Chinese state-sponsored hackers have been exploiting publicly-known vulnerabilities to compromise major telecommunications companies and network service providers.
In a joint cybersecurity advisory, the NSA, CISA, and the FBI say that attackers have breached networks from small office/home office (SOHO) routers right up to medium and large enterprise networks, using open source tools such as RouterSploit and RouterScan to identify devices with known vulnerabilities.
“The PRC has been exploiting specific techniques and common vulnerabilities since 2020 to use to their advantage in cyber campaigns,” they warn.
“Exploiting these vulnerabilities has allowed them to establish broad infrastructure networks to exploit a wide range of public and private sector targets.”
Compromised devices are used as additional access points to route command and control traffic and act as midpoints to breach yet more networks, spying on the traffic and stealing data.
“These devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of internet-facing services and endpoint devices,” the advisory reads.
The 16 vulnerabilities the agencies flag as most concerning were disclosed between 2017 and April last year and, they say, have been comparatively easy to exploit.
In one attack, hackers identified a critical Remote Authentication Dial-In User Service (RADIUS) server, then gained credentials to access the underlying Structured Query Language (SQL) database. They then used SQL commands to dump the credentials, which contained both cleartext and hashed passwords for user and administrative accounts.
The credentials were then used with custom automated scripts to establish the current configuration of each router; the attackers could then successfully authenticate and execute router commands to route, capture, and steal data.
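The automated, credential-driven sweep described above has a recognisable shape in device logs: one account and one source address authenticating to many routers within seconds. The following is an added detection example written for this article, not code from the advisory or the agencies; the log format, hostnames, addresses and the management-network range are all constructed for illustration.

```python
"""Detect one (user, source) pair fanning out across many routers in a short
window, plus router logins from outside the management network.
Added example; the syslog-like line format below is hypothetical."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: six rapid logins from one external address with one
# account, two normal admin logins from the management LAN, one failed root try.
SAMPLE_LOG = """\
2021-03-02T10:00:01Z router-edge-01 login: user=netadmin src=203.0.113.45 result=success
2021-03-02T10:00:04Z router-edge-02 login: user=netadmin src=203.0.113.45 result=success
2021-03-02T10:00:07Z router-edge-03 login: user=netadmin src=203.0.113.45 result=success
2021-03-02T10:00:09Z router-core-01 login: user=netadmin src=203.0.113.45 result=success
2021-03-02T10:00:12Z router-core-02 login: user=netadmin src=203.0.113.45 result=success
2021-03-02T10:00:14Z router-edge-04 login: user=netadmin src=203.0.113.45 result=success
2021-03-02T11:15:00Z router-edge-01 login: user=jsmith src=10.20.0.8 result=success
2021-03-02T14:30:22Z router-edge-02 login: user=jsmith src=10.20.0.8 result=success
2021-03-02T15:02:10Z router-edge-01 login: user=root src=198.51.100.7 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) login: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Network from which interactive router logins are expected (assumed value).
MGMT_NET = ipaddress.ip_network("10.20.0.0/16")


def parse_log(text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login records
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_fanout(events, window=timedelta(minutes=5), min_devices=4):
    """Return (user, src) pairs that logged in successfully to at least
    `min_devices` distinct routers inside some sliding window of `window`."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_key[(ev["user"], ev["src"])].append((ev["ts"], ev["device"]))
    findings = []
    for (user, src), hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            devices = {d for t, d in hits[i:] if t - start <= window}
            if len(devices) >= min_devices:
                findings.append({"user": user, "src": src,
                                 "devices": sorted(devices), "first_seen": start})
                break  # one finding per pair is enough to raise an alert
    return findings


def find_offnet_logins(events, mgmt_net=MGMT_NET):
    """Router login attempts (any result) from outside the management network."""
    return [ev for ev in events
            if ipaddress.ip_address(ev["src"]) not in mgmt_net]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_fanout(evs):
        print(f"ALERT fan-out: {f['user']}@{f['src']} reached "
              f"{len(f['devices'])} routers starting {f['first_seen']}")
    for ev in find_offnet_logins(evs):
        print(f"NOTE off-net login: {ev['user']} on {ev['device']} "
              f"from {ev['src']} ({ev['result']})")
```

The fan-out threshold and window are tunable; a legitimate configuration-management system will also touch many routers quickly, so in practice its source address and service account would be allow-listed before alerting, and the off-net check is only meaningful once management-plane access is actually restricted to a known range, as the segmentation advice below implies.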
Unsurprisingly, the agencies are urging potential victims – including US and allied governments, critical infrastructure providers, and private industry – to apply mitigation measures. These include frequent patching, multifactor authentication, network segmentation and disabling unused or unnecessary network services, ports, protocols, and devices to reduce the attack surface.
However, they warn, organizations will need to stay on the ball.
“NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders’ accounts and actions, and then modifying their ongoing campaign as needed to remain undetected,” they say.
“Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns.”
Indeed, it is quite possible that the release of this advisory will, unfortunately, have the same effect.