CyberWire Daily - CISA Alert AA22-158A – People’s Republic of China state-sponsored cyber actors exploit network providers and devices. [CISA Cybersecurity Alerts]
Episode Date: June 8, 2022

This joint Cybersecurity Advisory describes the ways in which People’s Republic of China state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised global infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations.

AA22-158A Alert, Technical Details, and Mitigations

Refer to China Cyber Threat and Advisories, Internet Crime Complaint Center, and NSA Cybersecurity Guidance for previous reporting on People’s Republic of China state-sponsored malicious cyber activity.

US government and critical infrastructure organizations should consider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats. US Defense Industrial Base organizations should consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration. For more information on eligibility criteria and how to enroll in these services, email dib_defense@cyber.nsa.gov.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Transcript
You're listening to the Cyber Wire Network, powered by N2K. Original release date, June 7, 2022.
This alert describes the ways in which Chinese state-sponsored cyber actors exploit known vulnerabilities to establish a network of compromised global infrastructure. These actors use the network to exploit targets worldwide, including public and private sector organizations. The alert documentation details the targeting of major telecommunications companies and network service providers and the top vulnerabilities associated with network devices routinely exploited by the cyber actors.

PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit common vulnerabilities and exposures. This technique allows the actors to gain access to victim accounts using public exploit code against virtual private networks or public-facing applications without using their own identifying malware. Equipment such as small office/home office routers and network-attached storage devices serve as access points for command and control and as midpoints to conduct network intrusions against other entities. Recent high-severity vulnerabilities for network devices provided these actors with the ability to exploit and gain access to popular devices often overlooked by cyber defenders who struggled to maintain routine software patching of internet-facing services and endpoint devices.
PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from China-based IP addresses resolving to different Chinese internet service providers. They use these servers to register and access operational email accounts, host command and control domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.
These cyber actors have also adapted tactics to bypass defenses. NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders' accounts and actions and modifying their ongoing campaign to remain undetected. Cyber actors routinely modify their infrastructure and tool sets following the release of information related to their campaigns. PRC state-sponsored cyber actors often mix their customized tool set with tools native to the network environment to obscure their activity and blend into normal network activity.

NSA, CISA, and the FBI urge U.S. and allied governments, critical infrastructure, and private industry organizations to apply the recommendations listed in the mitigation section and Appendix A of the full report linked in the show notes to increase their defensive posture and reduce the risk to critical networks. The full report linked in the show notes includes device vulnerabilities most frequently exploited by PRC state-sponsored cyber actors and additional resources and mitigation strategies.

All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.