
China is Exploiting Vulnerabilities in Widely Used Home-Office Devices, U.S. Agencies Warn


A new advisory from top federal security and law enforcement agencies warns that state-sponsored cyber actors from the People’s Republic of China (PRC) are exploiting vulnerabilities in commonly used network devices to steal data from major telecommunications providers. Notably, the attacks are not being aimed directly at large enterprises but at the endpoints of home-based offices and small businesses.

Issued June 7 by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI, the advisory identified 16 common vulnerabilities and exposures (CVEs) linked to products manufactured by leading network vendors, including Cisco, Citrix, D-Link, and Netgear. The state-sponsored actors target telecommunications providers’ Remote Authentication Dial-In User Service (RADIUS) servers. Using SQL commands, the actors seek the usernames and passwords of the providers’ customers among other goals.

This is a particularly significant advisory given the upsurge in home-office usage due to the pandemic. The devices in question can be manipulated using SQL commands in order to ultimately dump usernames and passwords.

The intrusions, according to the federal agencies, are executed by accessing compromised servers called “hop points” from Chinese IP addresses hosted by Chinese ISPs. From the compromised servers, the state-sponsored actors register email accounts, host C2 domains, and interact with the victim networks. The attackers monitor the defenses employed by network defenders, then modify their activity to remain undetected.

The Top 16 Devices Targeted by PRC Threat Actors

The advisory lists the network device CVEs most often exploited since 2020 by the PRC actors, identifying the vendor, CVE, and vulnerability type. They are:

Vendor      CVE              Vulnerability Type
Cisco       CVE-2018-0171    Remote Code Execution (RCE)
Cisco       CVE-2019-15271   RCE
Cisco       CVE-2019-1652    RCE
Citrix      CVE-2019-19781   RCE
DrayTek     CVE-2020-8515    RCE
D-Link      CVE-2019-16920   RCE
Fortinet    CVE-2018-13382   Authentication Bypass
MikroTik    CVE-2018-14847   Authentication Bypass
Netgear     CVE-2017-6862    RCE
Pulse       CVE-2019-11510   Authentication Bypass
Pulse       CVE-2021-22893   RCE
QNAP        CVE-2019-7192    Privilege Elevation
QNAP        CVE-2019-7193    Remote Inject
QNAP        CVE-2019-7194    XML Routing Detour Attack
QNAP        CVE-2019-7195    XML Routing Detour Attack
Zyxel       CVE-2020-29583   Authentication Bypass

Security experts report that D-Link has the most products affected by the CVEs (15). That may be a particular problem because some of these products have reached end-of-life – meaning no patches are being created to address the issue. You’ll want to make sure that your organization has upgraded or replaced any such products.

Still, patching the listed devices for the CVEs identified in the advisory may not be enough. There are other known exploits for these devices. As such, security teams should gather information about these CVEs and use threat-likelihood calculations to determine the order of remediation.

What About CVEs Without Known Exploits?

The other factor to consider is that while tens of thousands of CVEs have publicly known exploits, even more may be exploited without any public knowledge of it.
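As an added illustration (not NopSec's code or the advisory's), here is a small Python ranking that applies the threat-likelihood idea from the two preceding paragraphs to the advisory's CVE list: the 16 CVEs are embedded as one threat-intelligence input, while the impact weights, the exposure multiplier, the discount for CVEs without a known exploit, and the sample inventory (including the CVE-2099-0001 placeholder) are assumed modelling choices and constructed data.

```python
from dataclasses import dataclass

# The 16 CVEs from the June 7, 2022 CISA/NSA/FBI advisory, as tabulated in the article.
ADVISORY_CVES = {
    "CVE-2018-0171": "RCE", "CVE-2019-15271": "RCE", "CVE-2019-1652": "RCE",
    "CVE-2019-19781": "RCE", "CVE-2020-8515": "RCE", "CVE-2019-16920": "RCE",
    "CVE-2018-13382": "Authentication Bypass", "CVE-2018-14847": "Authentication Bypass",
    "CVE-2017-6862": "RCE", "CVE-2019-11510": "Authentication Bypass",
    "CVE-2021-22893": "RCE", "CVE-2019-7192": "Privilege Elevation",
    "CVE-2019-7193": "Remote Inject", "CVE-2019-7194": "XML Routing Detour Attack",
    "CVE-2019-7195": "XML Routing Detour Attack", "CVE-2020-29583": "Authentication Bypass",
}
# Assumed impact weight per vulnerability type (a modelling choice, not from the advisory).
TYPE_WEIGHT = {"RCE": 1.0, "Authentication Bypass": 1.0, "Privilege Elevation": 0.8,
               "Remote Inject": 0.8, "XML Routing Detour Attack": 0.6}

@dataclass
class Finding:
    asset: str             # hostname or inventory id
    cve: str
    cvss: float            # base score reported by your scanner, 0-10
    internet_exposed: bool
    end_of_life: bool      # vendor no longer ships patches for this device

def likelihood(f, extra_exploited=frozenset()):
    """Threat-likelihood score: higher means remediate sooner (assumed formula)."""
    base = f.cvss / 10.0
    # Known exploitation (advisory list or your own intel feed) dominates; a CVE with no
    # public exploit is discounted, not zeroed, since it may be exploited quietly.
    exploit_factor = 1.0 if (f.cve in ADVISORY_CVES or f.cve in extra_exploited) else 0.35
    weight = TYPE_WEIGHT[ADVISORY_CVES[f.cve]] if f.cve in ADVISORY_CVES else 0.8
    exposure = 1.3 if f.internet_exposed else 1.0
    return round(base * exploit_factor * weight * exposure, 3)

def remediation_plan(findings, extra_exploited=frozenset()):
    """Return (asset, cve, score, action) rows, highest score first."""
    rows = []
    for f in findings:
        action = "replace (end-of-life, no patch)" if f.end_of_life else "patch"
        rows.append((f.asset, f.cve, likelihood(f, extra_exploited), action))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample inventory; hostnames, scores and the CVE-2099-0001 placeholder are invented.
SAMPLE = [
    Finding("branch-fw-01", "CVE-2018-13382", 7.5, True, False),   # Fortinet auth bypass, exposed
    Finding("home-router-17", "CVE-2019-16920", 9.8, True, True),  # D-Link RCE on EOL hardware
    Finding("nas-lab", "CVE-2019-7194", 7.5, False, False),        # QNAP, internal network only
    Finding("app-srv-02", "CVE-2099-0001", 9.0, True, False),      # no known exploit yet
]
```

Calling `remediation_plan(SAMPLE)` returns the rows in remediation order, with the end-of-life D-Link device flagged for replacement rather than patching; feed `extra_exploited` from your own intelligence sources to promote CVEs the advisory does not list.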

That’s why the combination of vulnerability awareness and threat intelligence is so essential in reducing risk. Some threat intelligence can be gained by staying connected with online communities that share knowledge of emerging threats. Beyond such methods, more fully integrated and automated threat intelligence can be gained through tools such as the risk-based vulnerability management (RBVM) applications that NopSec offers. Among other applications, NopSec’s RBVM Core, RBVM Container and RBVM Config help you ingest data from your network and combine it with threat intelligence sources to determine which assets and software are at risk and how to prioritize your actions.

We would welcome a chance to talk to you about how to introduce NopSec into your infrastructure to gain access to this critical information without overwhelming your organization. As we say, the path to cybersecurity maturity is a long one. Let us help you take the steps that are right for you and your company.
