Chinese State Actors Continue to Target US Government Devices

Having complete visibility into and control of your global external attack surface is a necessity — not least because Chinese state actors are actively targeting exposed devices in the U.S. The Cybersecurity & Infrastructure Security Agency just published a new advisory stating that Chinese Ministry of State Security-affiliated cyber actors are actively performing reconnaissance and exploitation of U.S. federal government networks. These attacks are focused on a variety of different industries and include “high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense.” 

The alert mentioned different techniques for reconnaissance and information-gathering and highlighted a number of Common Vulnerabilities and Exposures (CVE) related to F5 Big-IP devices (CVE-2020-5902), Citrix appliances (CVE-2019-19781), and Pulse Secure VPN servers (CVE-2019-11510). If your organization is using these devices, ensuring that you have identified and inventoried all of them is a critical first step. But finding all of these assets can be a difficult task. 

Using Expanse’s global scanning infrastructure, members of our Cyber Research Engineering team identified and inventoried a large number of these devices on the Internet over a 24-hour period as of September 15. Expanse found that 33,446 Citrix Netscaler devices, 152,242 F5 Big-IP devices, and 9,248 Pulse Secure devices were exposed on the Internet. If your organization is using any of these devices, it is essential to know how many you have and where they are to ensure proper mitigation of vulnerabilities, as all of them are being targeted by malicious state actors. Expanse commonly observes many of these devices in Global 2000 companies and in agencies of the U.S. and U.S.-allied governments.

The vulnerability in F5’s Big-IP is within its Traffic Management User Interface (TMUI) and allows remote code execution, file manipulation, and arbitrary command execution. Certain versions of the Citrix appliances are vulnerable to a directory traversal attack that could allow an unauthenticated attacker to perform arbitrary code execution. And vulnerable Pulse Secure appliances allow arbitrary file reading that could give access to an internal network. Chinese cyber actors were noted using open source tools such as Shodan and Censys to perform reconnaissance and identify these appliances on networks.   

A successful exploitation of any of these devices could leave a corporation or government agency vulnerable to many attacks. The CISA alert identified Chinese actors performing credential access dumping using Mimikatz, the use of coin miner protocols, and the collection and exfiltration of emails. The cyber actors used proxy networks such as Tor for command and control and exfiltration of data. 

Ensuring that every system is patched is more important than ever. CISA noted: “Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them.” Each of the appliances mentioned has a patch that addresses the CVEs cited in the alert. It is highly recommended that organizations mitigate these vulnerabilities as soon as possible and ensure they have an effective auditing and patch management program. Make sure you know your full external attack surface — including the device types we’ve discussed above — and have them locked down against potential intrusion.
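The two practical tasks this post asks of a defender, inventorying every exposed appliance of the three targeted product families and confirming each one carries the patch for its CVE, are easy to describe and easy to get wrong when the scanner's view and the internal asset register disagree. The script below is an added example (it is not Expanse's code, nor anything from the CISA alert): it reconciles a constructed external-scan export against a constructed asset register and reports appliances that are exposed but unmanaged, registered under a different product than what is actually exposed, or managed but lacking a patch record for the relevant CVE. The IP addresses, owners, product labels and patch records are all sample data; only the product families and CVE numbers come from the post.

```python
"""Reconcile an external scan export against an internal asset register.

Added example, not code from Expanse or CISA. Every host, owner and patch
record below is constructed sample data; the three product families and
their CVEs are the ones named in the advisory discussed above.
"""
import csv
import io
from collections import Counter

# Product families called out in the alert, keyed to the CVE each patch must cover.
TARGETED_PRODUCTS = {
    "f5-big-ip": "CVE-2020-5902",
    "citrix-netscaler": "CVE-2019-19781",
    "pulse-secure-vpn": "CVE-2019-11510",
}

# Constructed sample: what an external scanner reported (ip, fingerprinted product).
SCAN_EXPORT = """ip,product
203.0.113.10,f5-big-ip
203.0.113.11,citrix-netscaler
203.0.113.12,pulse-secure-vpn
203.0.113.13,f5-big-ip
203.0.113.14,web-server
203.0.113.15,citrix-netscaler
"""

# Constructed sample: the internal asset register. patched_cves is ';'-separated.
ASSET_REGISTER = """ip,owner,product,patched_cves
203.0.113.10,netops,f5-big-ip,CVE-2020-5902
203.0.113.11,netops,citrix-netscaler,
203.0.113.12,remote-access,pulse-secure-vpn,CVE-2019-11510
203.0.113.14,web,web-server,
203.0.113.15,web,web-server,
"""


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(scan_rows, register_rows):
    """Compare scan findings with the register for the targeted product families.

    Returns (unknown, mismatched, unpatched, counts):
      unknown    - exposed appliances with no register entry at all (unmanaged)
      mismatched - register entry exists but records a different product
      unpatched  - managed appliances whose register lacks the CVE's patch record
      counts     - exposed appliances per targeted product family
    """
    register = {row["ip"]: row for row in register_rows}
    unknown, mismatched, unpatched = [], [], []
    counts = Counter()

    for row in scan_rows:
        ip, product = row["ip"], row["product"]
        if product not in TARGETED_PRODUCTS:
            continue  # not one of the appliance families in scope here
        counts[product] += 1
        cve = TARGETED_PRODUCTS[product]

        entry = register.get(ip)
        if entry is None:
            unknown.append((ip, product, cve))
            continue
        if entry["product"] != product:
            # The register thinks something else lives here; treat as unverified.
            mismatched.append((ip, product, entry["product"], entry["owner"]))
            continue
        patched = {c.strip() for c in entry["patched_cves"].split(";") if c.strip()}
        if cve not in patched:
            unpatched.append((ip, product, cve, entry["owner"]))

    return unknown, mismatched, unpatched, counts


def print_report(unknown, mismatched, unpatched, counts):
    """Human-readable summary in priority order."""
    print("Exposed appliances by product:", dict(counts))
    for ip, product, cve in unknown:
        print(f"UNMANAGED  {ip} {product}: no register entry, verify patch for {cve}")
    for ip, seen, recorded, owner in mismatched:
        print(f"MISMATCH   {ip}: scanner sees {seen}, register says {recorded} (owner {owner})")
    for ip, product, cve, owner in unpatched:
        print(f"UNPATCHED  {ip} {product}: no record of {cve} patch (owner {owner})")


if __name__ == "__main__":
    print_report(*reconcile(parse_csv(SCAN_EXPORT), parse_csv(ASSET_REGISTER)))
```

In practice the two inputs would be the CSV exports of your external scanner and your CMDB; the point of the mismatch bucket is that a host the register describes as a plain web server but which the scanner fingerprints as a NetScaler is exactly the kind of asset that slips out of a patch program.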