Chinese APT's favorite vulnerabilities revealed

In a joint cybersecurity advisory, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.

The advisory aims to “inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).”

The US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. The usual targets range from organizations in the IT sector, including telecommunications service providers; the DIB (Defense Industrial Base) sector, which is related to military weapons systems; and other critical infrastructure sectors.

It is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.

The advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.

Last year, CISA began publishing a catalog of actively exploited vulnerabilities that need ot be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of vulnerabilities favored by Russian state-sponsored threat actors.

If your organization’s intellectual property is likely to be of interest to China, this is list is for you. And if it isn’t, this list is still worth paying attention to.

The vunerabilities

Remote code execution (RCE)

RCE flaws let attackers execute malicious code on a compromised, remote computer. The advisory identifies 12 RCEs: CVE-2021-44228 (also known as Log4Shell or LogJam), CVE-2021-22205, CVE-2022-26134, CVE-2021-26855, CVE-2020-5902, CVE-2021-26084, CVE-2021-42237, CVE-2022-1388, CVE-2021-40539, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Arbitrary file read

The advisory identifies two arbitrary file read flaws–CVE-2019-11510 and CVE-2021-22005–which allow users or malicious programs with low privileges to read (but not write) any file on the affected system or server. Useful for stealing data.

Authentication bypass by spoofing

CVE-2022-24112 is an authentication bypass flaw that allows attackers to access resources they shouldn’t have access to by spoofing an IP address.

Command injection

CVE-2021-36260 is a command injection flaw that allows attackers to execute commands of their own choosing on an affected system. A vulnerable app is usually involved in such attacks.

Command line execution

CVE-2021-1497 is a command injection flaw that allows attackers to inject data into an affected system’s command line.

Path Traversal

Also known as “directory traversal,” these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths. CVE-2019-19781, CVE-2021-41773, and CVE-2021-20090 are all forms of path traversal attack.

Mitigations

The NSA, CISA, and FBI urge organizations to undertake the following mitigations:

• * Apply patches as they come, prioritizing the most critical l flaws in your environment.
  

  • Use multi-factor authentication.
  • Require the use of strong, unique passwords.
  • Upgrade or replace software or devices that are at, or close to, their end of life.
  • Consider adopting a zero-trust security model.
  • Monitor and log Internet-facing systems for abnormal activity.