APTs hammering unpatched vulnerabilities

Chinese state-sponsored attackers are placing a heavy reliance on known but commonly unpatched vulnerabilities to “establish a broad network of compromised infrastructure”, a US federal security agency warns.

While previously unknown (zero-day) vulnerabilities and novel exploits usually grab the most headlines, a joint advisory from the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warns that attacking “publicly known” flaws has become a mainstay of Chinese cyber-espionage.

Hit list

The advisory offers a list of network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.

Flaws in small business-focused routers, SSL VPNs, and Network Attached Storage (NAS) devices from the likes of Cisco, Fortinet, Netgear and QNAP feature heavily on the list.

Some of the main attacks in play can achieve remote code execution (RCE) against unpatched systems while others achieve their aims by achieving authentication bypass or privilege elevation.


Catch up on the latest cyber-attack news and analysis


Chinese state-backed attackers are using publicly available exploit codes against virtual private network (VPN) services or public facing applications to hack into major telecommunications companies and network service providers, creating a platform for follow-up attacks.

Hacked systems “serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities”, according to the CISA’s advisory, which builds on previous US intel agency reporting.

By building a network of compromised systems that act as a platform for follow-up assaults, Chinese APTs are hiding or obfuscating the source of attacks, making detection and response more challenging.

Industry experts said that CISA’s latest advisory is designed to hammer home the importance of prompt patching.

Slow patching peril

Andrew Kahl, CEO of BackBox, commented: “Last month CISA released a joint advisory (PDF) that recommended prioritizing the patching of software containing known vulnerabilities.

“These two advisories within a month of each other indicates threat actors are increasingly targeting known vulnerabilities, because they understand many organizations are slow to implement patches.”

Kahl added: “One of the most common vectors for attackers is through known vulnerabilities that otherwise could have been patched. In fact, 87% of organizations have experienced an attempted exploit of an already-known, existing vulnerability.”

Hiding in plain sight

Terry Olaes, director of sales engineering at Skybox, said that CISA’s alert pointed towards a need to adapt enterprise vulnerability remediation strategies to provide better coverage for less severe but actively exploited vulnerabilities.

Prompt triage would help organizations to protect themselves against attacks from a wide range of potential adversaries.

“Cybercriminals are increasingly targeting known vulnerabilities hiding in plain sight and turning them into backdoors to deploy complex attacks that are increasing at record rates,” Olaes said.

“If organizations only rely on conventional approaches to vulnerability management, they may only move to patch the highest severity vulnerabilities first based on the Common Vulnerability Scoring System (CVSS).”

Olaes concluded: “Cybercriminals know this is how many companies handle their cybersecurity, so they’ve learned to take advantage of vulnerabilities seen as less critical to carry out their attacks.”


RELATED Behind the Great Firewall: Chinese cyber-espionage adapts to post-Covid world with stealthier attacks