On the evening of June 7, 2022, the United States National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) released a joint advisory detailing the tactics, techniques, and procedures (TTPs) used by unspecified Chinese state-backed threat actors to target unspecified telecommunication and network service organizations and exploit common vulnerabilities in network devices.
According to the advisory, threat actors are using publicly available exploit code to compromise virtual private networks (VPNs) and public-facing applications of network providers. The campaign is reportedly extensive and sophisticated. Threat actors operate compromised servers as hop points from China-based IP addresses and use the servers to host email accounts, command and control (C2) domains, and interact with targeted networks. Federal agencies observed the threat actors monitoring network defender accounts and activities, then modifying their approach to conceal their activity.
The attack pattern observed by federal agencies proceeded as follows:
- Threat actors used RouterSploit and RouterScan tools to scan network devices for unpatched vulnerabilities
- After gaining access to a target network, threat actors identified critical users and infrastructure and stole credentials to access SQL databases, and then used SQL commands to dump plaintext credentials for user and administrator accounts
- Next, threat actors used custom automated scripts to authenticate stolen credentials to network devices via SSH, executed router commands, and saved output
- After capturing the output, threat actors exfiltrated configurations for devices to their own servers
- Threat actors then reentered the targeted network at will and used the access to authenticate and execute router commands to route, capture, and exfiltrate network traffic to their own servers
RH-ISAC members should implement regular patching and configuration checks for network devices to defend against similar attacks. Common Vulnerabilities and Exposures (CVEs) are widespread in popular network devices, such as the switches and routers used widely by commercial organizations, and are a particularly attractive attack vector for sophisticated threat groups, since access is easy to escalate via automated means like those described in the advisory.
While leaving network devices unpatched is dangerous for any organization, RH-ISAC members that operate in the critical infrastructure space should remain especially vigilant in ensuring their network devices are properly patched and configured on a regular basis. This includes organizations involved in chemical production, critical manufacturing, communications, food production, shipping, aerospace, travel, and technology.
While Chinese-backed threat groups are known to steal proprietary data and intellectual property from major industry leaders in the retail, hospitality, and travel sectors, organizations that operate as part of critical national infrastructure (CNI) as described above are particularly attractive targets to state-backed threat actors due to the potential for high impact from compromises.
The joint advisory provided the following mitigations:
- Keep systems and products updated and patched as soon as possible after patches are released. Consider leveraging a centralized patch management system to automate and expedite the process.
- Immediately remove or isolate suspected compromised devices from the network.
- Segment networks to limit or block lateral movement.
- Disable unused or unnecessary network services, ports, protocols, and devices.
- Enforce multi-factor authentication (MFA) for all users, without exception.
- Enforce MFA on all VPN connections. If MFA is unavailable, enforce password complexity requirements.
- Implement strict password requirements, enforce password complexity, change passwords at a defined frequency, and perform regular account reviews to ensure compliance.
- Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures.
- Disable external management capabilities and set up an out-of-band management network.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network.
- Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.
- Ensure that you have dedicated management systems and accounts for system administrators. Protect these accounts with strict network policies.
- Enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions.
- Upon responding to a confirmed incident within any portion of a network, response teams should scrutinize network infrastructure accesses, evaluate potential lateral movement to network infrastructure and implement corrective actions commensurate with their findings.
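The scripted SSH step in the attack pattern (one stolen account authenticating to many network devices in quick succession) is a concrete thing the "robust logging and review of network infrastructure accesses" mitigation can catch. The following is an added example, not code from the advisory or RH-ISAC: it assumes a constructed syslog-like line format, an assumed out-of-band management network of 10.250.0.0/24, and constructed sample log lines, and flags any account/source pair outside that network that logs in to three or more distinct devices within five minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: the out-of-band management network from which admin SSH is expected.
MGMT_NET = ip_network("10.250.0.0/24")

# Constructed sample device logs in an assumed format:
# "<iso-timestamp> <device> sshd user=<account> src=<ip> <accepted|failed>"
SAMPLE_LOGS = """\
2022-06-07T21:01:03 core-rtr-01 sshd user=netadmin src=10.250.0.5 accepted
2022-06-07T21:05:10 edge-rtr-01 sshd user=netadmin src=203.0.113.7 accepted
2022-06-07T21:05:14 edge-rtr-02 sshd user=netadmin src=203.0.113.7 accepted
2022-06-07T21:05:19 dist-sw-01 sshd user=netadmin src=203.0.113.7 accepted
2022-06-07T21:05:22 dist-sw-02 sshd user=netadmin src=203.0.113.7 accepted
2022-06-07T21:40:00 core-rtr-02 sshd user=netadmin src=10.250.0.5 accepted
"""

def parse_line(line):
    """Split one log line into its fields (assumed fixed layout above)."""
    ts, device, _svc, user, src, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "device": device,
        "user": user.split("=", 1)[1],
        "src": ip_address(src.split("=", 1)[1]),
        "result": result,
    }

def find_credential_sweeps(log_text, window=timedelta(minutes=5), min_devices=3):
    """Return (user, src, devices) for each account/source pair outside the
    management network that logged in to >= min_devices distinct devices
    within `window`: the footprint of scripted SSH with stolen credentials."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["result"] == "accepted" and e["src"] not in MGMT_NET:
            events[(e["user"], str(e["src"]))].append((e["ts"], e["device"]))
    alerts = []
    for (user, src), hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            devices = {d for t, d in hits[i:] if t - t0 <= window}
            if len(devices) >= min_devices:
                alerts.append((user, src, sorted(devices)))
                break  # one alert per account/source pair
    return alerts
```

In the sample data the two logins from the management network are expected and ignored, while the four logins from 203.0.113.7 within twelve seconds produce one alert.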