NSA issues advisory against Chinese state-sponsored hackers
Among the 25 vulnerabilities listed in the NSA advisory, numerous were critical and carried a CVSS score either at or close to 10, the highest possible.
The advice of keeping software and hardware patched and updated is more relevant than ever.
The National Security Agency has released an advisory detailing 25 publicly known vulnerabilities that are being scanned or actively exploited by Chinese state-sponsored actors. Some of the vulnerabilities include the "Zerologon" vulnerability (CVE-2020-1472), SIGRed (CVE-2020-1350) and BlueKeep (CVE-2019-0708).
"One of the greatest threats to U.S. National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and Department of Defense (DoD) information networks is Chinese state-sponsored malicious cyber activity," the NSA advisory read. "These networks often undergo a full array of tactics and techniques used by Chinese state-sponsored cyber actors to exploit computer networks of interest that hold sensitive intellectual property, economic, political and military information. Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts."
There were several notable vulnerabilities among the 25 listed, most of which the NSA said could be "exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks." The list included the following:
- CVE-2020-1472: The "Netlogon Elevation of Privilege Vulnerability," a critical elevation of privilege vulnerability, received a Common Vulnerability Scoring System (CVSS) base score of 10.
- CVE-2020-1350: Otherwise known as SIGRed, a critical remote code execution vulnerability. It received a CVSS base score of 10.
- CVE-2019-0708: Another name for the critical BlueKeep remote code execution vulnerability. It was given a CVSS base score of 9.8.
- CVE-2019-11510: A critical arbitrary file disclosure vulnerability involving the Pulse Connect Secure VPN. It received a base CVSS score of 10.
- CVE-2020-5902: A critical remote code execution vulnerability in F5 BIG-IP. It has a CVSS base score of 9.8.
- CVE-2019-19781: A critical arbitrary code execution vulnerability discovered in Citrix Application Delivery Controller (ADC). It has a CVSS base score of 9.8.
- CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196: Authorization bypass vulnerabilities involving Citrix ADC, Gateway and SD-WAN WAN-OP. The first two vulnerabilities have CVSS base scores of 6.5, while the latter has a base score of 4.3.
Jake Olcott, BitSight's vice president of communications and government affairs, praised the NSA advisory.
"This is a remarkable announcement from the NSA, and one that companies everywhere should take notice," Olcott told SearchSecurity. "It's easy for organizations to check whether they are vulnerable, but it's critical to determine whether their supply chain partners are also at risk. We know that foreign adversaries target the supply chain to gain access to sensitive data."
Tenable staff research engineer Satnam Narang said the advisory creates a sense of "déjà vu," as many of the vulnerabilities listed are found in CISA alerts published in the last year.
"The advisory is yet another reminder that cybercriminals are finding more success going after low-hanging fruit. They aren't spending time developing or spending capital to acquire zero-day vulnerabilities to compromise systems," he said. "They're capitalizing on a lack of basic cyberhygiene -- well-known but unpatched vulnerabilities, many of which have proof-of-concept code or exploit scripts available for them."
When asked whether he could offer any insight into why the list was ordered the way it was in the NSA advisory, Narang said, "We can't definitively say why the list was organized in the way it was, but the Pulse Secure vulnerability along with the Citrix ADC/Gateway flaw are two of the most routinely exploited vulnerabilities in 2020, as confirmed in CISA's Top 10 Routinely Exploited Vulnerabilities alert from earlier this year."