Beijing-backed baddies target unpatched networking kit to attack telcos

NSA, FBI and CISA issue joint advisory that suggests China hardly has to work for this – flaws revealed in 2017 are among their entry points


State-sponsored Chinese attackers are actively exploiting old vulnerabilities to "establish a broad network of compromised infrastructure" then using it to attack telcos and network services providers.

So say the United States National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI), which took the unusual step of issuing a joint advisory that warns allied governments, critical infrastructure operators, and private industry organizations to hurry up and fix their IT estates.

The advisory states that network devices are the target of this campaign and lists 16 flaws – some dating back to 2017 and none more recent than April 2021 – that the three agencies rate as the most frequently exploited.

China has not had to work hard to run this campaign. The advisory suggests Beijing's minions use open source tools like RouterSploit and RouterScan to find potentially vulnerable boxes.

Unpatched boxes are easily compromised – especially when they're routers installed at homes or small businesses.

The Register has often remarked that such products are not easy to patch, and that advice of the need to update firmware seldom reaches their owners.

The three-agency advisory states that attackers use compromised devices to gain "an initial foothold into a telecommunications organization or network service provider." They then hunt for users with valuable privileges and infrastructure that manages authentication, authorization, and accounting.

The advisory describes one attack in which China-sponsored actors identified a critical Remote Authentication Dial-In User Service (RADIUS) server, then "gained credentials to access the underlying SQL database and utilized SQL commands to dump the credentials, which contained both cleartext and hashed passwords for user and administrative accounts."

Once China's attackers scored those creds, they used them with custom automated scripts to authenticate to a router via Secure Shell, then executed router commands and saved the output. Among the hauls was the configuration of each attached router.

"The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network," the advisory states.
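The scripted SSH sweep across many routers and switches described above has a simple defensive signature: one source address authenticating to an unusual number of distinct network devices within a short window. The detector below is an added example, not code from the advisory or the agencies, and runs over constructed syslog-style lines; the host names, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the advisory): SSH logins on network
# devices, with one source fanning out to many devices within a few seconds.
SAMPLE_LOGS = """\
Jun 07 02:14:01 rtr-core-01 sshd: Accepted password for netops from 10.9.8.7 port 50112
Jun 07 02:14:03 rtr-edge-02 sshd: Accepted password for netops from 10.9.8.7 port 50113
Jun 07 02:14:04 sw-dist-03 sshd: Accepted password for netops from 10.9.8.7 port 50114
Jun 07 02:14:06 rtr-edge-04 sshd: Accepted password for netops from 10.9.8.7 port 50115
Jun 07 02:14:09 sw-acc-05 sshd: Accepted password for netops from 10.9.8.7 port 50116
Jun 07 02:31:40 rtr-core-01 sshd: Accepted publickey for admin from 10.1.1.20 port 41000
Jun 07 03:05:12 rtr-edge-02 sshd: Accepted password for admin from 10.1.1.20 port 41010
"""

# Matches the syslog-style "Accepted <method> for <user> from <src>" line.
LINE_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) sshd: Accepted \w+ for (\S+) from (\S+) port"
)


def parse(text, year=2022):
    """Return (timestamp, device, user, source_ip) tuples for successful logins."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_fanout(events, window=timedelta(minutes=5), min_devices=4):
    """Map each source IP to the devices it reached, if it hit >= min_devices
    distinct devices inside any sliding window (thresholds are assumptions)."""
    by_src = defaultdict(list)
    for ts, device, _user, src in events:
        by_src[src].append((ts, device))
    alerts = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            devices = {d for t, d in items[i:] if t - start <= window}
            if len(devices) >= min_devices:
                alerts[src] = sorted(devices)
                break
    return alerts
```

A real deployment would feed this from the syslog collector for the network estate and tune the window and device count to the normal behaviour of management jumphosts, which legitimately fan out during maintenance.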

That manipulation included capture and exfiltration of traffic "out of the network to actor-controlled infrastructure."

The attacks can be hard to spot, the advisory explains, because China's hired miscreants "often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network."

China-sponsored attackers can rely on help from what the three agencies describe as "compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers."

"The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks."

The three agencies suggest 14 mitigations, most of which are common sense practices – patching systems, always using multifactor authentication, segmenting networks to prevent lateral movement, and disabling devices' out-of-band management capabilities.

But the advisory warns constant vigilance is needed because the actors the document describes change their tactics in response to publication of analysis describing their exploits.

"Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns," the advisory states. The attackers also change their methods after observing targets' defensive actions.

The advisory itself may therefore spark a new wave of "innovation", as it details the router commands the three agencies have observed. ®
