NSA Releases list of what Chinese Hackers are Hacking Right Now

The U.S. National Security Agency (NSA) recently published a list of the top publicly known vulnerabilities Chinese state-sponsored hackers exploit, several of which affect Microsoft and Citrix users. While many assume hackers are targeting government agencies, the truth is these vulnerabilities can affect even the smallest of businesses. As a small or medium business, it’s important to address known vulnerabilities and quickly take steps to mitigate the risks your company faces.

Prioritizing security efforts

Any breach of your data or interruption of services can come with severe, and costly, consequences. The NSA recommends all organizations patch known vulnerabilities immediately to protect against bank fraud, data theft, and ransomware attacks.

“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” NSA Cybersecurity Director Anne Neuberger said in a press release.

The agency went on to state it hoped by sharing the top vulnerabilities China is “actively using to compromise systems,” security professionals can learn actionable information about prioritizing their security efforts.

Vulnerabilities affecting Citrix and Microsoft users

Out of the 25 top vulnerabilities Chinese state-sponsored hackers are manipulating, these are weaknesses that directly target Citrix and Microsoft users:

• CVE-2019-19781: A path traverse vulnerability found in the Citrix Application Delivery Controller (ADC) and Gateway directory can open up hackers to execute code remotely without credentials.
• CVE-2019-0708: A remote code execution vulnerability found in Microsoft’s Remote Desktop Services allows unauthenticated attackers to connect and send “specially crafted” requests.
• CVE-2019-1040: A weakness found in Microsoft Windows NTLM allows hackers to tamper with Windows’ OS built-in security and reduce its effectiveness enabling them to engage in credential access and bypassing other safeguards.
• CVE-2020-8193 CVE-2020-8195 CVE-2020-8196: These vulnerabilities, found in several Citrix systems, allow unauthenticated users to gain access to certain URL endpoints and information disclosure to low-privileged users.
• CVE-2020-1350: This weakness, affecting Windows’ Domain Name System (DNS), enables attackers to remotely execute code when servers fail to properly handle requests.
• CVE-2020-0688: A flaw in Microsoft Exchange that allows authenticated users to remotely execute code due to the software failing to properly handle objects in memory.
• CVE-2020-0601: A vulnerability in Windows CryptoAPI enables attackers to exploit the system by using a spoofed code-signing certificate to sign a malicious executable to make it appear the file was signed by a legitimate and trusted company.
• CVE-2019-0803: An “elevation of privilege” weakness exists in Windows when the Win32k component fails to properly handle objects in memory.

Of the 25 vulnerabilities, seven can be used by bad actors to gain remote access to internal systems where they can gain entry to privileged access, which makes fixing these a priority. Not mitigating these and other weaknesses can result in the exposure of sensitive data, including intellectual property and other proprietary information.

Routine steps businesses should take to safeguard themselves

In addition to addressing vulnerabilities with swift action by following their recommendations, businesses should routinely take steps to safeguard themselves against bad actors:

• Consistently apply vendor-released updates and patches to systems and applications as soon as possible.
• Block any obsolete or unused protocols at the network edge, and disable any unnecessary in device configurations not needed for your operations.
• Disable external management capabilities, along with establishing an out-of-band management network.
• Actively monitor network logs for signs of compromise or unauthorized entry.
• Enable robust logging of internet-facing services.
• Immediately deactivate unused employee profiles.

It’s also critical to understand patching doesn’t alleviate any previous unauthorized access. This makes it essential to establish protocols for users to routinely change their passwords and create strong passwords. Statistics suggest 61% of businesses’ don’t require password complexity and 39% don’t provide their staff with proper password training. A recent statistic shared by Verizon found roughly 80% of all breaches are traced back to weak passwords and compromised credentials.

The full NSA announcement of the top 25, along with the specific mitigations you can take for each vulnerability, can be viewed here.

Cyber Security – Cyber Crime flickr photo by perspec_photo88 shared under a Creative Commons (BY-SA) license