Multiple Agency Threat Alert Issued for Chinese Ministry of State Security Threat Actor Activity

Description

On September 14th, the United States Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI), released a joint Technical Alert attributing malicious cyber activity to the Chinese government, specifically the Chinese Ministry of State Security (MSS).


The Technical Alert provides an in-depth analysis of Chinese government activity targeting United States government interests using open source exploitation tools and known vulnerabilities. Other verticals, including organizations in other countries, were observed being targeted as well. According to the report, these verticals included high-tech manufacturing, medical devices, civil and industrial engineering, business, education, gaming software, solar energy, pharmaceuticals, and defense, in a campaign that lasted for over ten years.


What Other Information was Provided in this Report?

The Technical Alert provides further insight into the TTPs (tactics, techniques and procedures) of Chinese MSS activity, especially the reconnaissance performed against targeted organizations. The tactics outlined in the report include determining the attack vector, gathering information about targets via OSINT (open source intelligence), and scanning networks to reveal vulnerabilities and weaknesses to exploit.


According to the report, the specific vulnerabilities targeted by Chinese MSS threat actors during the past 12 months were:

CVE-2020-5902: F5 Big-IP Vulnerability

CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances

CVE-2019-11510: Pulse Secure VPN Servers

CVE-2020-0688: Microsoft Exchange Server
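The network scanning and vulnerability probing described above leaves traces in ordinary web-server access logs. The following Python triage script is an added example, not part of the alert or of any FortiGuard tooling: it normalizes request paths from constructed Apache-style log lines, flags directory-traversal attempts, and tags each hit with the CVE from the list above whose management interface it targets (the /tmui/, /vpn/ and /dana-na/ prefixes are an assumed mapping made for this example).

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines for this example (not taken from the alert).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 512
203.0.113.7 - - [14/Sep/2020:10:01:05 +0000] "GET /tmui/login.jsp/..;/tmui/admin/ HTTP/1.1" 200 1300
198.51.100.9 - - [14/Sep/2020:10:02:11 +0000] "GET /vpn/../vpns/example.cfg HTTP/1.1" 200 410
198.51.100.9 - - [14/Sep/2020:10:03:30 +0000] "GET /vpn/index.html HTTP/1.1" 200 2200
192.0.2.4 - - [14/Sep/2020:10:04:00 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 180
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Management-interface prefixes mapped to the CVEs the alert lists (assumed mapping for this example).
WATCHED_PREFIXES = {
    "/tmui/": "CVE-2020-5902",      # F5 BIG-IP Traffic Management User Interface
    "/vpn/": "CVE-2019-19781",      # Citrix ADC / Gateway VPN portal
    "/dana-na/": "CVE-2019-11510",  # Pulse Secure SSL VPN web interface
}

def normalize_path(raw):
    """Drop the query string, URL-decode twice (catches %252e), treat backslashes as slashes and strip ';param' path parameters so evasions such as '..;/' read as '../'."""
    path = unquote(unquote(raw.split("?", 1)[0])).replace("\\", "/")
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def has_traversal(path):
    """True if any segment of the normalized path is '..'."""
    return any(seg == ".." for seg in path.split("/"))

def scan_log(text):
    """One record per traversal attempt; priority is 'high' when a watched interface answered with 2xx."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["path"])
        if not has_traversal(path):
            continue
        cve = next((c for pre, c in WATCHED_PREFIXES.items() if path.startswith(pre)), None)
        status = int(m["status"])
        priority = "high" if cve and 200 <= status < 300 else "low"
        hits.append({"ip": m["ip"], "path": path, "status": status, "cve": cve, "priority": priority})
    return hits
```

Calling scan_log(SAMPLE_LOG) yields three hits; only the /tmui/ and /vpn/ requests that were answered with 200 are rated high, which is the distinction a responder wants when deciding what to escalate first.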


Open source penetration testing tools observed in use by Chinese MSS threat actors were:

Cobalt Strike

Mimikatz


Custom in-house tools attributed to MSS were:

China Chopper Web Shell


What is the Severity of Impact?

The severity should be regarded as MEDIUM, because these campaigns have so far been observed only in limited, targeted attacks.


Any Other Suggested Mitigation and/or Workarounds?

All vendors of the affected software mentioned in this advisory have released patches for the known vulnerabilities. If patching is not feasible at this time, it is recommended that a risk assessment be conducted to determine additional mitigating safeguards within the environment. Organizations are encouraged to conduct ongoing training sessions to educate personnel about the latest phishing/spearphishing attacks. FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine as vendor updates become available. For additional guidance, please refer to the APPENDIX section, which contains links to specific vendor suggestions and mitigations.


What is the status of AV/IPS and Web Filtering coverage?

FortiGuard Labs has coverage in place for the vulnerabilities and exploitation tools mentioned in this technical alert. As the report does not contain specific indicators such as file hashes, the following is a general list of signatures for the families of exploitation tools and vulnerabilities it lists.


Customers running the latest definition sets are protected by the following (AV) signatures:

Adware/Mimikatz

Riskware/Mimikatz

W32/Mimikatz.A

Riskware/Mimikatz.D

Riskware/Mimikatz.G

Riskware/Mimikatz.HF

Riskware/Mimikatz.HE

Riskware/MIMIKATZ64


Customers running the latest definition sets are protected by the following (IPS) signatures:

Backdoor.Cobalt.Strike.Beacon

China.Chopper.Web.Shell.Client.Connection

Post.Exploitation.Credential.Stealer.Mimikatz


CVE-2020-5902: F5.BIG.IP.Traffic.Management.User.Interface.Directory.Traversal

CVE-2019-19781: Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal

CVE-2019-11510: Pulse.Secure.SSL.VPN.HTML5.Information.Disclosure

CVE-2020-0688: MS.Exchange.Validation.Key.ViewState.Remote.Code.Execution