The Federal Bureau of Investigation (FBI) recently reported that “the Chinese government is seeking to become the world’s greatest superpower through predatory lending and business practices, systematic theft of intellectual property, and brazen cyber intrusions.” There is a chance this bypassed your radar even if you keep up with cybersecurity news, as stories about state-sponsored PRC actors infiltrating critical United States information systems are common. Just last week, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint cybersecurity advisory documenting the Common Vulnerabilities and Exposures (CVEs) most frequently exploited by the People’s Republic of China (PRC) since 2020. While we should learn from nearly everything written about the PRC’s illicit hacking, influence operations, and intellectual property (IP) theft, our readers should pay particular attention to this joint advisory.
The joint report not only documented PRC activity targeted at critical U.S. systems, it also provided vital technical information (in simple terms) on the attack vectors and advised on potential mitigation techniques against them.
Highlights/Trends from the Report
Remote Code Execution (RCE) vulnerabilities were the most heavily targeted class of vulnerability and the PRC’s number one attack vector. In an RCE attack, an attacker runs commands of their choosing on the target system (or on an unwitting third party’s system) from across the network. RCE was the primary tactic in 12 of the 20 top vulnerabilities exploited by the PRC.
Perhaps the most prominent RCE vulnerability exploited by the PRC was Log4Shell, a remote code execution flaw in the widely used Log4j Java logging library that allowed attackers to take control of systems running vulnerable Java applications. This vulnerability affected services like AWS, Steam, Cloudflare, Minecraft and iCloud. It was known to have affected 90 percent of enterprise cloud environments.
In 4 of the top 20 vulnerabilities exploited by the PRC, state-sponsored hackers gained unauthorized access to servers and were able to read, upload, and manipulate files on the server. Primary methodologies used in these exploitations included Path Traversal and Relative Path Traversal.
These exploits target insufficient validation or sanitization of user-supplied file names in order to reach files outside the directory the application intended to expose. The National Institute of Standards and Technology (NIST) published an advisory in April 2021 documenting a path traversal vulnerability in the web interface of a Buffalo WSR-2533DHPL2 firmware version that enabled unauthenticated remote attackers to bypass authentication.
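To make the validation gap concrete, here is an added Python example (not code from the advisory, NIST, or this post) showing a file resolver in the vulnerable form beside a hardened one. The document root /srv/app/public is a hypothetical placeholder; the hardened version decodes the request, refuses NUL bytes, canonicalises the path, and only then checks that the result is still inside the root.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root used for the example; any absolute path works.
DOCUMENT_ROOT = "/srv/app/public"


def resolve_unsafe(requested: str) -> str:
    """Vulnerable pattern: the user-supplied name is joined onto the root
    and used directly. '..' segments walk out of the root, and an absolute
    path makes os.path.join discard the root entirely."""
    return os.path.normpath(os.path.join(DOCUMENT_ROOT, requested))


def resolve_safe(requested: str) -> Optional[str]:
    """Hardened pattern: decode, reject NUL bytes, canonicalise, then require
    that the result is still inside the root. Returns None when the request
    must be refused."""
    # Decode twice so that double-encoded sequences such as %252e%252e are
    # seen as the '..' they become after the web server and the app decode.
    decoded = unquote(unquote(requested))
    # A NUL byte can truncate the file name in lower-level C APIs.
    if "\x00" in decoded:
        return None
    root = os.path.realpath(DOCUMENT_ROOT)
    # realpath collapses '..' and follows symlinks, so the containment check
    # below sees the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath compares path components, not characters: a plain
    # candidate.startswith(root) would wrongly accept "/srv/app/public2/secret".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("css/site.css", "../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd",
                "../public2/secret"):
        print(f"{req!r:40} unsafe -> {resolve_unsafe(req)!r:30} "
              f"safe -> {resolve_safe(req)!r}")
```

The design point is that the check runs on the canonical path that would actually be opened, not on the raw string: a deny-list of "../" misses encoded variants, and a string prefix comparison misses sibling directories that share the root's name as a prefix.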
These specific attack methodologies and myriad others documented in the advisory are difficult to detect and mitigate, but there are specific measures you can take to better safeguard your cyberspace-based assets.
Specifically, I encourage you to:
Use complex passwords of at least 8 characters that mix lowercase letters, uppercase letters, numbers, and symbols. The longer the password, the better.
Check for software updates fastidiously and, as soon as a patch is released, update your system.
Implement effective firewalls and web application firewalls in your architecture.
Always encrypt your data.
Always block any unused ports and search for and block malicious emails.
Implement Multi-Factor Authentication (MFA).
Set up session lock security controls to prevent brute force attacks.
It is also advised to maximize your ability to detect the presence of threats by:
Integrating a strong Intrusion Detection System (IDS) into your architecture.
Hiring (or developing) experts to form a strong security team capable of effectively monitoring all network activity and identifying and mitigating any anomalous activity.
Checking logs regularly, or using Security Information and Event Management (SIEM) tooling to aggregate logs.
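As an added example of what the log review and lockout advice above looks like in practice (this is illustrative code, not from the advisory or this post), the following Python script parses a constructed web-server access log and raises two kinds of finding: requests whose decoded path contains a traversal segment, and a burst of failed logins from one source address within a sliding time window. The log lines, addresses, the /login endpoint, and the threshold of 5 failures in 60 seconds are all assumptions for the example; the same logic is what a SIEM correlation rule would express.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access log (combined-log style); not real traffic.
# 203.0.113.10 probes for path traversal, 198.51.100.7 hammers the login form,
# 192.0.2.44 is a user who mistypes a password twice and then succeeds.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2022:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.10 - - [10/Oct/2022:12:00:02 +0000] "GET /images/../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.10 - - [10/Oct/2022:12:00:03 +0000] "GET /cgi-bin/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0
198.51.100.7 - - [10/Oct/2022:12:01:00 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.7 - - [10/Oct/2022:12:01:01 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.7 - - [10/Oct/2022:12:01:02 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.7 - - [10/Oct/2022:12:01:03 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.7 - - [10/Oct/2022:12:01:04 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.7 - - [10/Oct/2022:12:01:05 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.44 - - [10/Oct/2022:12:05:00 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.44 - - [10/Oct/2022:12:07:30 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.44 - - [10/Oct/2022:12:07:40 +0000] "POST /login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# A '..' path segment, with either slash style, checked after decoding.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

Finding = Tuple[str, str, str]  # (source ip, rule name, detail)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def is_traversal(path: str) -> bool:
    """True if the request path, after single or double URL-decoding, contains
    a '..' segment or a NUL byte."""
    decoded = unquote(unquote(path))
    return "\x00" in decoded or TRAVERSAL_RE.search(decoded) is not None


def detect(lines, fail_threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> List[Finding]:
    """Run both rules over an iterable of log lines and return the findings."""
    findings: List[Finding] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these too
        if is_traversal(ev["path"]):
            findings.append((ev["ip"], "path_traversal", ev["path"]))
        if ev["method"] == "POST" and ev["path"] == "/login" and ev["status"] in (401, 403):
            recent = failures[ev["ip"]]
            recent.append(ev["ts"])
            # Sliding window: forget failures older than `window`.
            while recent and ev["ts"] - recent[0] > window:
                recent.pop(0)
            # Fire once, at the moment the threshold is crossed.
            if len(recent) == fail_threshold:
                findings.append((ev["ip"], "login_brute_force",
                                 f"{fail_threshold} failed logins within "
                                 f"{int(window.total_seconds())}s"))
    return findings


if __name__ == "__main__":
    for ip, rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {rule:20} {detail}")
```

Running the script lists two traversal findings for 203.0.113.10 and one brute-force finding for 198.51.100.7; the two failures from 192.0.2.44 stay below the threshold and produce nothing. The same windowed count is what a lockout control enforces at the application, and feeding the finding back into the firewall or IDS closes the loop between the detection and mitigation lists above.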
If you have not taken the time to do so, we encourage you to read the report yourself, as it provides an exhaustive list of CVEs, technical explanations of each, and additional recommendations to secure your critical systems.