The Cybersecurity and Infrastructure Security Agency (CISA) published a new advisory warning public and private sector organizations about China-based state-sponsored cyber-attacks against US firms.
The document, jointly released by CISA, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), describes a series of Common Vulnerabilities and Exposures (CVEs) affecting network devices that the unnamed cyber-actors are reported to have exploited regularly since 2020.
These devices include small office/home office (SOHO) routers and network-attached storage (NAS) devices, which were exploited to gain extensive and/or persistent access to organizations’ networks and were used as command-and-control (C2) infrastructure to pivot to other targets.
After gaining access to an organization’s network devices, the actors reportedly executed router commands to route, capture and exfiltrate traffic out of the network to actor-controlled infrastructure.
As for tooling, the cyber-actors reportedly used a mix of custom tools and publicly available ones, particularly those native to the network environment, in order to obscure their activity and blend in with normal network traffic.
According to the advisory, the cyber-actors have also consistently evolved and adapted their tactics to bypass defenses, modifying their infrastructure and toolsets immediately after information about their ongoing campaigns was published.
They also frequently modified and/or removed local log files to eliminate evidence of their activity and evade detection.
A complete list of the CVEs and network commands used during the campaign is available in the advisory’s original text.
To mitigate the vulnerabilities listed in the advisory, CISA said organizations should apply any available patches to their systems, replace end-of-life infrastructure, and implement a centralized patch management program.
The advisory comes days after the Agency issued a joint statement with the Department of Energy (DoE) warning of attacks against internet-connected uninterruptible power supply (UPS) devices.