Log4j and ProxyLogon among the main flaws exploited by Chinese threat groups


A list of top vulnerabilities exploited by Chinese state-sponsored groups, recently released by the US government, shows that sophisticated threat actors continue to rely unhindered on unpatched devices vulnerable to flaws that are sometimes several years old.

The advisory released by the US Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the NSA and FBI, shows the top CVEs used since 2020 by Chinese threat actors to gain initial access to sensitive networks, including well-known flaws like Log4j (CVE-2021-44228), ProxyLogon-related bugs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) and more.

“PRC [People’s Republic of China] State-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest,” according to Thursday’s notice. “NSA, CISA and FBI assess that PRC state-sponsored cyber actors have actively targeted US and allied networks as well as software and hardware companies to steal intellectual property and expand access to sensitive networks.”

Some of the most exploited flaws include an Atlassian Confluence flaw (CVE-2022-26134) that could allow an unauthenticated attacker to execute arbitrary code, a bug in Zoho’s ManageEngine ADSelfService Plus (CVE-2021-40539), and an F5 BIG-IP remote code execution flaw (CVE-2020-5902). While many of the popular flaws in the list were disclosed last year, several vulnerabilities date back three years, such as a critical arbitrary file disclosure vulnerability in Pulse Secure’s SSL VPN solution (CVE-2019-11510) and a Citrix ADC path traversal bug (CVE-2019-19781).


Satnam Narang, senior research engineer at Tenable, said the advisory shows that many state-sponsored threat actors (including those linked to China) continue to exploit legacy vulnerabilities to gain initial access to organizations. Patch management has been a pain point for businesses, and attackers are increasingly taking advantage of devices that haven’t been updated, according to a threat report published this week by Secureworks. The report found that exploiting vulnerabilities in internet-connected systems has become the most commonly observed initial access vector, signifying a marked change from 2021, when the dominant initial access vector was the use of stolen credentials.

“Known legacy vulnerabilities are usually exploited by threat actors of all types, from mid-level cybercriminals, initial access brokers, ransomware affiliates to advanced persistent threat actors,” Narang said. “The barrier to entry to exploit these flaws is low, as there is a plethora of public proof-of-concept exploits readily available. Add to that the fact that many of these flaws remain unpatched across the globe and these threat actors have found the recipe for success.”

The continued presence of multiple vulnerabilities in this most recent advisory shows how challenging patching remains, Narang said, noting that three of the flaws listed in it (CVE-2019-11510, CVE-2019-19781 and CVE-2020-5902) were also listed in an NSA advisory published in October 2020 on CVEs exploited by Chinese state-sponsored actors.

“While it might seem like patching is really easy, most of the time it’s not that easy, especially when critical business functions depend on some apps staying online and some companies just can’t afford the downtime associated with patches,” Narang said. “That said, resolving these vulnerabilities is vital to an organization’s overall security posture, so saving time is essential.”
