In the start of Oct 2020, Cybersecurity and Infrastructure Security Agency (CISA) published an advisory notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, as well as military information. According to CISA, in the light of heightened tensions between U.S. and China, these vulnerabilities were actively being exploited by Chinese threat actors to cause multiple industries to malfunction, including healthcare, financial services, defense industrial base, energy, government facilities, and take them over illegitimately.
As published by CISA, public reporting that associates Chinese actors with a range of high-profile attacks and offensive cyber activity includes the following:
- February 2013 – Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China
- April 2017 – Chinese APTs Targeting IP in 12 Countries
- December 2018 – Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs)
- February 2020 – China’s Military Indicted for 2017 Equifax Hack
- May 2020 – China Targets COVID-19 Research Organizations”
Tactics, Techniques, and Procedures (TTPs) used by these cyber actors are listed in the following PRE-ATT&CK techniques table.
Image Source: CISA
Apart from the PRE-ATT&CK techniques, other exploiting methods such as brute-forcing, phishing, obfuscation, and email collection were also used.
Update 12/01/2020:
The UK’s National Cyber Security Centre has issued an alert on CVE-2020-15505. According to the alert, multiple actors are attempting to exploit MobileIron vulnerability CVE 2020-15505 to compromise the networks of UK organizations.
The list of publicly known vulnerabilities as published by CISA is mentioned below.
| Vulnerability | Affected products | QID | Control |
| CVE-2012-0158 | Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 |
90793 |
|
| CVE-2020-5902 | Big-IP devices | 38791, 373106 |
|
| CVE-2019-19781 | Citrix Application Delivery Controller
Citrix Gateway Citrix SDWAN WANOP |
150273, 372305, 372685 |
|
| CVE-2019-11510 | Pulse Connect Secure | 38771 |
|
| CVE-2019-16278 | Nostromo 1.9.6 and below | 13634 | |
| CVE-2019-1652, 1653 | Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers | 13405 | |
| CVE-2020-10189 | Zoho ManageEngine Desktop Central before 10.0.474 | 372442 | |
| CVE-2020-8193, 8195, 8196 | Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18
Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 |
13833, 373116 | |
| CVE-2019-0708 | Microsoft Windows multiple products | 91541, 91534 |
|
| CVE-2020-15505 | MobileIron Core & Connector | ||
| CVE-2020-1350 | Microsoft Windows multiple products | 91662 | 18935 Status of the ‘TcpReceivePacketSize’ parameter within the ‘HKLM\System\CurrentControlSet\Services\DNS\Parameters’ registry key Evaluation: Set “TcpReceivePacketSize” with 0xFF00 |
| CVE-2020-1472 | Microsoft Windows multiple products | 91688 | 1509 Status of the ‘Netlogon’ service Evaluation: Disable the service |
| CVE-2020-1040 | Microsoft Windows multiple products | 91653 | |
| CVE-2018-6789 | Exim before 4.90.1 | 50089 | |
| CVE-2020-0688 | Multiple Microsoft Exchange Server | 50098 | |
| CVE-2018-4939 | Adobe ColdFusion | 370874 | |
| CVE-2015-4852 | Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 | 86362, 86340 | |
| CVE-2020-2555 | Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. | 372345 | |
| CVE-2019-3396 | Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2 | 13459 | |
| CVE-2019-11580 | Atlassian Crowd and Crowd Data Center | 13525 | |
| CVE-2020-10189 | Zoho ManageEngine Desktop Central before 10.0.474 | 372442 | |
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 | 372327, 150299 | |
| CVE-2020-0601 | Microsoft Windows multiple products | 91595 | |
| CVE-2019-0803 | Microsoft Windows multiple products | 91522 | |
| CVE-2017-6327 | Symantec Messaging Gateway before 10.6.3-267 | 11856 | |
| CVE-2020-8515 | DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices | 13730 |
Remediation and Mitigation
- Patch systems and equipment promptly and diligently.
- Implement rigorous configuration management programs.
- Disable unnecessary ports, protocols, and services.
- Enhance monitoring of network and email traffic.
- Use protection capabilities to stop malicious activity.
Qualys Policy Compliance customers can evaluate workarounds for the vulnerabilities with the provided Controls in the above list.
Recommendations
As guided by CISA, to protect assets from exploiting, one must do the following:
- Parameters such as consumption of threat intelligence, personal availability should be taken due care.
- Vigilance team of an organization should keep a close eye on IOCs as well as strict reporting processes.
- Regular incident response exercise at organizational level is always recommended as a proactive approach.
References
https://us-cert.cisa.gov/ncas/alerts/aa20-275a
https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability
