Several US federal agencies announced today that Chinese-backed threat actors have targeted and infiltrated key telecommunications and network service providers in order to steal credentials and harvest data.
Chinese state-sponsored groups have exploited publicly known vulnerabilities to compromise everything from unpatched small office/home office (SOHO) routers to medium and large enterprise networks, according to a joint cybersecurity advisory released on Tuesday by the NSA, CISA, and the FBI.
Once compromised, these devices were folded into the actors' own attack infrastructure and used as command-and-control servers and proxies for breaking into further networks.
“Once within a telecommunications organization or network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, including systems critical to maintaining the security of authentication, authorization, and accounting,” according to the report.
The attackers first stole credentials for the SQL database behind a critical Remote Authentication Dial-In User Service (RADIUS) server, then ran SQL commands against it to dump the stored user and administrator account credentials.
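As an added example that is not code from the advisory or this article, the Python script below audits a RADIUS backend for exactly what such a table dump hands an attacker: accounts whose stored secret is reusable as-is or cheap to crack. It assumes the FreeRADIUS `rlm_sql` schema (a `radcheck` table with `username`, `attribute`, `op`, `value`) and `rlm_pap` attribute names; the weak-storage list and every sample row are constructed for illustration.

```python
"""Audit a FreeRADIUS-style `radcheck` table for credentials that a SQL dump
would hand an attacker in reusable form.

Added example, not code from the advisory or the article. Assumptions:
the RADIUS server stores users via the FreeRADIUS rlm_sql schema
(radcheck: id, username, attribute, op, value) and uses rlm_pap attribute
names; every row below is constructed sample data.
"""
import sqlite3

# Storage forms that are reusable as-is (cleartext) or cheap to crack
# (unsalted hashes). Anything not listed here, such as Crypt-Password
# or SSHA1-Password, is treated as acceptable salted storage.
WEAK_STORAGE = {
    "Cleartext-Password": "stored in cleartext",
    "User-Password": "stored in cleartext (legacy attribute)",
    "NT-Password": "unsalted NTLM hash, crackable and usable for pass-the-hash",
    "LM-Password": "unsalted LM hash, trivially crackable",
    "MD5-Password": "unsalted MD5 hash",
    "SHA1-Password": "unsalted SHA-1 hash",
}

# Constructed rows: a mix of acceptable and weak storage for several accounts.
SAMPLE_RADCHECK = [
    ("alice",      "Cleartext-Password", ":=", "Summer2020!"),
    ("bob",        "Crypt-Password",     ":=", "$6$c0nstructedsalt$c0nstructedhashvalue"),
    ("netadmin",   "NT-Password",        ":=", "8846F7EAEE8FB117AD06BDD830B7586C"),
    ("carol",      "SSHA1-Password",     ":=", "c2FsdGVkLXNoYTEtY29uc3RydWN0ZWQ="),
    ("svc-router", "MD5-Password",       ":=", "5f4dcc3b5aa765d61d8327deb882cf99"),
]


def load_sample_db():
    """Build an in-memory SQLite copy of the radcheck table from the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " username TEXT NOT NULL, attribute TEXT NOT NULL,"
        " op TEXT NOT NULL, value TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        SAMPLE_RADCHECK,
    )
    conn.commit()
    return conn


def weak_credentials(conn):
    """Return (username, attribute, reason) for every account whose stored
    secret an attacker could reuse or crack straight out of a table dump."""
    placeholders = ", ".join("?" for _ in WEAK_STORAGE)
    rows = conn.execute(
        "SELECT username, attribute FROM radcheck"
        f" WHERE attribute IN ({placeholders})"
        " ORDER BY username",
        tuple(WEAK_STORAGE),
    ).fetchall()
    return [(user, attr, WEAK_STORAGE[attr]) for user, attr in rows]


def storage_summary(conn):
    """Count accounts per password attribute, to see how much of the
    directory a dump would expose."""
    rows = conn.execute(
        "SELECT attribute, COUNT(*) FROM radcheck"
        " WHERE attribute LIKE '%-Password' GROUP BY attribute"
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = load_sample_db()
    for user, attr, why in weak_credentials(db):
        print(f"{user:12} {attr:20} {why}")
    print(storage_summary(db))
```

Moving accounts off cleartext and unsalted storage does not stop a dump, but it changes what the dump yields: a `Crypt-Password` row has to be cracked offline, whereas a `Cleartext-Password` or `NT-Password` row can be replayed against the routers immediately. Where a protocol forces weak storage (MS-CHAPv2 needs the NT hash), the compensating control is tight access to the database itself.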
“The cyber actors returned to the network, armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure,” the federal agencies added.
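As an added example that is not part of the advisory or this article, the Python below scans router syslog for the activity the agencies describe: configuration sessions from hosts outside the management network, and logged commands that mirror, tunnel or reroute traffic or change AAA. It assumes Cisco IOS-style `%SYS-5-CONFIG_I` and `%PARSER-5-CFGLOG_LOGGEDCMD` messages (the latter only appears when configuration logging is enabled); the management allowlist, the command patterns and the sample log lines are constructed.

```python
"""Flag router configuration activity of the kind the advisory describes:
logons from outside the management network and commands that redirect,
mirror or tunnel traffic or change AAA.

Added example, not code from the advisory or the article. Assumes Cisco
IOS-style syslog: %SYS-5-CONFIG_I marks a config session and its source
address, and %PARSER-5-CFGLOG_LOGGEDCMD (emitted when configuration
logging is enabled) records each command. Allowlist, patterns and sample
log lines are constructed.
"""
import re

# Assumed jump hosts from which legitimate configuration sessions originate.
MANAGEMENT_HOSTS = {"10.10.0.5", "10.10.0.6"}

# Commands worth an alert on a provider edge router. Patterns are anchored at
# the start of the logged command; the list is an assumption, not exhaustive.
SENSITIVE_COMMANDS = [
    (re.compile(r"^monitor session \d+"), "traffic mirroring session (SPAN/ERSPAN)"),
    (re.compile(r"^interface [Tt]unnel\d*"), "tunnel interface (possible exfiltration path)"),
    (re.compile(r"^tunnel destination "), "tunnel endpoint set"),
    (re.compile(r"^ip route "), "static route change (traffic redirection)"),
    (re.compile(r"^(aaa |radius(-| )server|tacacs)"), "AAA configuration change"),
    (re.compile(r"^username "), "local account change"),
]

CONFIG_SESSION = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \w+ by (?P<user>\S+) on \S+ \((?P<src>[\d.]+)\)"
)
LOGGED_COMMAND = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Constructed sample: a routine change by netops at 10:14, then an off-hours
# session from an unknown address that builds a tunnel and mirrors traffic.
SAMPLE_LOG = """\
Jun  7 10:14:55 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.0.5)
Jun  7 10:15:02 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1
Jun  7 10:15:03 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:description uplink to core
Jun  7 23:41:10 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by svc-router on vty2 (198.51.100.23)
Jun  7 23:41:20 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-router  logged command:interface Tunnel9
Jun  7 23:41:21 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-router  logged command:tunnel destination 203.0.113.77
Jun  7 23:41:30 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-router  logged command:monitor session 1 type erspan-source
Jun  7 23:41:31 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-router  logged command:source interface GigabitEthernet0/1
"""


def analyze(lines, management_hosts=MANAGEMENT_HOSTS):
    """Return (user, source_ip, reason) findings in log order.

    The source address of each user's most recent config session is kept so
    that a flagged command can be tied back to where the session came from.
    """
    findings = []
    session_source = {}
    for line in lines:
        m = CONFIG_SESSION.search(line)
        if m:
            user, src = m.group("user"), m.group("src")
            session_source[user] = src
            if src not in management_hosts:
                findings.append((user, src, "config session from non-management host"))
            continue
        m = LOGGED_COMMAND.search(line)
        if not m:
            continue
        user, cmd = m.group("user"), m.group("cmd").strip()
        for pattern, reason in SENSITIVE_COMMANDS:
            if pattern.match(cmd):
                findings.append((user, session_source.get(user, "unknown"), f"{reason}: {cmd}"))
                break
    return findings


if __name__ == "__main__":
    for user, src, reason in analyze(SAMPLE_LOG.splitlines()):
        print(f"{user:12} {src:16} {reason}")
```

The valid-credential problem the agencies describe is why the source-address check matters: once the actor holds a real account, the command itself looks like ordinary administration, and the session origin (and the pairing of a new tunnel with a new mirroring session) is what distinguishes it.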
According to the three agencies, the common vulnerabilities and exposures (CVEs) listed below are the ones Chinese state-sponsored actors have most frequently exploited since 2020.
“Since 2020, the PRC has been using specialized approaches and common vulnerabilities to its advantage in cyber campaigns,” according to the NSA.
| Vendor | CVE | Vulnerability Type |
| --- | --- | --- |
| Cisco | CVE-2018-0171 | Remote Code Execution |
| Cisco | CVE-2019-15271 | Remote Code Execution |
| Cisco | CVE-2019-1652 | Remote Code Execution |
| Citrix | CVE-2019-19781 | Remote Code Execution |
| DrayTek | CVE-2020-8515 | Remote Code Execution |
| D-Link | CVE-2019-16920 | Remote Code Execution |
| Fortinet | CVE-2018-13382 | Authentication Bypass |
| MikroTik | CVE-2018-14847 | Authentication Bypass |
| Netgear | CVE-2017-6862 | Remote Code Execution |
| Pulse | CVE-2019-11510 | Authentication Bypass |
| Pulse | CVE-2021-22893 | Remote Code Execution |
| QNAP | CVE-2019-7192 | Privilege Elevation |
| QNAP | CVE-2019-7193 | Remote Inject |
| QNAP | CVE-2019-7194 | XML Routing Detour Attack |
| QNAP | CVE-2019-7195 | XML Routing Detour Attack |
| Zyxel | CVE-2020-29583 | Authentication Bypass |
By exploiting these vulnerabilities, Chinese state-sponsored actors have built large networks of compromised infrastructure, which they then use to reach an even broader range of public and private sector targets.
The NSA, CISA, and FBI are also urging US and allied governments, critical infrastructure, and private business entities to implement a set of mitigation measures to help reduce the likelihood of similar attacks infiltrating their networks.
According to the agencies, security updates should be applied as soon as feasible, unneeded ports and protocols should be disabled to reduce the attack surface, and end-of-life network infrastructure that no longer receives security patches should be replaced.
Segmenting networks to prevent lateral movement and enabling robust monitoring on internet-exposed services to detect attack attempts as soon as possible are also recommended.
This joint advisory follows two previous ones that shared information on the tactics, techniques, and procedures (TTPs) Chinese state-sponsored hackers use in their attacks (in 2021) and on the publicly known vulnerabilities they exploited (in 2020).