Top CVEs targeted by PRC state-sponsored cyber actors

The FBI, NSA and CISA coauthored a joint Cybersecurity Advisory detailing how People’s Republic of China (PRC) state-sponsored cyber actors continue to exploit common, publicly known vulnerabilities used since 2020 to “actively target U.S. and allied networks.”

“PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks,” CISA noted in the alert.

“PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques—some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations,” CISA added.

According to the joint cybersecurity alert, the following 20 CVEs are the ones most frequently exploited by these actors (listed in order of CVE number):

  1. CVE-2019-11510: Pulse Connect Secure Arbitrary File Read
  2. CVE-2019-19781: Citrix ADC and Gateway Path Traversal
  3. CVE-2020-5902: F5 Big-IP Remote Code Execution
  4. CVE-2021-1497: Cisco Hyperflex Command Line Execution
  5. CVE-2021-20090: Buffalo WSR Relative Path Traversal
  6. CVE-2021-22005: VMware vCenter Server Arbitrary File Upload
  7. CVE-2021-22205: GitLab CE/EE Remote Code Execution
  8. CVE-2021-26084: Atlassian Confluence Server and Data Center Remote Code Execution
  9. CVE-2021-26855: Microsoft Exchange Server Remote Code Execution
  10. CVE-2021-26857: Microsoft Exchange Server Remote Code Execution
  11. CVE-2021-26858: Microsoft Exchange Server Remote Code Execution
  12. CVE-2021-27065: Microsoft Exchange Server Remote Code Execution
  13. CVE-2021-36260: Hikvision Webserver Command Injection
  14. CVE-2021-40539: ZOHO Remote Code Execution
  15. CVE-2021-41773: Apache HTTP Server Path Traversal
  16. CVE-2021-42237: Sitecore XP Remote Code Execution
  17. CVE-2021-44228: Apache Log4j Remote Code Execution
  18. CVE-2022-1388: F5 Big-IP Remote Code Execution
  19. CVE-2022-24112: Apache Authentication Bypass by Spoofing
  20. CVE-2022-26134: Atlassian Remote Code Execution

Below is a summary of a few of the more recent and well-known of these vulnerabilities that we have written about since last year.

Exchange Server (“ProxyLogon”)

On March 2, 2021, Microsoft announced that it had detected zero-day exploits in the wild and quickly released emergency out-of-band security updates to fix multiple Critical “ProxyLogon” vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) affecting Microsoft Exchange Server 2013, 2016 and 2019.

Of special note, security experts warned that CVE-2021-26855 can “allow an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server.”

Nearly two weeks later, cybersecurity experts warned that exploitation attempts against organizations worldwide had grown ten-fold since the Microsoft Exchange Server zero-day vulnerabilities were first revealed.

Apache Log4j (“Log4Shell”)

In September 2021, researchers discovered a Critical 0-day vulnerability (CVE-2021-44228) in the Apache Log4j logging utility that can result in remote code execution (RCE) when a certain string is logged.

Moreover, researchers from LunaSec warned that the vulnerability, which they dubbed “Log4Shell,” is quite easy to exploit in the wild.

“Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.”

LunaSec also warned at the time that “many, many services are vulnerable to this exploit,” such as Steam and Apple cloud services, as well as Minecraft and Apache Struts apps. They added that similar vulnerabilities had been exploited before, such as in the infamous 2017 Equifax data breach.

Attackers have also used Log4Shell in cyberattacks as recently as this year, including campaigns by the Deep Panda APT and Aquatic Panda, and attacks on Java applications.
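Because the advisory only says that logging a certain string triggers the bug, the first question for a defender is usually which Log4j builds are sitting on disk and whether they still carry the JNDI lookup. The Python below is an added example, not code from the advisory, from LunaSec or from the Apache project; it assumes the published layout of log4j-core jars (the class path org/apache/logging/log4j/core/lookup/JndiLookup.class, which Apache's own mitigation guidance told administrators to delete from the jar where an upgrade was not immediately possible) and treats 2.17.1 as the version threshold below which an update is still due. The jars it scans are constructed in a temporary directory purely for the demonstration.

```python
"""Scan a directory tree for Log4j 2 core jars that still carry the JNDI lookup
class or predate the fixed release. Added example; the sample jars are constructed."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Class behind the JNDI lookup; Apache's mitigation guidance was to remove it
# from log4j-core jars when upgrading was not immediately possible.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# 2.15.0 was the first release addressing CVE-2021-44228; 2.16.0, 2.17.0 and
# 2.17.1 closed follow-up issues, so anything older than 2.17.1 still needs an update.
FIXED_VERSION = (2, 17, 1)


@dataclass
class Finding:
    path: str
    version: Optional[Tuple[int, ...]]
    has_jndi_lookup: bool

    @property
    def status(self) -> str:
        """ok / vulnerable / mitigated (old build, lookup class removed) / unknown."""
        if self.version is None:
            return "unknown"          # cannot read the manifest: verify by hand
        if self.version >= FIXED_VERSION:
            return "ok"               # lookup class may exist but JNDI is disabled by default
        return "vulnerable" if self.has_jndi_lookup else "mitigated"


def parse_version(manifest: str) -> Optional[Tuple[int, ...]]:
    """Pull Implementation-Version out of a MANIFEST.MF; None if absent."""
    m = re.search(r"^Implementation-Version:\s*([0-9][0-9.]*)", manifest, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).rstrip(".").split("."))


def inspect_jar(path: str) -> Optional[Finding]:
    """Return a Finding for log4j-core jars; None for jars that are not Log4j 2 core."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if not any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            return None
        version = None
        if "META-INF/MANIFEST.MF" in names:
            version = parse_version(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        return Finding(path, version, JNDI_LOOKUP_CLASS in names)


def scan_tree(root: str) -> List[Finding]:
    """Walk root and inspect every .jar. Jars nested inside war/ear files are out of scope."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                found = inspect_jar(os.path.join(dirpath, f))
                if found:
                    findings.append(found)
    return sorted(findings, key=lambda x: x.path)


def build_sample_jar(path: str, version: str, include_jndi: bool) -> None:
    """Write a minimal constructed jar mimicking log4j-core's layout (not a real build)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def run_demo() -> List[Tuple[str, str]]:
    """Populate a temp dir with constructed jars, scan it, return (file name, status) pairs."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        build_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
        build_sample_jar(os.path.join(lib, "log4j-core-2.14.1-patched.jar"), "2.14.1", False)
        build_sample_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", True)
        with zipfile.ZipFile(os.path.join(lib, "other.jar"), "w") as zf:  # unrelated jar
            zf.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")
        return [(os.path.basename(f.path), f.status) for f in scan_tree(root)]


if __name__ == "__main__":
    for name, status in run_demo():
        print(f"{name}: {status}")
```

Pointing scan_tree at a real application directory gives the same report for the jars found there; a "mitigated" result means the lookup class was stripped from an old build, which closes the logging trigger but still leaves an outdated library that should be upgraded.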

F5 BIG-IP

In May 2022, researchers discovered that unauthenticated attackers could exploit a Critical BIG-IP iControl REST vulnerability (CVE-2022-1388) to execute arbitrary system commands, create or delete files, or disable services on BIG-IP systems.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” F5 warned in its security advisory.

In an article posted by Threatpost, researcher Jacob Baines revealed that thousands of BIG-IP systems appeared to be exposed on the internet as recently as May 5, 2022.

Readers can check out related articles for more details on some of these exploited vulnerabilities.
