Publicly-known Vulnerabilities Exploited by State-sponsored Cyber Threat Actors

At the start of October 2020, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on publicly known vulnerabilities that were being exploited in the wild to steal sensitive data, including intellectual property and economic, political and military information. According to CISA, against a backdrop of heightened tensions between the U.S. and China, Chinese state-sponsored threat actors were actively exploiting these vulnerabilities to compromise and gain illegitimate control of networks across multiple sectors, including healthcare, financial services, the defense industrial base, energy, and government facilities.

As published by CISA, public reporting that associates Chinese actors with a range of high-profile attacks and offensive cyber activity includes the following:

  • February 2013 – Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China
  • April 2017 – Chinese APTs Targeting IP in 12 Countries
  • December 2018 – Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs)
  • February 2020 – China’s Military Indicted for 2017 Equifax Hack
  • May 2020 – China Targets COVID-19 Research Organizations

The Tactics, Techniques, and Procedures (TTPs) used by these actors are listed in the PRE-ATT&CK techniques table below.

[Table image: PRE-ATT&CK techniques used by the actors. Image source: CISA]

In addition to the PRE-ATT&CK techniques, the actors also used other methods such as brute forcing, phishing, obfuscation, and email collection.

Update 12/01/2020:

The UK's National Cyber Security Centre (NCSC) has issued an alert on CVE-2020-15505. According to the alert, multiple actors are attempting to exploit this MobileIron vulnerability to compromise the networks of UK organizations.

The list of publicly known vulnerabilities as published by CISA is given below, together with the Qualys QIDs that detect each one and, where available, the Qualys Policy Compliance controls that evaluate a workaround.

Vulnerability: CVE-2012-0158
Affected products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
QID: 90793

Vulnerability: CVE-2020-5902
Affected products: F5 BIG-IP devices
QID: 38791, 373106
Controls:
  • 18835 – List of allow-service configured for all Self IP addresses
    Evaluation: Set "allow-service" to "none" or customize per requirement.
  • 18836 – Status of the 'LocationMatch' directive included in the httpd component (sys httpd)
    Evaluation: Add the LocationMatch directive to the httpd configuration.
  • 13903 – Status of the current list of allowed IP addresses for the httpd daemon
    Evaluation: Block all access to the BIG-IP Configuration utility via self IPs.

Vulnerability: CVE-2019-19781
Affected products: Citrix Application Delivery Controller; Citrix Gateway; Citrix SDWAN WANOP
QID: 150273, 372305, 372685

Vulnerability: CVE-2019-11510
Affected products: Pulse Connect Secure
QID: 38771

Vulnerability: CVE-2019-16278
Affected products: Nostromo 1.9.6 and below
QID: 13634

Vulnerability: CVE-2019-1652, CVE-2019-1653
Affected products: Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers
QID: 13405

Vulnerability: CVE-2020-10189
Affected products: Zoho ManageEngine Desktop Central before 10.0.474
QID: 372442

Vulnerability: CVE-2020-8193, CVE-2020-8195, CVE-2020-8196
Affected products: Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18; Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7
QID: 13833, 373116

Vulnerability: CVE-2019-0708
Affected products: Microsoft Windows, multiple products
QID: 91541, 91534
Controls:
  • 10404 – Status of the 'Require user authentication for remote connections by using Network Level Authentication' setting
    Evaluation: Enable the Network Level Authentication (NLA) setting.
  • 7519 – Status of the 'Allow users to connect remotely using Remote Desktop Services (Terminal Services)' setting
    Evaluation: Disable the setting, or use the following control to check the service status:
  • 1430 – Status of the 'Terminal Services' service
    Evaluation: Disable the service.

Vulnerability: CVE-2020-15505
Affected products: MobileIron Core & Connector
QID: (not listed)

Vulnerability: CVE-2020-1350
Affected products: Microsoft Windows, multiple products
QID: 91662
Controls:
  • 18935 – Status of the 'TcpReceivePacketSize' parameter under the 'HKLM\System\CurrentControlSet\Services\DNS\Parameters' registry key
    Evaluation: Set "TcpReceivePacketSize" to 0xFF00.

Vulnerability: CVE-2020-1472
Affected products: Microsoft Windows, multiple products
QID: 91688
Controls:
  • 1509 – Status of the 'Netlogon' service
    Evaluation: Disable the service.

Vulnerability: CVE-2020-1040
Affected products: Microsoft Windows, multiple products
QID: 91653

Vulnerability: CVE-2018-6789
Affected products: Exim before 4.90.1
QID: 50089

Vulnerability: CVE-2020-0688
Affected products: Microsoft Exchange Server, multiple versions
QID: 50098

Vulnerability: CVE-2018-4939
Affected products: Adobe ColdFusion
QID: 370874

Vulnerability: CVE-2015-4852
Affected products: Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0
QID: 86362, 86340

Vulnerability: CVE-2020-2555
Affected products: Oracle Coherence (Oracle Fusion Middleware) versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0
QID: 372345

Vulnerability: CVE-2019-3396
Affected products: Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2
QID: 13459

Vulnerability: CVE-2019-11580
Affected products: Atlassian Crowd and Crowd Data Center
QID: 13525

Vulnerability: CVE-2019-18935
Affected products: Progress Telerik UI for ASP.NET AJAX through 2019.3.1023
QID: 372327, 150299

Vulnerability: CVE-2020-0601
Affected products: Microsoft Windows, multiple products
QID: 91595

Vulnerability: CVE-2019-0803
Affected products: Microsoft Windows, multiple products
QID: 91522

Vulnerability: CVE-2017-6327
Affected products: Symantec Messaging Gateway before 10.6.3-267
QID: 11856

Vulnerability: CVE-2020-8515
Affected products: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices
QID: 13730
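The following PowerShell script is an added example written for this post; it is not one of the Qualys Policy Compliance controls and is not taken from the CISA advisory. It reads the same Windows settings that the controls above evaluate (10404, 7519 and 1430 for CVE-2019-0708, 18935 for CVE-2020-1350, and 1509 for CVE-2020-1472) and reports a pass/fail per control without changing anything. The registry paths, value names and service names it uses are the standard Microsoft locations for these settings and are assumptions of the example, not details given in the advisory or the controls.

```powershell
# Added example (not a Qualys control, not from the CISA advisory): audit the
# Windows workaround settings evaluated by controls 10404, 7519, 1430, 18935 and
# 1509. Read-only; run in an elevated PowerShell session on the host being checked.
#
# Assumptions (standard Microsoft locations, not taken from the post):
#   - local RDP settings: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
#   - Group Policy overrides: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
#   - DNS Server workaround key: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
#   - service names 'TermService' (Remote Desktop Services) and 'Netlogon'

function Get-RegValue {
    # Returns the named registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-EffectiveTsValue {
    # A configured Group Policy value takes precedence over the local setting.
    param([string]$Name, [string]$LocalPath)
    $policy = Get-RegValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name $Name
    if ($null -ne $policy) { return $policy }
    Get-RegValue -Path $LocalPath -Name $Name
}

function Invoke-WorkaroundAudit {
    $tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp  = "$tsKey\WinStations\RDP-Tcp"
    $dnsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $results = @()

    # Control 10404 / CVE-2019-0708: NLA required for RDP (UserAuthentication = 1).
    $nla = Get-EffectiveTsValue -Name 'UserAuthentication' -LocalPath $rdpTcp
    $results += [pscustomobject]@{
        Control = '10404'; CVE = 'CVE-2019-0708'; Setting = 'NLA required for RDP'
        Value = $(if ($null -ne $nla) { $nla } else { 'not set' }); Pass = ($nla -eq 1)
    }

    # Control 7519 / CVE-2019-0708: remote connections denied (fDenyTSConnections = 1).
    # An unset value is flagged for manual review rather than assumed safe.
    $deny = Get-EffectiveTsValue -Name 'fDenyTSConnections' -LocalPath $tsKey
    $results += [pscustomobject]@{
        Control = '7519'; CVE = 'CVE-2019-0708'; Setting = 'RDP connections denied'
        Value = $(if ($null -ne $deny) { $deny } else { 'not set' }); Pass = ($deny -eq 1)
    }

    # Control 1430 / CVE-2019-0708: Remote Desktop Services ('TermService') disabled.
    $term = Get-Service -Name 'TermService' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Control = '1430'; CVE = 'CVE-2019-0708'; Setting = 'TermService disabled'
        Value = $(if ($term) { "$($term.Status) / $($term.StartType)" } else { 'not present' })
        Pass  = ((-not $term) -or ($term.StartType -eq 'Disabled'))
    }

    # Control 18935 / CVE-2020-1350: only relevant where the DNS Server role exists,
    # i.e. when the Parameters key is present. The control expects exactly 0xFF00.
    if (Test-Path $dnsKey) {
        $size = Get-RegValue -Path $dnsKey -Name 'TcpReceivePacketSize'
        $results += [pscustomobject]@{
            Control = '18935'; CVE = 'CVE-2020-1350'; Setting = 'DNS TcpReceivePacketSize = 0xFF00'
            Value = $(if ($null -ne $size) { '0x{0:X}' -f $size } else { 'not set' })
            Pass  = ($size -eq 0xFF00)
        }
    }

    # Control 1509 / CVE-2020-1472: Netlogon disabled. Caveat: domain controllers and
    # domain-joined hosts need Netlogon for domain authentication, so a failing result
    # there means "apply the patch", not "disable the service". The role is recorded
    # so the reader can tell the two cases apart.
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $role = if ($cs.DomainRole -ge 4) { 'domain controller' }
            elseif ($cs.PartOfDomain) { 'domain member' } else { 'standalone' }
    $nl   = Get-Service -Name 'Netlogon' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Control = '1509'; CVE = 'CVE-2020-1472'; Setting = "Netlogon disabled ($role)"
        Value = $(if ($nl) { "$($nl.Status) / $($nl.StartType)" } else { 'not present' })
        Pass  = ((-not $nl) -or ($nl.StartType -eq 'Disabled'))
    }

    return $results
}

$audit  = Invoke-WorkaroundAudit
$audit | Format-Table Control, CVE, Setting, Value, Pass -AutoSize
$failed = @($audit | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $(@($audit).Count) workaround control(s) not in the recommended state."
```

The script deliberately checks the Group Policy key before the local Terminal Server key, because a policy-managed host can show a permissive local value that is overridden at logon. Treat the output as a pre-patch triage aid: the workarounds reduce exposure, but the remediation for every CVE in the table is the vendor patch.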

Remediation and Mitigation

  • Patch systems and equipment promptly and diligently.
  • Implement rigorous configuration management programs.
  • Disable unnecessary ports, protocols, and services.
  • Enhance monitoring of network and email traffic.
  • Use protection capabilities to stop malicious activity.

Qualys Policy Compliance customers can evaluate workarounds for these vulnerabilities using the controls listed above.

Recommendations

As guided by CISA, organizations should do the following to protect their assets from exploitation:

  • Pay due attention to the consumption of threat intelligence and to personnel availability.
  • The organization's security monitoring team should watch closely for indicators of compromise (IOCs) and follow strict reporting processes.
  • Regular incident response exercises at the organizational level are recommended as a proactive measure.

References

https://us-cert.cisa.gov/ncas/alerts/aa20-275a

https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability
