The National Security Agency issued an advisory warning that adversaries connected to China are targeting national security systems and noted specific areas and vulnerabilities defenders should focus on based on tactics they’ve recently observed.
“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” NSA Cybersecurity Director Anne Neuberger said in a press release Tuesday. “We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.”
Government officials at the Cybersecurity and Infrastructure Security Agency and the FBI have previously called attention to the use of known vulnerabilities by China and other actors. NSA officials hope that specifically calling out the tactic as one of state-sponsored adversaries from China will spur target organizations to do what’s necessary to protect themselves.
“We are releasing this now to emphasize the importance of mitigating these [Common Vulnerability Enumerations],” Neuberger said in a statement to Nextgov. “While these vulnerabilities are already public, they’re still being successfully leveraged by malicious cyber actors, highlighting the need for [national security systems, Department of Defense and defense industrial base] system owners and the broader community to take action.”
Among the 25 vulnerabilities NSA described, seven could be used to gain remote access to internal systems, making them priorities for mitigation.
“Remote access systems serve as gateways from the internet into internal networks, often offering immediate, highly privileged access to attackers,” according to an infographic the NSA released with the advisory.
Lower in the risk profile, but with just as many vulnerabilities, was a category of weaknesses that could be used to exploit internal servers. These servers typically house an organization’s intellectual property or other crown jewels.
Other vulnerabilities listed could be used to exploit mobile device management (for example, by distributing malicious apps); directory services, to elevate or otherwise manipulate credentials; public-facing servers, which could allow attackers to pivot to internal networks by getting around web authentication; user workstations, to establish a base for further exploration; and network devices, which can be used to inject malicious links into network traffic.
“Many of the vulnerabilities listed can be used to gain initial access to victim networks by exploiting products that are directly accessible from the Internet. Other vulnerabilities enable further exploitation of a network once cyber actors have a presence within the network,” reads an NSA factsheet on the advisory. “Exploiting a combination of these vulnerabilities can be particularly effective for cyber actors and problematic for network defenders.”
Some of the vulnerabilities come with tailored mitigations, but generally, the NSA’s first piece of advice is to apply patches for systems or products as soon as possible after they’re released.
However, the NSA notes, defenders should “expect that data stolen or modified (including credentials, accounts, and software) before the device was patched will not be alleviated by patching.” That, the advisory said, is where changing passwords and reviewing account access comes in.
The NSA said organizations should also “disable external management capabilities and set up an out-of-band management network; block obsolete or unused protocols at the network edge and disable them in device configurations; isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network; and enable robust logging of Internet-facing services and monitor the logs for signs of compromise.”
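The advisory's last two recommendations, disabling external management and monitoring logs of Internet-facing services for signs of compromise, can be turned into a routine log review. The script below is an added illustration, not code from the NSA or from this article: it parses a constructed, simplified access-log format (client IP, method, path, status, user), flags management-interface requests arriving from outside the internal address ranges, and flags logins that succeed from a source only after a run of failures. The management path prefixes, the internal network list and the failure threshold are assumptions chosen for the example.

```python
"""Review access logs of an Internet-facing service for two signs of compromise:
management-interface access from external addresses, and a successful login that
follows a burst of failed attempts from the same source. Added example; the log
format, sample lines, path prefixes and thresholds are constructed, not from the
NSA advisory."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. Format: <client-ip> <method> <path> <status> <user>
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# arbitrary external addresses.
SAMPLE_LOG = """\
10.0.5.12 GET /admin/config 200 alice
203.0.113.7 GET /admin/config 200 -
198.51.100.9 POST /login 401 bob
198.51.100.9 POST /login 401 bob
198.51.100.9 POST /login 401 bob
198.51.100.9 POST /login 401 bob
198.51.100.9 POST /login 401 bob
198.51.100.9 POST /login 200 bob
10.0.5.30 POST /login 200 carol
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Assumption: management interfaces live under these path prefixes. Per the
# advisory, external access to them should be disabled; any hit is a finding.
MANAGEMENT_PREFIXES = ("/admin", "/manage")

# Assumption: these are the organisation's internal ranges (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: this many failures before a success from one source is suspicious.
FAILED_LOGIN_THRESHOLD = 5


def parse(log_text):
    """Turn raw log text into a list of record dicts; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, method, path, status, user = m.groups()
        records.append({"ip": ip, "method": method, "path": path,
                        "status": int(status), "user": user})
    return records


def is_external(ip):
    """True when the address is outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_management_access(records):
    """Records where a management path was reached from an external address."""
    return [r for r in records
            if r["path"].startswith(MANAGEMENT_PREFIXES) and is_external(r["ip"])]


def brute_force_then_success(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Successful logins from a source that had already failed `threshold` times.

    Failures are counted per source IP in log order, so a success is only
    reported once the preceding failures from that IP reach the threshold."""
    failures = defaultdict(int)
    hits = []
    for r in records:
        if r["path"] != "/login":
            continue
        if r["status"] == 401:
            failures[r["ip"]] += 1
        elif r["status"] == 200 and failures[r["ip"]] >= threshold:
            hits.append(r)
    return hits


def review(log_text):
    """Run both checks and return findings keyed by check name."""
    records = parse(log_text)
    return {
        "external_management_access": external_management_access(records),
        "brute_force_then_success": brute_force_then_success(records),
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(f"{check}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['ip']} {f['method']} {f['path']} {f['status']} user={f['user']}")
```

On the sample log the script reports one external management hit (203.0.113.7 reaching /admin/config) and one brute-force-then-success event (bob from 198.51.100.9). The second check is the kind of signal the advisory has in mind when it says stolen credentials are not "alleviated by patching": a valid login after repeated failures is a prompt to reset that account's password and review its access, not merely to patch the service.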