Multiple Agency Threat Alert Issued for Chinese Ministry of State Security Threat Actor Activity
Description
On September 14th, the United States Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI), released a joint Technical Alert that attributes malicious cyber activity to the Chinese government, specifically the Chinese Ministry of State Security (MSS).
The Technical Alert provides an in-depth analysis of Chinese government activity targeting United States government interests using open-source exploitation tools and known vulnerabilities. Organizations in other verticals, and in other countries, were also observed being targeted. According to the report, these verticals included high-tech manufacturing, medical devices, civil and industrial engineering, business, education, gaming software, solar energy, pharmaceuticals, and defense, in a campaign that lasted for over ten years.
What Other Information was Provided in this Report?
The Technical Alert also provides further insight into the TTPs (tactics, techniques and procedures) of Chinese MSS activity, especially the reconnaissance carried out against targeted organizations. The tactics outlined in the report include determining the attack vector, gathering information about targets via OSINT (open-source intelligence), and scanning networks to reveal vulnerabilities and weaknesses that can be exploited.
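The network scanning described above tends to leave a recognizable footprint in perimeter logs: one source touching many ports on a single host, or one port across many hosts, in a short period. The following script is an added example written for this page, not code from the alert or from FortiGuard; the log line format, field names, thresholds and sample traffic are all constructed assumptions for illustration. It parses firewall-style log lines and flags sources whose behaviour within a sliding time window looks like vertical or horizontal scanning.

```python
"""Flag port-scan style reconnaissance in firewall logs.

Added example for illustration only; the log format below is an assumed,
constructed format (not a real vendor format), and the thresholds are
assumptions a defender would tune to their own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "action": m.group("action"),
    }


def find_scanners(lines, window=timedelta(minutes=5), min_ports=10, min_hosts=10):
    """Return {source_ip: reason} for sources whose events inside any sliding
    window reach min_ports distinct ports on one host (vertical scan) or
    min_hosts distinct hosts on one port (horizontal scan)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so it spans at most `window` of time
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports_per_dst = defaultdict(set)
            dsts_per_port = defaultdict(set)
            for e in evs[start:end + 1]:
                ports_per_dst[e["dst"]].add(e["dport"])
                dsts_per_port[e["dport"]].add(e["dst"])
            vertical = max((len(p) for p in ports_per_dst.values()), default=0)
            horizontal = max((len(h) for h in dsts_per_port.values()), default=0)
            if vertical >= min_ports:
                findings[src] = f"vertical scan: {vertical} distinct ports on one host"
                break
            if horizontal >= min_hosts:
                findings[src] = f"horizontal scan: {horizontal} hosts on one port"
                break
    return findings


def build_sample_logs():
    """Constructed sample lines (not real traffic): one vertical scanner,
    one horizontal scanner, one benign client, and one unparseable line."""
    base = datetime(2020, 9, 14, 12, 0, 0)
    lines = []
    for i in range(15):  # 15 ports on a single host within 30 seconds
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} src=203.0.113.5 dst=10.0.0.1 dport={21 + i} action=deny")
    for i in range(12):  # port 443 on 12 hosts within 36 seconds
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} src=198.51.100.7 dst=10.0.0.{i + 1} dport=443 action=allow")
    for i in range(4):  # benign: one client reaching one service a few times
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} src=192.0.2.9 dst=10.0.0.1 dport=443 action=allow")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, reason in find_scanners(build_sample_logs()).items():
        print(f"{src}: {reason}")
```

The thresholds deliberately ignore whether the firewall allowed or denied the connection, since a reconnaissance scan against exposed appliances such as the VPN gateways named below will often consist of allowed connections to a single service across many hosts; the `action` field is kept in the parsed event so an analyst can split the two cases when tuning.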
According to the report, specific vulnerabilities targeted by Chinese MSS threat actors during the past 12 months were:
CVE-2020-5902: F5 Big-IP Vulnerability
CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances
CVE-2019-11510: Pulse Secure VPN Servers
CVE-2020-0688: Microsoft Exchange Server
Open-source penetration testing tools observed being used by Chinese MSS threat actors were:
Cobalt Strike
Mimikatz
Custom in-house tools attributed to the MSS were:
China Chopper Web Shell
What is the Severity of Impact?
The severity should be regarded as MEDIUM, because these campaigns have been observed only in limited, targeted attacks.
Any Other Suggested Mitigation and/or Workarounds?
All vendors of the affected software mentioned in this advisory have provided patches for the known vulnerabilities. If patching is deemed not feasible at this time, it is recommended that a risk assessment be conducted to determine additional mitigating safeguards within the environment. Organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine for when vendor updates become available. For additional guidance, please refer to the Appendix section, which contains links to specific vendor suggestions and mitigations.
What is the status of AV/IPS and Web Filtering coverage?
FortiGuard Labs has coverage in place for the vulnerabilities and exploitation tools mentioned in this Technical Alert. As the report does not contain specific indicators such as file hashes, the following is a general list of signatures for the families of exploitation tools and vulnerabilities it lists.
Customers running the latest definition sets are protected by the following (AV) signatures:
Adware/Mimikatz
Riskware/Mimikatz
W32/Mimikatz.A
Riskware/Mimikatz.D
Riskware/Mimikatz.G
Riskware/Mimikatz.HF
Riskware/Mimikatz.HE
Riskware/MIMIKATZ64
Customers running the latest definition sets are protected by the following (IPS) signatures:
Backdoor.Cobalt.Strike.Beacon
China.Chopper.Web.Shell.Client.Connection
Post.Exploitation.Credential.Stealer.Mimikatz
CVE-2020-5902
F5.BIG.IP.Traffic.Management.User.Interface.Directory.Traversal
CVE-2019-19781
Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal
CVE-2019-11510
Pulse.Secure.SSL.VPN.HTML5.Information.Disclosure
CVE-2020-0688
MS.Exchange.Validation.Key.ViewState.Remote.Code.Execution
Appendix
Alert (AA20-258A) Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
K52145254: TMUI RCE vulnerability CVE-2020-5902
CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability