NSA, CISA, and the FBI revealed today the top security vulnerabilities most exploited by hackers backed by the People's Republic of China (PRC) to target government and critical infrastructure networks.
The three federal agencies said in a joint advisory that Chinese-sponsored hackers are targeting U.S. and allied networks and tech companies to gain access to sensitive networks and steal intellectual property.
"NSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks," the advisory says.
"This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs)."
The advisory also bundles recommended mitigations for each of the security flaws most exploited by Chinese threat actors, as well as detection methods and vulnerable technologies to help defenders spot and block incoming attack attempts.
The following security vulnerabilities have been the top most exploited by Chinese-backed state hackers since 2020, according to the NSA, CISA, and the FBI.
Vendor |
CVE |
Vulnerability Type |
Apache Log4j |
CVE-2021-44228 |
Remote Code Execution |
Pulse Connect Secure |
CVE-2019-11510 |
Arbitrary File Read |
GitLab CE/EE |
CVE-2021-22205 |
Remote Code Execution |
Atlassian |
CVE-2022-26134 |
Remote Code Execution |
Microsoft Exchange |
CVE-2021-26855 |
Remote Code Execution |
F5 Big-IP |
CVE-2020-5902 |
Remote Code Execution |
VMware vCenter Server |
CVE-2021-22005 |
Arbitrary File Upload |
Citrix ADC |
CVE-2019-19781 |
Path Traversal |
Cisco Hyperflex |
CVE-2021-1497 |
Command Line Execution |
Buffalo WSR |
CVE-2021-20090 |
Relative Path Traversal |
Atlassian Confluence Server and Data Center |
CVE-2021-26084 |
Remote Code Execution |
Hikvision Webserver |
CVE-2021-36260 |
Command Injection |
Sitecore XP |
CVE-2021-42237 |
Remote Code Execution |
F5 Big-IP |
CVE-2022-1388 |
Remote Code Execution |
Apache |
CVE-2022-24112 |
Authentication Bypass by Spoofing |
ZOHO |
CVE-2021-40539 |
Remote Code Execution |
Microsoft |
CVE-2021-26857 |
Remote Code Execution |
Microsoft |
CVE-2021-26858 |
Remote Code Execution |
Microsoft |
CVE-2021-27065 |
Remote Code Execution |
Apache HTTP Server |
CVE-2021-41773 |
Path Traversal |
Mitigation measures
NSA, CISA, and FBI also urged U.S. and allied governments, critical infrastructure, and private sector orgs to apply the following mitigation measures to defend against Chinese-sponsored cyber-attacks.
The three federal agencies advise organizations to apply security patches as soon as possible, use phishing-resistant multi-factor authentication (MFA) whenever possible, and replace end-of-life network infrastructure no longer receiving security patches.
They also recommend moving towards the Zero Trust security model and enabling robust logging on internet-exposed services to detect attack attempts as soon as possible.
Today's joint advisory follows two others that shared information on tactics, techniques, and procedures (TTPs) used by Chinese-backed threat groups (in 2021) and publicly known vulnerabilities they exploit in attacks (in 2020).
In June, they also revealed that Chinese state hackers had compromised major telecommunications companies and network service providers to steal credentials and harvest data.
On Tuesday, the U.S. Government also issued an alert about state-backed hackers stealing data from U.S. defense contractors using a custom CovalentStealer malware and the Impacket framework.
- aum and Karlston
- 2
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.