The U.S. government warned companies to be on the lookout for attacks launched by state-sponsored Chinese hackers that exploit many widely-known vulnerabilities.
A joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) outlined multiple vulnerabilities that hackers working on behalf of the People's Republic of China have exploited since 2020, including the Log4shell bug, a recent F5 Big IP flaw, and a remote code execution flaw in Atlassian Confluence.
The advisory listed the most popular bugs targeted by Chinese hackers. The list includes last year's ProxyLogon vulnerabilities in Microsoft Exchange Server and an arbitrary file upload bug in VMware vCenter.
"NSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks," the advisory read.
"PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques -- some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations."
While most of the vulnerabilities can be addressed by bringing systems up to best practices and automated patching standards, administrators may find that getting machines patched is easier said than done.
LutaSecurity CEO Katie Moussouris noted on Twitter that for many companies, updating code is not a simple matter, and in many cases, administrators are left handling legacy code along with new software.
A decade ago, many tech companies had newer code bases & a chance to rearchitect for security without too much world impact.Now, we see many orgs stuck supporting legacy code long abandoned with no owners left who know which code is load bearing so they don’t touch it for years. KatieMussouris (she/her) (@k8em0) October 7, 2022
In the meantime, CISA noted that Chinese hackers are not only exploiting the vulnerabilities, but also using them as the basis for more extensive attacks. In many cases, CISA notes, the hackers are also taking measures to cover their tracks.
"These state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access," the agency warned.
CISA is urging administrators to update and patch the targeted software as soon as possible. In addition, admins are being asked to wall off unused ports and protocols as well as any obsolete machines that might remain facing the internet.