NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities

Animesh Jain

Last updated on: December 2, 2020

Update November 25, 2020: The UK National Cyber Security Centre alerts that APT nation-state groups and cybercriminals are exploiting MobileIron RCE vulnerability (CVE-2020-15505).

Original post: On October 20, 2020, the United States National Security Agency (NSA) released a cybersecurity advisory on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.

“Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and
mitigation efforts,” said the NSA advisory. It also recommended “critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage.”

Earlier this year, the NSA also announced Sandworm actors exploiting the Exim MTA Vulnerability. Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an advisory notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. 

Here is a list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along affected products and associated Qualys VMDR QID(s) for each vulnerability:

CVE-ID(s)Affected productsQualys QID(s)
CVE-2020-5902Big-IP devices38791, 373106
CVE-2019-19781Citrix Application Delivery Controller
Citrix Gateway
Citrix SDWAN WANOP
150273, 372305, 372685
CVE-2019-11510Pulse Connect Secure38771
CVE-2020-8193
CVE-2020-8195
CVE-2020-8196
Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18
Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7
13833, 373116
CVE-2019-0708Microsoft Windows multiple products91541, 91534
CVE-2020-15505MobileIron Core & Connector13998
CVE-2020-1350Microsoft Windows multiple products91662
CVE-2020-1472Microsoft Windows multiple products91688
CVE-2019-1040Microsoft Windows multiple products91653
CVE-2018-6789Exim before 4.90.150089
CVE-2020-0688Multiple Microsoft Exchange Server50098
CVE-2018-4939Adobe ColdFusion370874
CVE-2015-4852Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.086362, 86340
CVE-2020-2555Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.372345
CVE-2019-3396Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.213459
CVE-2019-11580Atlassian Crowd and Crowd Data Center13525
CVE-2020-10189Zoho ManageEngine Desktop Central before 10.0.474372442
CVE-2019-18935Progress Telerik UI for ASP.NET AJAX through 2019.3.1023372327, 150299
CVE-2020-0601Microsoft Windows multiple products91595
CVE-2019-0803Microsoft Windows multiple products91522
CVE-2017-6327Symantec Messaging Gateway before 10.6.3-26711856
CVE-2020-3118Cisco IOS XR, NCS316792
CVE-2020-8515DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices13730

Detect 25 Publicly Known Vulnerabilities using VMDR

Qualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in VMDR Dashboard by using the following QQL query:

vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]

Using Qualys VMDR, customers can effectively prioritize this vulnerability for “Active Attack” RTI:

Identify Vulnerable Assets using Qualys Threat Protection

In addition, Qualys customers can locate vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability.

With VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the “NSA’s Top 25 Vulnerabilities from China” dashboard.

Recommendations

As guided by CISA, to protect assets from exploiting, one must do the following:

  • Minimize gaps in personnel availability and consistently consume relevant threat intelligence.
  • Vigilance team of an organization should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.
  • Regular incident response exercises at the organizational level are always recommended as a proactive approach.

Remediation and Mitigation

  • Patch systems and equipment promptly and diligently.
  • Implement rigorous configuration management programs.
  • Disable unnecessary ports, protocols, and services.
  • Enhance monitoring of network and email traffic.
  • Use protection capabilities to stop malicious activity.

Get Started Now

Start your Qualys VMDR trial for automatically identifying, detecting and patching the high-priority commonly exploited vulnerabilities.

References

https://us-cert.cisa.gov/ncas/alerts/aa20-275a

https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting

Show Comments (4)

Comments

Your email address will not be published. Required fields are marked *