The United States Cybersecurity and Infrastructure Security Agency (CISA) has published a document that details how Chinese government affiliated hackers can compromise IT systems across a wide range of industries and official organisations with relative ease.
CISA with the help of the US Federal Bureau of Investigation said [pdf] they have observed that hackers acting for China’s Ministry of State Security use readily available information and open source tools to identify and attack misconfigured or unpatched systems.
The information and tools are found in code repositories such as Github and Exploit-DB, where they are legitimately published for development and penetration testing purposes.
The tools include the Cobalt Strike set of pentesting utilities, the China Chopper webshell, and Mimikatz account credentials capturing program, CISA said.
Commercial tools were also used by the Chinese MSS hackers, who also turn to scanning sites such as Shodan.io to find vulnerable systems.
The state-sponsored threat activity methodology has been observed for over a decade now, and CISA analysts note that the hackers are quick to target vulnerabilities within days of their disclosure.
Recent well-published severe vulnerabilities that have been exploited by the Chinese hackers include those affecting F5 Big-IP firewalls and load balancers, Citrix and Pulse Secure virtual private networks, and Microsoft Exchange messaging servers, CISA said.
Since it is easy for hackers to quickly mount low-complexity attacks against networks with low security posture, CISA and the FBI recommend that organisations place an increased priority on patching routinely exploited vulnerabilities.
“Maintaining a rigorous patching cycle continues to be the best defence against the most frequently used attacks,” CISA wrote.
“If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,” the cybersecurity agency added.