The FBI, NSA and CISA coauthored a joint Cybersecurity Advisory detailing how People’s Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities to gain access to a broad network of compromised infrastructure.
The Cybersecurity Advisory was coauthored by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA). The advisory outlines top vulnerabilities in telecommunications companies and network service providers routinely targeted and exploited by bad actors since 2020.
“Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices,” CISA stated in the advisory.
“In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.”
The types of network devices commonly targeted include Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. Actors then use those compromised network devices as additional access points to route command and control (C2) traffic and conduct network intrusions on other targets.
“PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs),” CISA added.
Common CVEs
CISA provided a list of 16 routinely exploited network device common vulnerabilities and exposures (CVEs), including:
- CVE-2018-0171: Cisco IOS and IOS XE Software Remote Code Execution (CVSS 9.8)
- CVE-2019-15271: Cisco Small Business RV Series Routers RCE (CVSS 8.8)
- CVE-2019-1652: Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers RCE (CVSS 7.2)
- CVE-2019-19781: Citrix Application Delivery Controller (ADC) and Gateway RCE (CVSS 9.8)
- CVE-2020-8515: DrayTek RCE (CVSS 9.8)
- CVE-2019-16920: D-Link RCE (CVSS 9.8)
- CVE-2018-13382: Fortinet FortiOS and FortiProxy Authentication Bypass (CVSS 7.5)
- CVE-2018-14847: MikroTik RouterOS Authentication Bypass (CVSS 9.1)
- CVE-2017-6862: Netgear RCE (CVSS 9.8)
- CVE-2019-11510: Pulse Connect Secure (PCS) Authentication Bypass (CVSS 10.0)
- CVE-2021-22893: Pulse Connect Secure RCE (CVSS 10.0)
- CVE-2019-7192: QNAP Photo Station Privilege Elevation (CVSS 9.8)
- CVE-2019-7193: QNAP QTS Remote Injection (CVSS 8.8)
- CVE-2019-7194: QNAP Photo Station XML Routing Detour Attack (CVSS 9.8)
- CVE-2019-7195: QNAP Photo Station XML Routing Detour Attack (CVSS 9.8)
- CVE-2020-29583: Zyxel USG device Authentication Bypass (CVSS 9.8)
Security experts have repeatedly warned about exploits of these vulnerabilities for years as noted in the related articles below.
Related Articles
- Alert: Threat actors continue to exploit patched Pulse Secure VPN devices
- Alert: Attackers exploiting Pulse Connect Secure vulnerabilities (updated)
- Patch these 10 most commonly exploited vulnerabilities
- APT41 launches broad cyber campaign with multiple exploits
- 450K internet-connected QNAP devices exposed to RCE vulnerabilities
- High risk vulnerability in Zyxel firewalls and AP controllers exploited in the wild
- MikroTik router infections spread, cause surge in CoinHive
- APT actors exploit legacy internet-facing vulnerabilities in combination with Zerologon to target organizations