Chinese Hackers Expanding Global Footprint Exploiting Common Vulnerabilities, Report Says

After the NSA published a list of 25 common vulnerabilities, cybersecurity research firm Check Point found that Chinese hackers have been exploiting them to expand globally

For the last few years, the U.S. intelligence agencies have observed a growth in the number of hacking activities from China, allegedly backed by the Chinese government. Their primary target has been U.S. government networks and businesses. The hackers mostly exploit known vulnerabilities to breach into a network to spy, steal data or plant ransomware to extort money.

Recently, the National Security Agency (NSA) had published a list of 25 vulnerabilities that the hackers were actively exploiting. They consider the Chinese hackers "one of the greatest threats" to U.S. National Security Systems, Department of Defense information networks and U.S. Defense Industrial Base. But as per research by cybersecurity firm Check Point, the U.S. isn't the only target. They have been expanding global footprints steadily.

Cyber attack
Chinese hacker have been targeting easy exploits to break into government and military networks across the world (representational picture) Pixabay

Expanding Global Footprints

Check Point turned to its real-time threat intelligence platform ThreatCloud to understand the global impact of the vulnerabilities listed by the NSA. They found that while the U.S. was the number one target of the Chinese hackers with over 500,000 attacks, Germany, the United Kingdom, Indonesia and the Netherlands were also faced significant cyberattacks.

"Following the NSA report, we wanted to see what's going on worldwide on attacks targeting those vulnerabilities, as those are on high-profile products, such as Microsoft, Adobe, and the majority of them may have a severe impact," Adi Ikan from Check Point's network research and protection team told DarkReading.

The hackers use a range of tactics to break into networks including phishing, brute-force, malware attack and exploiting vulnerabilities. The primary focus in the U.S., as per the research, seems to be more on government and military networks compared to other countries. Ikan said that even government and militaries from Canada, Spain and Denmark have also been targeted.

The U.S. is the most targeted country by Chinese hackers followed by Denmark, the U.K., Indonesia and the Netherlands Check Point

Common Exploits

Ikan said out of the listed vulnerabilities, few were easy to exploit. For example, Atlassian Confluence Server's remote code execution vulnerability (CVE-2019-3396) has been exploited often. He also noted that flaws with severe impacts and issues in high-profile tools were often targeted by hackers.

Apart from that, DrayTek Vigor VPN routers' Command Injection vulnerability (CVE-2020-8515) has also been exploited more often. The other mostly exploited security issue is Microsoft Windows NTLM Authentication Bypass (CVE-2019-1040). It allows a man-in-the-middle bypass the NTLM Message Integrity Check (MIC) protection. The other two Check Point listed in its top five vulnerabilities included Pulse Secure VPN's flaw (CVE-2019-11510) and Citrix's CVE-2019-19781 security issue.

Government and military networks are the most popular target of the Chinese hackers followed by businesses Check Point

The last two vulnerabilities have been widely exploited across the world. Pulse Secure VPN's flaw allows an attacker remote access without any authentication. The hacker can perform an arbitrary file reading to expose passwords. This vulnerability was recently used to target a U.S. government network and the hacker was able to copy data to a mounted hard-drive.

Then there is the flaw in Citrix's Application Delivery Controller and Gateway. It has been widely exploited with the notable one being in a German hospital. As a result of that, a patient died, becoming the first known casualty of a cyberattack. Check Point also noted CVE-2020-5902 being used by the Chinese hackers. This remote code execution vulnerability in F5 BIG-IP proxy devices allows hackers unauthenticated access to the Traffic Management user interface.

For all those vulnerabilities, patches have already been released and intelligence agencies have advised applying the fixes immediately. However, network administrators fail to apply the fixes helping hackers take advantage of the situation.

Related topics : Cybersecurity