CISA, NSA, and FBI on China Cyber Threat
- Scott Anderson
- Apr 29, 2025
- 3 min read
Updated: Dec 3, 2025
The Federal Bureau of Investigation (FBI) recently reported that “the Chinese government is seeking to become the world’s greatest superpower through predatory lending and business practices, systematic theft of intellectual property, and brazen cyber intrusions.” There is a chance this bypassed your radar, even if you keep up with cybersecurity news, as stories about state-sponsored PRC actors infiltrating critical United States information systems are common.
Just last week, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI issued a joint cybersecurity advisory documenting the Common Vulnerabilities and Exposures (CVEs) most frequently exploited by the People’s Republic of China (PRC) since 2020. While we should learn from nearly everything written about the PRC’s illicit hacking, influence operations, and intellectual property (IP) theft, our readers should pay particular attention to this joint advisory.
The joint report not only documented PRC activity targeted at critical U.S. systems, but it also provided vital technical information (in simple terms) on the attack vectors and advised on potential mitigation techniques against them.
Highlights/Trends from the Report
Remote Code Execution (RCE) vulnerabilities were the most heavily targeted class of vulnerability and the PRC’s number one attack vector. In an RCE attack, the attacker remotely executes commands on the target system (or on an unwitting third party’s system). RCE was the primary tactic in 12 of the 20 top vulnerabilities exploited by the PRC.
Perhaps the most prominent RCE incident from the PRC was the Log4Shell exploit. Log4Shell targeted a remote code execution vulnerability that enabled hackers to compromise devices running Java. This vulnerability affected services like AWS, Steam, Cloudflare, Minecraft, and iCloud. It was known to have affected 90 percent of enterprise cloud environments.
In 4 of the top 20 vulnerabilities exploited by the PRC, state-sponsored hackers gained unauthorized access to servers and were able to read, upload, and manipulate files on the server. The primary methodologies used in these exploits included Path Traversal and Relative Path Traversal.
These exploits take advantage of insufficient validation or sanitization of user-supplied file names to read or write files outside the directory the application intended to expose. The National Institute of Standards and Technology (NIST) issued an advisory in April 2021 documenting a path-traversal vulnerability in the web interface of a Buffalo WSR-2533DHPL2 router firmware version, which enabled unauthenticated remote attackers to bypass authentication.
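To make the path-traversal mechanism concrete, here is an added Python example (my own illustration, not code from the advisory, NIST, or any affected product) that places the classic vulnerable file-name handling beside a hardened version. The base directory `/srv/www/public`, the function names, and the sample file names are all constructed for the example; the directory does not need to exist, since the canonicalisation is non-strict.

```python
import os
from pathlib import Path
from urllib.parse import unquote

# Constructed example: the only directory this handler is allowed to serve from.
# It need not exist on disk; Path.resolve() is non-strict by default.
BASE_DIR = Path("/srv/www/public")


def resolve_vulnerable(user_supplied: str) -> str:
    """The mistake traversal exploits rely on: the (decoded) user-controlled
    name is joined onto the base directory with no validation, so '..'
    segments or an absolute path walk straight out of BASE_DIR.
    The result is normalised only so the escape is visible when printed."""
    return os.path.normpath(os.path.join(str(BASE_DIR), unquote(user_supplied)))


def resolve_safe(user_supplied: str, base: Path = BASE_DIR) -> Path:
    """Hardened form: decode once, reject null bytes, canonicalise, and then
    require the canonical result to still sit inside the base directory.
    Raises ValueError for anything that escapes."""
    # Validate the *decoded* value: checking before decoding lets %2e%2e through.
    decoded = unquote(user_supplied)
    if not decoded.strip():
        raise ValueError("empty file name")
    if "\x00" in decoded:
        raise ValueError("null byte in file name")
    base = base.resolve()
    # Joining discards the base if the user value is absolute; resolve() then
    # collapses '.' and '..' segments and follows any symlinks that exist.
    candidate = (base / decoded).resolve()
    try:
        # Succeeds only if candidate is base itself or lies beneath it.
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path traversal rejected: {user_supplied!r}") from None
    return candidate


def is_allowed(user_supplied: str) -> bool:
    """Convenience wrapper: True if the name stays inside BASE_DIR."""
    try:
        resolve_safe(user_supplied)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a benign name, an in-directory use of '..',
    # then three escape attempts (plain, percent-encoded, absolute path).
    for name in ["images/logo.png", "docs/../index.html", "../../../etc/passwd",
                 "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]:
        verdict = "allowed" if is_allowed(name) else "REJECTED"
        print(f"{name!r:40} vulnerable -> {resolve_vulnerable(name):24} safe -> {verdict}")
```

The key design point is that the check runs on the canonical path after decoding, rather than on the raw string: a denylist of `../` substrings misses encoded forms and absolute paths, whereas `relative_to` on the resolved path rejects every route out of the base directory, while still permitting a harmless `docs/../index.html` that resolves back inside it.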
These specific attack methodologies, along with myriad others documented in the advisory, are difficult to detect and mitigate. While challenging, there are still impactful steps you can take to safeguard your assets in cyberspace.
Specifically, I encourage you to:
· Use complex passwords with at least 8 characters, including lowercase letters, uppercase letters, numbers, and symbols. The longer the password, the better.
· Check for software updates fastidiously and as soon as a patch is released, update your system.
· Implement effective firewalls and web application firewalls into your architecture.
· Always block any unused ports and search for and block malicious emails.
· Implement Multi-Factor Authentication (MFA).
· Set up session lock security controls to prevent brute force attacks.
Additional steps you can take to maximize your ability to detect the presence of threats include:
· Integrate a strong Intrusion Detection System (IDS) into your architecture.
· Hire (or develop) experts to form a strong security team capable of effectively monitoring all network activity and identifying and mitigating any anomalous activity.
· Check logs regularly or use Security Information and Event Management (SIEM) to aggregate logs.
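As an added example of the log-review step (and of what an IDS or SIEM rule for the path-traversal technique discussed earlier would look for), here is a small Python scanner of my own, not from the advisory or any vendor. It parses combined-format web access log lines, percent-decodes each request target repeatedly so that double-encoded sequences are caught, flags `../` traversal indicators, and counts hits per source address. The log lines and IP addresses are constructed for the example (RFC 5737 documentation ranges); the regex assumes the standard Apache/nginx combined log layout.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined"-style access log line: client IP, timestamp,
# request line, status. Only the fields the scanner uses are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2025:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5123
203.0.113.7 - - [29/Apr/2025:10:01:03 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 221
198.51.100.9 - - [29/Apr/2025:10:02:10 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 180
198.51.100.9 - - [29/Apr/2025:10:02:11 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 180
192.0.2.44 - - [29/Apr/2025:10:03:00 +0000] "POST /api/login HTTP/1.1" 200 64
"""


def fully_decode(value: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences such as %252e are caught. Returns the decoded
    text and the number of decoding rounds that actually changed it."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def traversal_reason(target: str) -> str | None:
    """Return a short reason if the request target looks like a directory
    traversal attempt once decoded, otherwise None."""
    decoded, rounds = fully_decode(target)
    # Treat backslashes like slashes: '..\' also walks up a level on Windows.
    normalised = decoded.replace("\\", "/")
    if "../" not in normalised and not normalised.endswith("/.."):
        return None
    if rounds == 0:
        return "literal '../' in request"
    return f"'../' revealed after {rounds} percent-decoding round(s)"


def scan_log(text: str) -> list[dict]:
    """Parse each access-log line and collect traversal findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the scan
        reason = traversal_reason(m["target"])
        if reason:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "target": m["target"], "reason": reason,
            })
    return findings


def hits_by_source(findings: list[dict]) -> Counter:
    """Count findings per client IP: repeated attempts from one address are a
    stronger signal than a single odd request."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']:14} {f['status']} {f['target']}  <- {f['reason']}")
    print("per-source:", dict(hits_by_source(results)))
```

Two points worth noting from the sample: the encoded requests already drew 403 responses, so the signal here is the repeated attempts from one address rather than any single status code, and the bounded decoding loop is what keeps the `%252e` double-encoded line from slipping past a rule that decodes only once.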
If you have not taken the time to do so, I encourage you to read the report, as it provides an exhaustive list of CVEs, technical explanations of each, and additional recommendations to secure your critical systems.