Dive Brief:
- State-sponsored threat actors backed by the People’s Republic of China are targeting telecom and network service providers, according to a warning from federal authorities issued Tuesday.
- The FBI, National Security Agency and the Cybersecurity and Infrastructure Security Agency warned that threat actors were attacking small office/home office (SOHO) routers and network attached storage (NAS) devices to use as midpoints for network intrusions.
- Federal authorities said organizations should keep products updated and patched, disable unused ports, disconnect devices that may be compromised and apply multifactor authentication.
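One of the recommended mitigations above, disabling unused ports, is easiest to act on when exposed services are checked against what the device is actually supposed to offer. The script below is an added example, not code from the article or from the advisory it reports: it parses a constructed `ss -tuln`-style listing from a hypothetical SOHO router or NAS, compares every listening socket against an assumed allowlist of expected services, and reports anything else, calling out sockets bound to non-loopback addresses since those are reachable from the network.

```python
"""Audit listening sockets on a SOHO router or NAS against an allowlist.

Added example (not the article's or the advisory's own code).  The sample
listing and the allowlist are assumptions constructed for the example; in
practice the listing comes from `ss -tuln` run on the device and the
allowlist from the device's documented role.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of `ss -tuln` output (not captured from a real device).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080           [::]:*
udp   UNCONN 0      0      0.0.0.0:1812        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:53        0.0.0.0:*
"""

# Assumed allowlist of (protocol, port) pairs this device is expected to expose:
# SSH and HTTPS management plus a local DNS resolver.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 443), ("udp", 53)}

LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str  # "tcp" or "udp"
    addr: str   # local bind address as printed by ss, e.g. "0.0.0.0" or "[::]"
    port: int


def parse_ss(text: str) -> List[Listener]:
    """Parse the Netid/State/.../Local Address:Port columns of an ss listing."""
    listeners: List[Listener] = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rpartition keeps IPv6 brackets intact: "[::]:8080" -> ("[::]", "8080")
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # skip entries without a numeric port (e.g. "*")
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def unexpected_listeners(listeners: List[Listener],
                         allowed: Set[Tuple[str, int]]) -> List[Listener]:
    """Return every listener whose (proto, port) is not on the allowlist."""
    return [l for l in listeners if (l.proto, l.port) not in allowed]


def audit(text: str, allowed: Set[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Split unexpected listeners into network-reachable and loopback-only findings."""
    findings: Dict[str, List[str]] = {"exposed": [], "local_only": []}
    for l in unexpected_listeners(parse_ss(text), allowed):
        bucket = "local_only" if l.addr in LOOPBACK_ADDRS else "exposed"
        findings[bucket].append(f"{l.proto}/{l.port} bound to {l.addr}")
    return findings


if __name__ == "__main__":
    for severity, items in audit(SAMPLE_SS_OUTPUT, ALLOWED).items():
        for item in items:
            print(f"[{severity}] unexpected listener: {item}")
```

Run against the constructed sample, the audit flags telnet on tcp/23, a web service on tcp/8080 and RADIUS on udp/1812 as exposed and unexpected; the decision about whether each should be disabled, firewalled or added to the allowlist then belongs to whoever owns the device.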
Dive Insight:
State-sponsored actors backed by China have been working since 2020 to conduct widespread cyber campaigns that exploit common vulnerabilities and exposures (CVEs), according to the alert.
Using those CVEs, threat actors were able to run exploit code against virtual private networks or public-facing applications, authorities said. This lets them avoid deploying their own distinctive or identifying malware, provided they act before the targeted organizations update their systems.
The threat actors have typically accessed compromised servers, known as hop points, from various China-based internet protocol addresses that resolved to different Chinese internet service providers (ISPs), according to the alert. The servers allow them to access operational email accounts and host command-and-control (C2) domains.
Some of the top network device CVEs involved vendors such as Cisco, Pulse, QNAP and others, according to the alert.
The threat actors have used open-source tools like RouterSploit and RouterScan in order to conduct reconnaissance and vulnerability scanning, according to the alert. The tools aid in the exploitation of routers from providers like Cisco, Fortinet, Netgear and MikroTik, according to the alert.
Once the threat actors identify a Remote Authentication Dial-In User Service (RADIUS) server, they obtain the credentials it uses to reach a Structured Query Language (SQL) database, then run SQL commands to dump credentials from it.
Armed with those credentials, threat actors can reroute traffic to infrastructure they command.
Vulnerabilities have previously been used in Pulse Secure devices to target the defense industry.
Cyclops Blink, a Russia-linked botnet, used ASUS routers and WatchGuard firewall appliances to launch attacks. The DOJ announced an operation in April to disrupt the botnet.
Just last month researchers warned of vulnerabilities in network devices.