US agencies warn of PRC state-sponsored hackers targeting telecommunications, network service providers

U.S. cybersecurity agencies published Tuesday a joint Cybersecurity Advisory outlining the ways in which People’s Republic of China (PRC) state-sponsored hackers continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. The advisory identified that these PRC state-sponsored hackers frequently utilize open-source tools for reconnaissance and vulnerability scanning, and use the network to exploit various targets worldwide, including public and private sector organizations. The notice details the targeting and compromise of major telecommunications companies and network service providers. 

“It builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal, and territorial (SLTT) government; critical infrastructure (CI), including the Defense Industrial Base (DIB); and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs),” according to the joint advisory coauthored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). 

The advisory also identified the top vulnerabilities, primarily Common Vulnerabilities and Exposures (CVEs), associated with network devices that have been routinely exploited by cybercriminals since 2020. In March, the FBI warned the U.S. energy sector about network scanning activity stemming from multiple Russia-based IP addresses. The activity was believed to be associated with cyber hackers ‘who previously conducted destructive cyber activity against foreign critical infrastructure.’

Last month, SentinelLabs researchers announced tracking the activity of a Chinese-aligned cyberespionage hacker group operating in Central Asia, dubbed ‘Moshen Dragon,’ targeting the telecommunication sector. Some of the activity partially overlaps with threat groups tracked by other vendors, such as RedFoxtrot and Nomad Panda.

In the wake of the rising threat levels, the agencies urged the U.S. and allied governments, the critical infrastructure sector, and private industry organizations to mitigate the vulnerabilities by applying the available patches to their systems, disabling unnecessary ports and protocols, replacing end-of-life infrastructure, and implementing a centralized patch management program. 

The advisory said that the PRC state-sponsored cyber hackers readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. 

“Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices,” the agencies said in the advisory. “In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.”

Since 2020, PRC state-sponsored cyber hackers have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities, also known as common vulnerabilities and exposures (CVEs). The technique has allowed the hackers to gain access to victim accounts using publicly available exploit code against virtual private network (VPN) services or public-facing applications, without using their own distinctive or identifying malware, so long as the hackers acted before victim organizations updated their systems. 

PRC state-sponsored cyber hackers typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs), according to the advisory. “The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks,” it added.

These hackers are also consistently evolving and adapting tactics to bypass defenses. NSA, CISA, and the FBI have observed state-sponsored cyber hackers monitoring network defenders’ accounts and actions, and then modifying their ongoing campaign as needed to remain undetected, the advisory said. 

Cyber hackers have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns. PRC state-sponsored cyber hackers often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network, it added.

The joint advisory found that PRC state-sponsored hackers have utilized open-source router-specific software frameworks, RouterSploit and RouterScan, to identify makes, models, and known vulnerabilities for further investigation and exploitation. The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. RouterScan is an open-source tool that easily allows for the scanning of IP addresses for vulnerabilities. These tools enable the exploitation of SOHO and other routers manufactured by industry providers, including Cisco, Fortinet, and MikroTik.

Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored hackers have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting, the agencies said. After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber hackers gained credentials to access the underlying Structured Query Language (SQL) database and utilized SQL commands to dump the credentials, which contained both cleartext and hashed passwords for user and administrative accounts, it added. 

Having gained credentials from the RADIUS server, PRC state-sponsored hackers used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output. These scripts targeted Cisco and Juniper routers and saved the output of the executed commands, including the current configuration of each router. 

The advisory confirmed that after successfully capturing the command output, these configurations were exfiltrated off-network to the actor’s infrastructure. “The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network,” it added.

Armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the hackers returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure.

The PRC state-sponsored hackers also utilized command-line utility programs like PuTTY Link (Plink) to establish SSH tunnels between internal hosts and leased virtual private server (VPS) infrastructure. “These actors often conducted system network configuration discovery on these host networks by sending hypertext transfer protocol (HTTP) requests to C2 infrastructure in order to illuminate the external public IP address,” the advisory said.

The cybersecurity agencies called upon organizations to disable external management capabilities and set up an out-of-band management network, isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network and enable robust logging of Internet-facing services and monitor the logs for signs of compromise. 

Additionally, enterprises must ensure dedicated management systems for system administrators, which must be protected with strict network policies. They must also enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions.
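The router-configuration harvesting described above (one set of RADIUS-derived credentials used by scripts to log into many routers and dump their configurations) is exactly the pattern that the recommended logging and review of network infrastructure accesses can surface. The following is an added detection example, not code from the advisory or the agencies; it assumes a simplified command-accounting log format of the author's own design, with constructed sample lines, and flags any user/source pair that dumps full configurations from several distinct routers within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample command-accounting lines (not taken from the advisory).
# Assumed format: "<timestamp> <router> user=<u> src=<ip> cmd=<command>"
SAMPLE_LOG = """\
2022-06-07T01:00:05 rtr-core-01 user=netops src=10.9.8.7 cmd=show running-config
2022-06-07T01:00:09 rtr-edge-02 user=netops src=10.9.8.7 cmd=show running-config
2022-06-07T01:00:14 rtr-edge-03 user=netops src=10.9.8.7 cmd=show version
2022-06-07T01:00:18 rtr-edge-03 user=netops src=10.9.8.7 cmd=show running-config
2022-06-07T01:00:22 rtr-agg-04 user=netops src=10.9.8.7 cmd=show configuration
2022-06-07T09:30:00 rtr-edge-02 user=alice src=10.1.1.5 cmd=show interfaces
2022-06-07T10:15:00 rtr-core-01 user=alice src=10.1.1.5 cmd=show running-config
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) user=(?P<user>\S+) src=(?P<src>\S+) cmd=(?P<cmd>.+)$"
)
# Commands that dump a whole device configuration (Cisco IOS and Junos spellings).
CONFIG_DUMP_RE = re.compile(r"^show (running-config|startup-config|configuration)\b")

def parse(log_text):
    """Parse accounting lines into dicts; lines not matching the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def find_config_harvesting(events, min_devices=3, window=timedelta(minutes=10)):
    """Return {(user, src): [devices]} for actors that dumped configs from at least
    min_devices distinct routers inside any sliding window of the given length."""
    by_actor = defaultdict(list)
    for ev in events:
        if CONFIG_DUMP_RE.match(ev["cmd"]):
            by_actor[(ev["user"], ev["src"])].append((ev["ts"], ev["device"]))
    alerts = {}
    for actor, dumps in by_actor.items():
        dumps.sort()  # order by timestamp so the window scan is linear in time
        for i, (start, _) in enumerate(dumps):
            devices = {d for t, d in dumps[i:] if t - start <= window}
            if len(devices) >= min_devices:
                alerts[actor] = sorted(devices)
                break
    return alerts
```

A legitimate administrator reviewing one or two routers (the `alice` lines) stays below the threshold, while the scripted sweep across four routers in under a minute is reported.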

Last week, an advisory was issued that provides information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. The hackers have employed various tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. The agencies also provided some recommended actions to mitigate the cyber threats.
