Posted on June 10, 2022 at 6:12 AM
Several US agencies have reported that Chinese state-backed threat actors targeted and infiltrated major telecommunications firms and network service providers to steal credentials. In a joint advisory, CISA, the FBI, and the NSA said the Chinese state-sponsored group exploited known flaws to breach a range of devices, from home office routers to large enterprise networks, harvesting data in the process.
These vulnerabilities are publicly known and have patches available, but some users have not applied them. The Chinese actors took advantage of those users’ inability or unwillingness to patch the bugs.
The Threat Actors Are Targeting Critical Infrastructure
Once a device is compromised, the hackers use it as part of their larger attack infrastructure, stealing information from the target and sending it to command-and-control servers the hackers operate. With that information in hand, the threat actors can carry out further attacks to breach more systems.
“Upon gaining an initial foothold into a telecommunications organization or network service provider,” the joint advisory explained, the Chinese state-sponsored threat actors have identified critical users and infrastructure, including systems vital to maintaining the security of accounting, authorization, and authentication.
The threat actors stole credentials to gain access to SQL databases, and used SQL commands to dump user and administrator credentials from critical Remote Authentication Dial-In User Service (RADIUS) servers.
The Hackers Capture Data And Send To Control Servers
Armed with valid credentials and accounts from the compromised RADIUS server, the threat actors returned to the network to inflict more damage, using that knowledge and access to authenticate to routers and execute router commands that surreptitiously route traffic.
The federal agencies noted that the threat actors can capture and steal data and send it to their control servers.
According to the three federal agencies, the vulnerabilities exploited are the network device CVEs most frequently exploited by Chinese state-sponsored threat actors, and the campaign has been going on for the past two years. The NSA added that the PRC has been exploiting these common vulnerabilities to gather details and information it can use in further hacking activity in the future.
As the Chinese threat actors exploit these bugs, they have set up a wide infrastructure that can help them to further compromise an even larger spectrum of private and public sector targets.
The FBI, CISA, and NSA further urged the US and allied governments, private industry organizations, and critical infrastructure operators to apply the mitigation measures that can help them minimize the risk of facing similar attacks on their networks.
Organizations Have Been Advised To Apply Patches
The federal agencies also advised organizations to apply security patches as soon as possible, to disable unnecessary protocols and ports that would help the threat actors gain a foothold on their networks, and to replace end-of-life network infrastructure that no longer receives security patches.
Additionally, they recommended that organizations segment their networks to block lateral movement attempts and enable robust logging on internet-exposed services so that intrusion attempts are detected quickly.
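The logging recommendation above, applied to the router-command activity described earlier, as an added example that is not part of the article or the advisory: a small Python checker that reads router syslog lines (the Cisco IOS-style message formats and the management subnet are assumptions, and the log lines are constructed) and flags configuration sessions from outside the management network as well as commands that steer traffic or weaken AAA.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed router syslog lines in Cisco IOS style (assumed format);
# not taken from the advisory or the article. The second session comes
# from outside the management subnet and reshapes traffic paths.
SAMPLE_LOG = """\
<189>Jun 10 06:01:12 edge-rtr1 123: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.5)
<189>Jun 10 06:01:40 edge-rtr1 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1
<189>Jun 10 06:03:02 edge-rtr1 125: %SYS-5-CONFIG_I: Configured from console by svc_radius on vty2 (198.51.100.77)
<189>Jun 10 06:03:10 edge-rtr1 126: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_radius  logged command:interface Tunnel99
<189>Jun 10 06:03:15 edge-rtr1 127: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_radius  logged command:ip route 10.50.0.0 255.255.0.0 Tunnel99
<189>Jun 10 06:03:20 edge-rtr1 128: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_radius  logged command:no aaa accounting commands 15 default
"""

# Management subnet from which configuration sessions are expected (assumed).
TRUSTED_MGMT = ipaddress.ip_network("10.20.0.0/24")

CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<src>[\d.]+)\)")
CFGLOG = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$")

# Commands that redirect traffic or weaken AAA/logging; rare outside planned change windows.
SUSPECT_CMDS = [re.compile(p) for p in (
    r"^ip route\b", r"^interface Tunnel", r"^monitor session\b",
    r"^no aaa\b", r"^no logging\b",
)]

@dataclass
class Alert:
    host: str
    user: str
    reason: str

def analyze(log: str, trusted=TRUSTED_MGMT) -> List[Alert]:
    """Flag config sessions from untrusted sources and traffic-steering or AAA-weakening commands."""
    alerts = []
    for line in log.splitlines():
        parts = line.split()  # PRI+month, day, time, hostname, seq, message...
        if len(parts) < 4:
            continue
        host = parts[3]
        m = CONFIG_I.search(line)
        if m and ipaddress.ip_address(m["src"]) not in trusted:
            alerts.append(Alert(host, m["user"], f"config session from untrusted source {m['src']}"))
            continue
        m = CFGLOG.search(line)
        if m and any(p.search(m["cmd"]) for p in SUSPECT_CMDS):
            alerts.append(Alert(host, m["user"], f"suspect command: {m['cmd']}"))
    return alerts
```

Feeding the constructed sample through `analyze` yields four alerts, all for the `svc_radius` session; routine changes from the management subnet are left alone.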
The joint advisory comes after the agencies shared information on the attack methods used by Chinese state-sponsored threat actors and the publicly known vulnerabilities the actors have exploited since 2020.
The report noted that the FBI, CISA, and NSA have observed increasingly sophisticated Chinese state-sponsored threat activity targeting U.S. educational, economic, political, and military organizations. The agencies said the trends they observed include the exploitation of public vulnerabilities and the acquisition of infrastructure and capabilities.
The Chinese state-sponsored actors usually scan targeted networks for critical vulnerabilities within days of their public disclosure. In several cases, the attackers exploited bugs in major products such as Microsoft products, F5 BIG-IP, and Pulse Secure.
On the acquisition of infrastructure and capabilities, the threat actors remain alert to the information security practices of the defender community. They take care to hide their activity by using commercial or common open-source penetration-testing tools and chains of virtual private servers (VPSs). The Chinese state-sponsored actors use these observed tactics and techniques to exploit computer networks and acquire sensitive intellectual property, as well as military, political, and economic information. The advisory therefore noted that organizations should improve their security practices and apply the necessary mitigations to keep the hackers out of their networks.