
What do F5, Citrix, Pulse Secure all have in common? China exploiting their flaws to hack govt, biz – Feds

Beijing's snoops don't even need zero-days to break into valuable networks


The US government says the Chinese government's hackers are preying on a host of high-profile security holes in enterprise IT equipment to infiltrate Uncle Sam's agencies and American businesses.

Yes, this sounds like something from the Department of the Bleeding Obvious – spies do spying on all sides, and all that – but what's interesting in this latest warning is the roll call of vulnerable products being targeted.

In a joint statement, the FBI and Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) on Monday claimed Beijing's miscreants have exploited or attempted to exploit bugs including those in Microsoft Exchange Server (CVE-2020-0688), the F5 BIG-IP remote takeover vulnerability (CVE-2020-5902), the Pulse Secure VPN remote code execution flaw (CVE-2019-11510) and the Citrix VPN directory traversal hole (CVE-2019-19781).

The extent of the attacks on these programming blunders seems to vary. For example, the agencies said they have only seen the Chinese hackers "attempting to discover" vulnerable Citrix appliances, while other bugs like those in F5 and Pulse Secure gear are said to be under active attack.

"Through the National Cybersecurity Protection System, CISA has observed Chinese Ministry of State Security-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information sources and open-source exploitation tools," CISA warned.

For each of these vulnerabilities, vendors have already issued patches to install, so sysadmins should be able to protect their networks by deploying the latest security updates – granted, this is not a trivial task for something like a $700,000 F5 application delivery controller that's mission critical.

There are also steps that can be taken to mitigate the bugs if patching can't be done. For example, much of the Citrix and F5 gear in question should not be exposed to the public internet under normal conditions; rather, it ought to sit behind a firewall. Either way, intrusions via these holes are hardly inevitable and there are plenty of things admins can do to protect their data.

In addition to the exploits, the agencies also say they have – utterly unsurprisingly – spotted Chinese hacking crews probing networks for soft spots they could use as a point of entry – things like servers with holes in their bespoke web apps. The agencies also say they have observed command-and-control servers and domains used by the attackers as well as Shodan queries used to find their targets.

Above all, the hackers are abusing known bugs and using publicly available information for their cyber-break-ins rather than exploiting valuable zero-day flaws. While this might seem like good news at first glance, there's still a load of machines vulnerable on the internet, with public exploit code available for the flaws, meaning there are a lot of opportunities for meddling and theft of secrets and intellectual property.

The hackers also "frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data," CISA noted, "in some cases years after the initial successful data theft."

Patch, patch, and try some of that intrusion detection, too. ®
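As an added example of the kind of intrusion detection the closing line recommends (this is not code from the article or from the agencies' advisory), here is a small Python scanner over web access-log lines that flags directory-traversal attempts of the class the Citrix VPN hole belongs to, normalising percent-encoding (including double encoding) and backslashes before checking. The log lines, client IPs and request paths are constructed for the example and do not correspond to any real exploit.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format) for this example.
# Paths and IPs are made up; two clients are probing for traversal, one is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2020:10:01:02 +0000] "GET /portal/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2020:10:01:03 +0000] "GET /portal/../../etc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.24"
198.51.100.9 - - [15/Sep/2020:10:02:10 +0000] "GET /portal/..%2f..%2fcfg/app.conf HTTP/1.1" 200 1024 "-" "curl/7.68.0"
198.51.100.9 - - [15/Sep/2020:10:02:11 +0000] "POST /portal/%252e%252e/%252e%252e/cfg/app.conf HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.0.2.5 - - [15/Sep/2020:10:03:00 +0000] "GET /portal/assets/logo..png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [15/Sep/2020:10:03:01 +0000] "GET /static/css/main.css?v=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request path from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

def normalize_path(raw):
    """Percent-decode until stable (catches double encoding) and unify separators."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_traversal(raw_path):
    """True if any path segment is '..' after decoding, i.e. the request tries to climb out of its directory."""
    path = normalize_path(raw_path.split("?", 1)[0])
    return any(seg == ".." for seg in path.split("/"))

def find_traversal_attempts(log_text):
    """Return (ip, method, raw_path) for every request that looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("method"), m.group("path")))
    return hits

def suspicious_ips(log_text):
    """Sorted list of client IPs that made at least one traversal attempt."""
    return sorted({ip for ip, _, _ in find_traversal_attempts(log_text)})

if __name__ == "__main__":
    for ip, method, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {method} {path}")
```

The check is deliberately applied to the decoded, separator-normalised path rather than the raw request line, because a naive substring match on `../` misses the encoded and double-encoded variants shown in the sample.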
