More specifically, CISA and the FBI warn that hackers linked to China's Ministry of State Security (MSS) are attacking US government agencies and private companies by exploiting bugs in publicly exposed systems.
According to a recent indictment by the US Department of Justice, hackers linked to the MSS have targeted various industries in the US and other countries. Among the sectors in their sights are high-tech manufacturers, medical device manufacturers, civil services, educational institutions, pharmaceutical companies and the defense sector of the targeted countries. The attacks were carried out as part of a campaign that lasted more than ten years. These Chinese-funded hackers acted both for their own benefit and for the benefit of the Chinese MSS.
In their attacks, the China-linked hackers search for vulnerable, publicly exposed devices using the Shodan search engine and vulnerability databases such as CVE (Common Vulnerabilities and Exposures) and the NVD (National Vulnerability Database).
According to BleepingComputer, CISA has observed that the hackers target bugs in F5, Citrix and Microsoft Exchange Server products to gain access to an organization's network and collect data. According to CISA, the most notable Exchange, Citrix and F5 bugs targeted by the hackers are the following:
- CVE-2020-5902: F5 BIG-IP - This bug allows a remote intruder to access the TMUI (Traffic Management User Interface) of the BIG-IP application delivery controller (ADC) without authentication and to achieve remote code execution.
- CVE-2019-19781: Citrix VPN appliances - Bugs in the Citrix Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN WANOP allow unauthorized intruders to execute remote commands and gain access to a network.
- CVE-2020-0688: Microsoft Exchange Server - This bug is in the Exchange Control Panel (ECP) component and is caused by Exchange failing to generate unique cryptographic keys during installation. Once exploited, intruders can achieve remote code execution (RCE) on the server with SYSTEM privileges.
In addition, once a network is compromised, the Chinese-funded hackers download a set of tools that allow them to gain further access to computers on the compromised network. According to CISA, the hackers usually download specific tools to advance their attacks, including the following:
- Cobalt Strike: Cobalt Strike is a legitimate adversary simulation platform intended for use by security professionals to evaluate the security of a network. The hackers use crafted URIs as part of their attacks to gain backdoor access to compromised systems and to deploy additional tools on the target network.
- China Chopper Web Shell: This tool allows hackers to install PHP, ASP, ASPX, JSP and CFM web shells (backdoors) on publicly exposed web servers. Once the China Chopper web shell is installed, the hackers gain full access to the remote server through the exposed site.
- Mimikatz: Mimikatz is a tool that allows hackers to steal Windows credentials stored in a computer's memory. It is commonly used by hackers, often alongside ransomware, to obtain administrator credentials and compromise Windows domain controllers.
Using the above three tools, the hackers can spread from a compromised system to other devices until they gain full control of the targeted network. In addition, CISA warns that the hackers are exploiting the Microsoft Exchange CVE-2020-0688 RCE bug to collect emails from Exchange servers in Federal Government environments.
Therefore, CISA and the FBI recommend that agencies monitor their infrastructure on a daily basis and update their management plans. They are also advised to regularly check their configuration programs to ensure that they can monitor and mitigate emerging threats. In this way they will prevent possible "operations" by sophisticated cyber threat actors and protect their resources and information.