attackers use these credentials to customize automated scripts that can authenticate routers via Secure Shell, run router commands and log output, the advisory says, adding that custom scripts have previously targeted Cisco and Juniper routers recording the output of commands executed for each router.
The captured command output, including router configurations, is then transferred out of the network to the attackers’ infrastructure. It is believed that additional scripts are used to automate the exploitation of larger victim networks containing many routers and switches, gathering the large number of router configurations needed to manipulate traffic within the network.
By using access to credentials and accounts, attackers establish a long-term foothold in systems that allows them to exfiltrate traffic out of the compromised network.
CISA, the FBI, and the NSA have listed the following mitigations:
- Patch and update systems and products.
- Automate patch management processes.
- Isolate or remove compromised devices from the network.
- Segment the network to curb the lateral movement of threat actors.
- Disable unnecessary network services, protocols, devices and ports.
- Use MFA for all users, including VPN connections.
- Advise and enforce complex password requirements.
- Back up data and maintain up-to-date incident response and recovery procedures.
- Disable external management features and configure an out-of-band management network.
- Log services accessible on the Internet and monitor them for any signs of compromise.
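The advisory’s description of scripted SSH logins to routers that dump and exfiltrate configurations, together with the mitigations to use an out-of-band management network and to log and monitor exposed services, translates directly into two detections. The following is an added example written for this article, not code from CISA, the FBI, the NSA or the advisory itself. The syslog-like line format, the management subnet (`10.99.0.0/24`), the list of configuration-dump commands and the sample log lines are all constructed assumptions; a real deployment would map them onto the actual AAA and device logs in use.

```python
"""Detect router management-plane access from outside an out-of-band
management network, and bursts of configuration-dump commands across
many devices (the signature of a scripted configuration harvest).

Added example, not code from the advisory or the article. The log
format, the management subnet and the sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the only legitimate source of SSH management sessions is the
# out-of-band management network.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")

# Assumption: commands an operator rarely runs on many devices in quick
# succession, but which a configuration-harvesting script runs everywhere.
CONFIG_DUMP_CMDS = ("show running-config", "show configuration", "show startup-config")

# Constructed syslog-like lines: <timestamp> <device> <event> key=value...
SAMPLE_LOGS = """\
2022-06-08T10:00:01 rtr-core-01 SSH_LOGIN user=netops src=10.99.0.15
2022-06-08T10:00:09 rtr-core-01 CMD user=netops cmd="show ip interface brief"
2022-06-08T02:14:20 rtr-edge-03 SSH_LOGIN user=netops src=203.0.113.77
2022-06-08T02:14:21 rtr-edge-03 CMD user=netops cmd="show running-config"
2022-06-08T02:14:30 rtr-edge-04 SSH_LOGIN user=netops src=203.0.113.77
2022-06-08T02:14:31 rtr-edge-04 CMD user=netops cmd="show running-config"
2022-06-08T02:14:40 rtr-edge-05 SSH_LOGIN user=netops src=203.0.113.77
2022-06-08T02:14:41 rtr-edge-05 CMD user=netops cmd="show running-config"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<device>\S+) (?P<event>SSH_LOGIN|CMD) user=(?P<user>\S+)'
    r'(?: src=(?P<src>\S+))?(?: cmd="(?P<cmd>[^"]*)")?$'
)


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected shape
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def logins_outside_mgmt(events):
    """Return (device, user, src) for SSH logins not sourced from MGMT_NET."""
    hits = []
    for e in events:
        if e["event"] != "SSH_LOGIN" or not e["src"]:
            continue
        if ipaddress.ip_address(e["src"]) not in MGMT_NET:
            hits.append((e["device"], e["user"], e["src"]))
    return hits


def config_dump_bursts(events, window_seconds=300, min_devices=3):
    """Return {user: [devices]} for users who pulled full configurations from
    at least min_devices distinct devices within window_seconds."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "CMD" and e["cmd"] in CONFIG_DUMP_CMDS:
            per_user[e["user"]].append((e["ts"], e["device"]))
    flagged = {}
    for user, items in per_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            # devices touched in the window starting at this command
            devices = {dev for t, dev in items[i:]
                       if (t - t0).total_seconds() <= window_seconds}
            if len(devices) >= min_devices:
                flagged[user] = sorted(devices)
                break
    return flagged


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    for hit in logins_outside_mgmt(evts):
        print("management login from outside OOB network:", hit)
    for user, devs in config_dump_bursts(evts).items():
        print(f"config dump burst by {user}: {devs}")
```

On the constructed sample the first check flags the three logins from `203.0.113.77`, while the second flags `netops` for pulling running configurations from three edge routers within a minute; the legitimate session from `10.99.0.15` and its `show ip interface brief` trigger nothing. The burst threshold is deliberately separate from the source check because a stolen AAA credential used from inside the management network, as the advisory describes for compromised RADIUS accounts, would pass the first check and only be caught by the second.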
China has the most blocked requests, says Peter Lee, a security engineer at Israeli network security firm Cato Networks. He says, “Blocking requests from China is no substitute for properly securing your environment, but it is a matter of defender economics. By blocking requests from China, you force the attacker to use a slightly more expensive.”