A new advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that cyber threat actors affiliated with the Chinese government are using publicly available and open-source information to find and exploit unpatched software vulnerabilities in U.S. government agencies.
According to the warning, hacking groups affiliated with the Chinese Ministry of State Security (MSS) have spent the last 12 months drawing on publicly available information sources such as Shodan, a search engine for internet-exposed devices and services, the Common Vulnerabilities and Exposures (CVE) database and the National Vulnerability Database (NVD).
CISA analysts use the same databases to identify federal government systems that are vulnerable to exploitation by cybercriminals and nation-state actors. They have also found a correlation between the public release of a vulnerability and targeted scanning of the systems identified as vulnerable to it.
“This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations,” the CISA advisory says. “Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.”
According to the advisory, the threat actors are targeting systems running unpatched products, including the F5 BIG-IP Traffic Management User Interface (TMUI), Citrix VPN appliances, Pulse Secure VPN appliances and Microsoft Exchange Server.
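The correlation CISA describes is something a defender can check against their own telemetry. The Python below is an added example, not code from the advisory or from CISA: it takes a set of vulnerability publication dates (the NVD "published" date) and a list of scan events tagged with the product they probed, then compares how many distinct sources scanned each product in the week before publication with the week after, and records how soon after publication the first scan arrived. The product labels, dates, IP addresses and scan events are all constructed for illustration, and the seven-day window and the 3x source-count threshold are assumptions, not values taken from the advisory.

```python
"""Measure how closely scanning of a product tracks the public release of a
vulnerability affecting it.  Added example, not part of the CISA advisory.
Both the vulnerability records and the scan events are constructed for
illustration; real inputs would be NVD 'published' dates and firewall, IDS
or web-server logs tagged with the product each request was aimed at."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vulnerability records: product label -> date the
# vulnerability became public (the NVD 'published' field).  Dates are
# illustrative, not the real disclosure dates for these products.
VULNS = {
    "f5-bigip-tmui": datetime(2020, 7, 1),
    "citrix-adc": datetime(2019, 12, 17),
}

# Constructed scan events: (timestamp, product probed, source IP).
# The two F5 events before 2020-07-01 are background noise; the later
# ones are the burst that follows publication.  203.0.113.52 falls
# outside the post-release window and is ignored by the analysis.
SCANS = [
    (datetime(2020, 6, 20), "f5-bigip-tmui", "198.51.100.7"),
    (datetime(2020, 6, 28), "f5-bigip-tmui", "198.51.100.7"),
    (datetime(2020, 7, 3), "f5-bigip-tmui", "203.0.113.10"),
    (datetime(2020, 7, 3), "f5-bigip-tmui", "203.0.113.11"),
    (datetime(2020, 7, 4), "f5-bigip-tmui", "203.0.113.12"),
    (datetime(2020, 7, 5), "f5-bigip-tmui", "203.0.113.13"),
    (datetime(2019, 12, 20), "citrix-adc", "203.0.113.50"),
    (datetime(2019, 12, 21), "citrix-adc", "203.0.113.51"),
    (datetime(2019, 12, 22), "citrix-adc", "203.0.113.53"),
    (datetime(2020, 1, 9), "citrix-adc", "203.0.113.52"),
]


def scan_window_stats(vulns, scans, window_days=7):
    """For each vulnerability, count distinct scanning sources in the
    window before publication and in the window after it, and record
    how many days after publication the first post-release scan appeared
    (None if nothing was seen in the post-release window)."""
    window = timedelta(days=window_days)
    before = defaultdict(set)
    after = defaultdict(set)
    first_after = {}
    for ts, product, src in scans:
        pub = vulns.get(product)
        if pub is None:
            continue  # product has no published vulnerability on record
        if pub - window <= ts < pub:
            before[product].add(src)
        elif pub <= ts <= pub + window:
            after[product].add(src)
            lag = (ts - pub).days
            first_after[product] = min(first_after.get(product, lag), lag)
    result = {}
    for product, pub in vulns.items():
        result[product] = {
            "published": pub.date().isoformat(),
            "sources_before": len(before[product]),
            "sources_after": len(after[product]),
            "days_to_first_scan": first_after.get(product),
        }
    return result


def flag_correlated(stats, ratio=3):
    """Return (sorted) products whose post-release scanning sources are at
    least `ratio` times the pre-release count, treating zero as one so a
    product with no prior scanning still needs several new sources."""
    return sorted(p for p, s in stats.items()
                  if s["sources_after"] >= ratio * max(s["sources_before"], 1))


if __name__ == "__main__":
    stats = scan_window_stats(VULNS, SCANS)
    for product, s in stats.items():
        print(product, s)
    print("scanning correlated with release:", flag_correlated(stats))
```

On real data the product tag on each scan event is the hard part: it has to come from the request path, port or service banner the scanner touched, which means keeping web-server and VPN-appliance logs long enough to cover the week before a disclosure, not just the week after.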
The actors also use well-known techniques to identify technical weaknesses in federal government networks, and rely on command-and-control (C2) infrastructure and commercial and open-source tools to conduct their operations.
Those publicly available tools include the penetration-testing framework Cobalt Strike, the China Chopper web shell and the credential-harvesting tool Mimikatz.
Other attack methods include spear phishing and other malicious email, brute-force password guessing, credential stuffing and more.
For the complete list of targeted products and links to the corresponding patches, read the advisory.