The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and a coalition of international partners, has unveiled an extensive cybersecurity advisory. This document exposes a global espionage campaign orchestrated by state-sponsored actors from the People’s Republic of China (PRC), targeting critical infrastructure worldwide.
Titled "Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System," the 37-page report delves into the tactics, techniques, and procedures (TTPs) employed by these advanced persistent threat (APT) groups. Their primary targets include sectors such as telecommunications, government, transportation, and military infrastructure.
Key Insights from the Advisory:
1. Utilization of MITRE ATT&CK and D3FEND Frameworks: The guide leverages these frameworks to systematically counteract Chinese APTs exploiting known vulnerabilities.
2. Implementation of Robust Security Measures: Recommendations include enforcing management isolation, disabling high-risk features, and mandating strong authentication protocols.
3. Emphasis on Proactive Defense Strategies: The advisory underscores the importance of timely patching, comprehensive logging, and coordinated threat-hunting initiatives.
The advisory identifies cyber actors, referred to by industry as Salt Typhoon and GhostEmperor, active since at least 2021. Their operations aim to exfiltrate data, enabling Chinese intelligence to monitor global communications and movements. Notably, the report links these activities to Chinese technology firms, including Sichuan Juxinhe Network Technology Co. Ltd., alleged to support China’s military and intelligence sectors.
Exploitation of Known Vulnerabilities:
A significant revelation is that these actors do not rely on zero-day exploits. Instead, they achieve success by exploiting publicly known and often unpatched common vulnerabilities and exposures (CVEs). The report urges network defenders to prioritize patching specific vulnerabilities, particularly those affecting devices from Cisco, Palo Alto Networks, and Ivanti.
Highlighted Vulnerabilities:
– CVE-2024-21887: A command injection vulnerability in Ivanti Connect Secure and Ivanti Policy Secure, often exploited alongside CVE-2023-46805 for authentication bypass.
– CVE-2024-3400: An unauthenticated remote code execution (RCE) vulnerability in Palo Alto Networks PAN-OS GlobalProtect, allowing arbitrary file creation leading to OS command injection on firewalls with specific configurations.
– CVE-2023-20273: A post-authentication command injection and privilege escalation flaw in Cisco IOS XE’s web management UI, frequently combined with CVE-2023-20198 to achieve root-level code execution.
– CVE-2023-20198: An authentication bypass vulnerability in Cisco IOS XE’s web UI, enabling unauthorized administrative account creation.
– CVE-2018-0171: A remote code execution vulnerability related to the Smart Install feature in Cisco IOS and IOS XE.
Tactics Employed by Threat Actors:
These adversaries adopt a living-off-the-land approach. After initial access via vulnerable, internet-facing routers or firewalls, they use the device’s native tools to deepen their network infiltration. Techniques include modifying access control lists, capturing network traffic to steal credentials, and leveraging on-device Linux containers such as Cisco’s Guest Shell to conceal their activities from standard monitoring.
The advisory notes that these actors often modify routers to maintain persistent, long-term access to networks. They establish covert tunnels, reroute traffic to their own infrastructure, and meticulously clear logs to evade detection, complicating efforts to identify their presence.
International Collaboration and Recommendations:
This joint advisory is the result of a significant international effort, with contributions from agencies in Australia, Canada, the United Kingdom, New Zealand, Germany, Japan, Italy, and Poland, among others. It provides detailed threat-hunting guidance, urging organizations to:
– Monitor for Unauthorized Changes: Keep an eye out for unexpected configuration alterations, unanticipated network tunnels (e.g., GRE, IPsec), and suspicious use of packet capture tools.
– Audit Virtualized Containers: Examine network devices for unauthorized activities within virtualized containers.
– Verify Software Integrity: Compare firmware and software against vendor-provided hashes to ensure authenticity.
– Implement Robust Logging: Establish comprehensive logging practices and forward logs to a secure, centralized server for analysis.
Mitigation Strategies:
To fortify network infrastructure, the advisory recommends:
– Disabling Unused Ports and Services: Reduce the attack surface by turning off unnecessary features.
– Enforcing Management-Plane Isolation: Separate management-plane traffic from user and data-plane traffic so that device administration is reachable only from a dedicated, restricted network.
– Implementing Strong Credentials: Use unique, complex passwords and enforce multi-factor authentication.
– Disabling Legacy Protocols: Replace outdated protocols like Telnet and SNMPv1/v2 with secure, modern alternatives.
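The threat-hunting items above (unexpected configuration changes, unanticipated tunnels, unauthorized containers) and the mitigation items (legacy protocols such as Telnet and SNMPv1/v2) can both be checked mechanically against a device's running-config. The following Python is an added example written for this summary, not code from the advisory or from CISA: it audits a constructed Cisco IOS XE running-config for those indicators and diffs it against a known-good baseline. The sample config, the baseline, and the check names and patterns are all assumptions constructed for the example.

```python
import re

# Constructed known-good baseline (assumed, for illustration only).
BASELINE_CONFIG = """\
version 17.6
ip http server
ip http secure-server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

# Constructed current running-config: the baseline plus a new tunnel and a Guest Shell app.
SAMPLE_CONFIG = BASELINE_CONFIG + """\
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
app-hosting appid guestshell
"""

# (check_id, regex over one config line, defender advice). Patterns are assumptions
# based on common IOS XE syntax; extend them for your own platforms.
CHECKS = [
    ("tunnel_interface", r"^interface Tunnel\d+", "Tunnel interface (GRE by default); confirm it is expected"),
    ("guestshell", r"^app-hosting appid guestshell", "Guest Shell container present; verify it is authorized"),
    ("telnet_enabled", r"^\s*transport input .*\btelnet\b", "Telnet allowed on VTY lines; restrict to ssh"),
    ("snmp_v1v2", r"^snmp-server community ", "SNMPv1/v2c community string; migrate to SNMPv3"),
    ("http_server", r"^ip http (secure-)?server$", "Web UI enabled; disable or limit to the management network"),
]

def audit_config(text):
    """Return (check_id, line_no, line, advice) for every config line matching a check."""
    compiled = [(cid, re.compile(rx, re.IGNORECASE), adv) for cid, rx, adv in CHECKS]
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for cid, pat, adv in compiled:
            if pat.search(line):
                findings.append((cid, no, line.strip(), adv))
    return findings

def config_drift(baseline, current):
    """Lines added to and removed from the running-config relative to the baseline."""
    base = {l.rstrip() for l in baseline.splitlines() if l.strip()}
    cur = {l.rstrip() for l in current.splitlines() if l.strip()}
    return sorted(cur - base), sorted(base - cur)

if __name__ == "__main__":
    for cid, no, line, adv in audit_config(SAMPLE_CONFIG):
        print(f"[{cid}] line {no}: {line} -> {adv}")
    added, removed = config_drift(BASELINE_CONFIG, SAMPLE_CONFIG)
    print("added since baseline:", added)
    print("removed since baseline:", removed)
```

In practice the baseline would be a config snapshot taken at a known-good time and stored off-device, so that an actor who rewrites the device's own copy cannot also rewrite the reference.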
This advisory serves as a critical resource for network defenders, offering strategic guidance and specific indicators of compromise, such as IP addresses used by the actors and YARA rules to detect their custom malware. CISA and its partners strongly urge organizations, especially in the telecommunications sector, to utilize this guide to proactively hunt for malicious activity and strengthen their defenses against this persistent global threat.