CISA ALERT: Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) (https://www.cisa.gov/uscert/ncas/alerts/aa22-279a) detailing the top vulnerabilities that People’s Republic of China (PRC) state-sponsored cyber actors have used and exploited since 2020. These actors actively target U.S. and allied networks, as well as software and hardware companies, to steal intellectual property and develop access into sensitive networks.
The PRC state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. The majority of the listed common vulnerabilities and exposures (CVEs) allow remote code execution, meaning an adversary could exploit them to gain unauthorized access and take control of an affected system. Many of the known vulnerabilities in this CSA allow the actors to operate stealthily while gaining unauthorized access to sensitive networks. Once inside a network, these actors seek to establish persistence and move laterally to other internally connected networks.
The CSA provides an appendix with a clear, concise description of each CVE together with the affected technologies and versions; it also provides recommended mitigations and detection methods where they exist. Actions in this CSA that can help protect networks include:
- Update and patch systems, including those listed in this CSA and in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
- Use phishing-resistant multi-factor authentication whenever possible.
- Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised.
- Block obsolete or unused protocols at the network edge.
- Upgrade or replace end-of-life devices.
- Move toward the Zero Trust security model.
- Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity.
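The first action above points at CISA’s KEV catalog. The following added example (not code from CISA or the advisory) shows one way a defender can turn that list into a patch queue: it indexes a KEV-style JSON feed by vendor and product, matches it against an asset inventory, and ranks unpatched hits with Internet-facing systems and the most overdue due dates first. The feed entries, inventory and CVE IDs below are constructed placeholders; the field names follow the real catalog’s JSON schema, which is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.

```python
import json
from datetime import date

# Constructed KEV-style feed with placeholder IDs (not real CVEs); the
# field names match the real catalog's JSON schema.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2022-10-06", "dueDate": "2022-10-27",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2022-11-01", "dueDate": "2022-11-22",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleMail", "product": "Server",
     "dateAdded": "2022-09-01", "dueDate": "2022-09-22",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed asset inventory: host, vendor, product, whether the host is
# reachable from the Internet, and whether the KEV fix is already applied.
INVENTORY = [
    {"host": "vpn1", "vendor": "examplevpn", "product": "gateway", "internet_facing": True, "patched": False},
    {"host": "mail1", "vendor": "ExampleMail", "product": "Server", "internet_facing": True, "patched": True},
    {"host": "mail2", "vendor": "ExampleMail", "product": "Server", "internet_facing": False, "patched": False},
    {"host": "fileshare", "vendor": "ExampleNAS", "product": "Box", "internet_facing": True, "patched": False},
]

def load_kev(feed_json):
    """Index KEV entries by (vendor, product), case-insensitively."""
    index = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index

def find_exposed(inventory, kev, today_iso):
    """Return unpatched assets whose product is in KEV, most urgent first:
    Internet-facing before internal, then by most days past the KEV due date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        if asset["patched"]:
            continue
        for entry in kev.get((asset["vendor"].lower(), asset["product"].lower()), []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "internet_facing": asset["internet_facing"],
                             "days_overdue": (today - due).days,
                             "action": entry["requiredAction"]})
    return sorted(findings, key=lambda f: (not f["internet_facing"], -f["days_overdue"]))

if __name__ == "__main__":
    for finding in find_exposed(INVENTORY, load_kev(KEV_FEED), "2022-12-01"):
        print(finding)
```

Because the KEV feed lists products rather than affected version ranges, a match is a prompt to verify the installed version against the advisory's appendix, not a confirmed vulnerability.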