The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks.
“Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” the agency noted.
The list of vulnerabilities exploited by Chinese hackers
The list is as follows:
- CVE-2019-11510 – affecting Pulse Secure VPNs
- CVE-2020-5902 – affecting F5 BIG-IP proxy / load balancer devices
- CVE-2019-19781 – affecting Citrix Application Delivery Controller (ADC) and Gateway
- CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 – affecting Citrix ADC, Citrix Gateway and Citrix SDWAN WAN-OP
- CVE-2019-0708 – affecting Microsoft Windows and Microsoft Windows Server Remote Desktop Services
- CVE-2020-15505 – affecting MobileIron mobile device management (MDM)
- CVE-2020-1350 – affecting Windows DNS (Domain Name System) Server
- CVE-2020-1472 – affecting Microsoft Windows Server
- CVE-2019-1040 – affecting Microsoft Windows and Microsoft Windows Server
- CVE-2018-6789 – affecting Exim mail transfer agent
- CVE-2020-0688 – affecting Microsoft Exchange Server
- CVE-2018-4939 – affecting Adobe ColdFusion
- CVE-2015-4852 – affecting Oracle WebLogic Server
- CVE-2020-2555 – affecting Oracle Coherence
- CVE-2019-3396 – affecting Atlassian Confluence
- CVE-2019-11580 – affecting Atlassian Crowd and Crowd Data Center
- CVE-2020-10189 – affecting Zoho ManageEngine Desktop Central
- CVE-2019-18935 – affecting Progress Telerik UI for ASP.NET AJAX
- CVE-2020-0601 – affecting Microsoft Windows and Microsoft Windows Server
- CVE-2019-0803 – affecting Microsoft Windows and Microsoft Windows Server
- CVE-2017-6327 – affecting Symantec Messaging Gateway
- CVE-2020-3118 – affecting Cisco IOS XR
- CVE-2020-8515 – affecting DrayTek Vigor devices
The vulnerability list they shared is likely not complete, as Chinese state-sponsored actors may also use other known and unknown vulnerabilities. All network defenders – but especially those securing critical systems in organizations on which US national security and defense depend – should treat patching these as a priority.
Mitigations are also available
If patching is not possible, the risk of exploitation for most of these can be lowered by implementing mitigations provided by the vendors. CISA also advises implementing general mitigations like:
- Disabling external management capabilities and setting up an out-of-band management network
- Blocking obsolete or unused protocols at the network edge and disabling them in device configurations
- Isolating Internet-facing services in a network DMZ to reduce the exposure of the internal network
- Enabling robust logging of Internet-facing services and monitoring the logs for signs of compromise
The agency also noted that patching alone does not address data that was stolen or modified before the patch was applied, and that changing passwords and reviewing accounts after patching is good practice.
Additional “most exploited vulnerabilities” lists
Earlier this year, CISA released a list of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals; the NSA and the Australian Signals Directorate released a list of web application vulnerabilities that are commonly exploited to install web shell malware; and Recorded Future published a list of the ten software vulnerabilities most exploited by cybercriminals in 2019.
Admins and network defenders are encouraged to peruse them and patch those flaws as well.