PRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.
Since 2020, PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities, also known as common vulnerabilities and exposures (CVEs). This technique has allowed the actors to gain access to victim accounts using publicly available exploit code against virtual private network (VPN) services [T1133] or public-facing applications [T1190], without using their own distinctive or identifying malware, so long as the actors acted before victim organizations updated their systems.
PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs). The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.
These cyber actors are also consistently evolving and adapting tactics to bypass defenses. NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders’ accounts and actions, and then modifying their ongoing campaign as needed to remain undetected. Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns. PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network.
NSA, CISA, and the FBI consider the common vulnerabilities and exposures (CVEs) listed in Table 1 to be the network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.
Table 1: Top network device CVEs exploited by PRC state-sponsored cyber actors

| Vendor | CVE | Vulnerability Type |
|---|---|---|
| Cisco | CVE-2018-0171 | Remote Code Execution (RCE) |
| Cisco | CVE-2019-15271 | RCE |
| Cisco | CVE-2019-1652 | RCE |
| Citrix | CVE-2019-19781 | RCE |
| DrayTek | CVE-2020-8515 | RCE |
| D-Link | CVE-2019-16920 | RCE |
| Fortinet | CVE-2018-13382 | Authentication Bypass |
| MikroTik | CVE-2018-14847 | Authentication Bypass |
| Netgear | CVE-2017-6862 | RCE |
| Pulse | CVE-2019-11510 | Authentication Bypass |
| Pulse | CVE-2021-22893 | RCE |
| QNAP | CVE-2019-7192 | Privilege Elevation |
| QNAP | CVE-2019-7193 | Remote Inject |
| QNAP | CVE-2019-7194 | XML Routing Detour Attack |
| QNAP | CVE-2019-7195 | XML Routing Detour Attack |
| Zyxel | CVE-2020-29583 | Authentication Bypass |
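The practical use of Table 1 is to find out which of these vendors' devices sit on your own perimeter. The following Python script is an added example, not a tool from NSA, CISA, or the FBI: it parses the table rows as they were extracted from the page (where a vendor's second and later CVEs appear on rows with an empty vendor cell, so the vendor has to be carried forward), validates each CVE identifier, and joins the result against a small asset inventory. The inventory (`SAMPLE_INVENTORY`) is constructed for illustration; the vendor-name normalization (so that "dlink" matches "D-Link") is this example's own convention.

```python
"""
Triage helper: parse the advisory's Table 1 into a vendor -> CVE map and
flag inventory entries whose vendor appears in it.  A hit means "verify this
device's firmware version against the vendor advisory for these CVEs"; it is
not, by itself, a determination that the device is vulnerable.
"""
import re
from collections import defaultdict

# Table 1 data rows in the pipe-delimited form the page was extracted in.
# Rows whose first cell is a CVE ID belong to the vendor on the preceding row.
TABLE_1 = """\
Cisco | CVE-2018-0171 | Remote Code Execution |
CVE-2019-15271 | RCE | |
CVE-2019-1652 | RCE | |
Citrix | CVE-2019-19781 | RCE |
DrayTek | CVE-2020-8515 | RCE |
D-Link | CVE-2019-16920 | RCE |
Fortinet | CVE-2018-13382 | Authentication Bypass |
MikroTik | CVE-2018-14847 | Authentication Bypass |
Netgear | CVE-2017-6862 | RCE |
Pulse | CVE-2019-11510 | Authentication Bypass |
CVE-2021-22893 | RCE | |
QNAP | CVE-2019-7192 | Privilege Elevation |
CVE-2019-7193 | Remote Inject | |
CVE-2019-7194 | XML Routing Detour Attack | |
CVE-2019-7195 | XML Routing Detour Attack | |
Zyxel | CVE-2020-29583 | Authentication Bypass |
"""

# CVE identifier syntax: "CVE-", a four-digit year, a sequence of 4+ digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample inventory (not from the advisory). Vendor spelling is
# deliberately inconsistent to exercise the normalization below.
SAMPLE_INVENTORY = [
    {"host": "edge-fw-01", "vendor": "Fortinet", "product": "firewall"},
    {"host": "branch-rtr-07", "vendor": "dlink", "product": "SOHO router"},
    {"host": "core-sw-02", "vendor": "Juniper", "product": "switch"},
    {"host": "vpn-gw-01", "vendor": "Pulse", "product": "VPN gateway"},
]


def parse_table(text):
    """Return {vendor: [(cve, vuln_type), ...]}, carrying the vendor forward
    across continuation rows and rejecting malformed CVE identifiers."""
    table = defaultdict(list)
    vendor = None
    for raw in text.splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        cells = [c for c in cells if c]          # drop empty trailing cells
        if not cells:
            continue
        if CVE_RE.match(cells[0]):
            # Continuation row: "CVE | type" with the vendor cell omitted.
            if vendor is None:
                raise ValueError(f"continuation row before any vendor: {raw!r}")
            cve, vtype = cells[0], cells[1]
        else:
            vendor, cve, vtype = cells[0], cells[1], cells[2]
            if not CVE_RE.match(cve):
                raise ValueError(f"malformed CVE ID in row: {raw!r}")
        table[vendor].append((cve, vtype))
    return dict(table)


def _norm(name):
    """Case-insensitive, punctuation-insensitive vendor key ("D-Link" -> "dlink")."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def flag_inventory(inventory, table):
    """Return [{'host', 'vendor', 'cves'}] for assets whose vendor is in the table."""
    by_key = {_norm(v): (v, cves) for v, cves in table.items()}
    flagged = []
    for asset in inventory:
        hit = by_key.get(_norm(asset["vendor"]))
        if hit:
            vendor, cves = hit
            flagged.append({"host": asset["host"], "vendor": vendor,
                            "cves": [cve for cve, _ in cves]})
    return flagged


if __name__ == "__main__":
    for entry in flag_inventory(SAMPLE_INVENTORY, parse_table(TABLE_1)):
        print(f"{entry['host']:<14} {entry['vendor']:<9} verify: {', '.join(entry['cves'])}")
```

Running it lists the Fortinet, D-Link, and Pulse hosts with the CVEs to check; the Juniper switch is not flagged because no Juniper entry is in Table 1. The vendor match is only the first step: whether a flagged device is actually exposed depends on its firmware version and on whether the affected service is reachable from the Internet, both of which have to be confirmed against the vendor's advisory for each CVE.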