U.S cybersecurity and intelligence agencies have cautioned about Chinese-state-sponsored cyber actors exploiting network vulnerabilities to public and private sector organizations since at least 2020.
The prevalent intrusion campaigns exploit publicly known flaws in network devices like Small Office/Home Office (SOHO) routers, Network Attached Storage (NAS) devices routers, and Network Attached Storage (NAS) devices for gaining deeper access to victim networks.
The U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) said in a joint advisory that the actors used these vulnerable devices as route command-and-control (C2) traffic to hack target at scale
The attackers are known to use a combination of open-source and custom tools for reconnaissance and vulnerability to obscure and blend their activity besides shifting their tactics in response to public disclosures
The attackers are made easier by accessing vulnerable servers, which the agencies called hop points from China-based IP addresses. These servers are used to host C2 domains and email accounts, and to communicate with the target networks.
“Cyber actors use these hop points as an obfuscation technique when interacting with victim networks,” the agencies noted, detailing the adversary’s pattern of weaponizing flaws in telecommunications organizations and network service providers.
Once they are able to get into the network via an unpatched internet-facing asset, the actors acquire credentials for the user and administrative accounts, followed by executing router commands to “surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure.”
Further, attackers also modify and remove local log files to destroy evidence of their activity to evade detection.
“Entities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing end-of-life infrastructure, and implementing a centralized patch management program,” the agencies said.
Reference
https://thehackernews.com/2022/06/us-agencies-warn-about-chinese-hackers.html
