
The US National Security Agency has released a list detailing the 25 vulnerabilities most commonly exploited by “government” hacker groups in China.
All of these vulnerabilities are well known, and patches for them were released long ago. Alas, not all users and companies update their software on time, and exploits for these bugs are freely available.
The NSA notes that many of these problems are exploited not only by Chinese hackers, but are also part of the arsenal of ransomware operators, smaller hack groups, and other “government” hackers, including those from Russia and Iran.
“Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks,” - NSA
A few of the vulnerabilities listed in the document:
- CVE-2020-5902: The Traffic Management User Interface (TMUI) on proxy servers and F5 BIG-IP load balancers is vulnerable to an RCE bug that allows remote execution of arbitrary code and complete compromise of the device.
- CVE-2020-8193, CVE-2020-8195, CVE-2020-8196: another set of bugs in gateways and Citrix ADCs. These problems are also dangerous for SDWAN WAN-OP. The vulnerabilities allow unauthenticated access to certain URL endpoints and lead to information disclosure of low-privileged users.
- CVE-2020-15505: An RCE vulnerability in MobileIron MDM that allows remote attackers to execute arbitrary code and take over remote servers.
- CVE-2020-1350 (aka SIGRed): An RCE vulnerability in Windows Domain Name System servers, which boils down to the fact that they cannot properly process requests.
- CVE-2020-3118: A vulnerability in the Cisco IOS XR Software implementation of the Cisco Discovery Protocol that allows an unauthenticated, nearby attacker to execute arbitrary code or force a reboot of a vulnerable device.
- CVE-2020-8515: DrayTek Vigor devices allow remote code execution as root (without authentication) using shell metacharacters.
You can read more in the following document, released on media.defense.gov:
CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.pdf