In a joint advisory, the federal agencies said threat actors are taking advantage of publicly known vulnerabilities in network devices to create an extensive web of compromised infrastructure. The advisory contains a list of vendors and vulnerable devices.
Details of the Joint Cybersecurity Advisory
The Cybersecurity & Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory detailing a Chinese state-backed hacking campaign targeting major telecommunications companies and network service providers. The hackers “routinely exploited” publicly known vulnerabilities in network devices, the advisory said. The devices targeted include Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. These hacking incidents, which have been ongoing since 2020, allowed Chinese threat actors to gain access to targeted networks and victims’ accounts. “Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices,” the advisory said. These cyberattacks were apparently successful because of unpatched vulnerabilities: the hackers did not have to use any “distinctive or identifying malware.” The agencies recommended that “cyber defenders” mitigate this threat by applying the security patches available for their network systems. However, the advisory noted that it can be difficult for network administrators to ensure that endpoint devices are routinely patched, given the sheer number of endpoint devices in use and the number of patches issued.
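The advisory's core recommendation is to patch, and its stated obstacle is the scale of the device fleet. The following is an added example, not code from the advisory or the agencies, of the kind of patch-compliance check a defender can run over a device inventory: it compares each device's firmware against a minimum patched version and separates "vulnerable" from "patched" and "unknown" (a vendor or model the table does not cover, or an unparseable version string, which should be triaged rather than silently treated as safe). The vendor names, model names, versions and hostnames are constructed placeholders; real minimums must be taken from the advisory's device list and the vendors' own bulletins.

```python
import re
from dataclasses import dataclass

# Constructed placeholder table: (vendor, model) -> minimum patched firmware.
# In practice this is populated from the joint advisory's device list and
# the vendors' security bulletins, not hard-coded.
MIN_PATCHED = {
    ("ExampleVendor", "SOHO-Router-X"): "2.4.1",
    ("ExampleVendor", "NAS-200"): "5.0.3",
}


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    model: str
    firmware: str


def parse_version(version):
    """Reduce a firmware string such as 'v2.4.1-hotfix' to a comparable
    tuple of integers, e.g. (2, 4, 1). Raises ValueError if no digits
    are present so callers can flag the device instead of guessing."""
    numbers = re.findall(r"\d+", version)
    if not numbers:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(n) for n in numbers)


def classify(device):
    """Return 'patched', 'vulnerable' or 'unknown' for one device.
    'unknown' covers models absent from MIN_PATCHED and firmware strings
    that cannot be parsed; both need human review, not a pass."""
    key = (device.vendor, device.model)
    if key not in MIN_PATCHED:
        return "unknown"
    try:
        current = parse_version(device.firmware)
    except ValueError:
        return "unknown"
    required = parse_version(MIN_PATCHED[key])
    # Tuple comparison is element-wise, so (2, 3, 9) < (2, 4, 1).
    return "patched" if current >= required else "vulnerable"


def audit(inventory):
    """Group hostnames by patch status, sorted for stable reporting."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for device in inventory:
        report[classify(device)].append(device.hostname)
    for status in report:
        report[status].sort()
    return report


# Constructed sample inventory, as an asset-management export might provide.
SAMPLE_INVENTORY = [
    Device("r1", "ExampleVendor", "SOHO-Router-X", "v2.3.9"),
    Device("r2", "ExampleVendor", "SOHO-Router-X", "2.4.1"),
    Device("n1", "ExampleVendor", "NAS-200", "5.1.0"),
    Device("n2", "ExampleVendor", "NAS-200", "5.0.2-beta"),
    Device("s1", "OtherVendor", "Switch-9", "1.0"),
    Device("n3", "ExampleVendor", "NAS-200", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Run on the sample inventory, the script lists r1 and n2 as vulnerable, r2 and n1 as patched, and s1 and n3 as unknown. The "unknown" bucket is the important design choice: a device the table cannot vouch for is a gap in the inventory, and reporting it explicitly is what keeps the check from producing a falsely clean result across a large fleet.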
Threat Actors Careful to Avoid Detection
Using sophisticated techniques, the hackers siphoned the login credentials of users and administrators. With these details, they burrowed deeper into victims’ networks to “surreptitiously route, capture, and exfiltrate” data. SOHO routers and other endpoint network devices act as additional access points for routing command and control (C2) traffic. After compromising a device, the hackers incorporated it into their attack infrastructure, using it as a command-and-control server or proxy to breach more networks. The agencies said they observed the attackers tracking the accounts of cyber defenders and using the information they gathered to keep their activities hidden. “Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns,” the advisory reads. “PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network,” it adds.
U.S. Government Proactively Tracking Cyber Threats
In the past two years, U.S.-based organizations have suffered high-profile cyberattacks, including those targeting Microsoft Exchange servers and Colonial Pipeline. These incidents have pushed the U.S. government to keep a close eye on cyber threats, especially those that may compromise critical infrastructure. Federal agencies such as CISA have taken on the responsibility of alerting vulnerable organizations to security threats, and these advisories serve as a channel for public-private communication on cybersecurity. Since last year, U.S. intelligence and cybersecurity agencies have published alerts about state-backed campaigns from Russia and Iran, as well as ransomware attacks and threats to U.S. water systems. These advisories usually contain useful recommendations and mitigation measures.