25 vulnerabilities exploited by Chinese state-sponsored hackers

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks.


“Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” the agency noted.

The list of vulnerabilities exploited by Chinese hackers

The list is as follows:

The vulnerability list they shared is likely not complete, as Chinese state-sponsored actors may use other known and unknown vulnerabilities. All network defenders – but especially those securing critical systems in organizations on which US national security and defense depend – should treat patching these flaws as a priority.

Mitigations are also available

If patching is not possible, the risk of exploitation for most of these can be lowered by implementing mitigations provided by the vendors. CISA also advises implementing general mitigations like:

  • Disabling external management capabilities and setting up an out-of-band management network
  • Blocking obsolete or unused protocols at the network edge and disabling them in device configurations
  • Isolating Internet-facing services in a network DMZ to reduce the exposure of the internal network
  • Enabling robust logging of Internet-facing services and monitoring the logs for signs of compromise

The agency also noted that the problem of data stolen or modified before a device has been patched cannot be solved only by patching, and that password changes and reviews of accounts are a good practice.

Additional “most exploited vulnerabilities” lists

Earlier this year, CISA released a list of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals; the NSA and the Australian Signals Directorate released a list of web application vulnerabilities that are commonly exploited to install web shell malware; and Recorded Future published a list of the ten software vulnerabilities most exploited by cybercriminals in 2019.

Admins and network defenders are encouraged to peruse them and patch those flaws as well.

Microsoft and partners cut off key Trickbot botnet infrastructure

Two weeks after someone (allegedly the US Cyber Command) temporarily interrupted the operation of the infamous Trickbot botnet, a coalition of tech companies headed by Microsoft has struck a serious blow against its operators.


“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” shared Tom Burt, corporate VP, Customer Security and Trust, Microsoft.

About Trickbot and the Trickbot botnet

Trickbot, which dates back to 2016, was originally a banking trojan, but due to its modular nature it is now capable of much more: gathering saved and entered credentials, browser histories, and network and system information; installing a backdoor; harvesting email addresses; running various commands on a Windows domain controller to steal Active Directory credentials; launching brute force attacks against selected Windows systems with an RDP connection exposed to the Internet; and downloading and loading ransomware on the infected computer.

The malware is often delivered through spam and spear phishing campaigns, and occasionally through the Emotet botnet.

“In recent times, Trickbot has been implicated in targeted ransomware attacks, where credentials stolen by the malware were used by the Ryuk ransomware operators to compromise victims’ networks and encrypt all accessible computers. This assessment has been confirmed by Europol, which recently noted that ‘the relationship between Emotet [another botnet], Ryuk and Trickbot is considered one of the most notable in the cybercrime world’,” Symantec (Broadcom) researchers noted.

“Trickbot has infected over a million computing devices around the world since late 2016. While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives,” Burt explained, and noted that beyond infecting end user computers, Trickbot has also infected a number of IoT devices, such as routers.

Disruption attempts

Since late September, Trickbot has been hit twice by (then-unknown) attackers.

According to Brian Krebs, they first pushed out a new configuration file to Windows computers infected with Trickbot, instructing them to consider 127.0.0.1 (a “localhost” address) their new control server.

A week later, they did it again, but at the same time, “someone stuffed the control networks that the Trickbot operators use to keep track of data on infected systems with millions of new records,” apparently in an attempt to “dilute the Trickbot database and confuse or stymie the Trickbot operators.”

These efforts, which were subsequently revealed to have been mounted by the US Cyber Command, did not permanently affect the botnet.

But the technical and legal efforts led by Microsoft and supported by FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Broadcom’s Symantec division are expected to considerably affect the botnet’s operation.

After gathering enough information about the botnet’s operation and C&C servers, Microsoft went to the United States District Court for the Eastern District of Virginia, which granted approval for Microsoft and partners to “disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.”

The operation will be followed by further action by ISPs and CERTs around the world, who will attempt to reach Trickbot victims and help them remove the malware from their systems.

“This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place,” Burt pointed out.

“While our work might not remove the threat posed by TrickBot, it will raise the cost of doing business for the criminal gang behind the botnet because they will be forced to divert resources away from exploitation activities in order to rebuild the parts of their infrastructure that we disrupted,” the Black Lotus Labs team noted.