Several U.S. government agencies recently revealed that China-backed threat actors have targeted and infiltrated key telecommunications and network service providers with the objective of stealing credentials and harvesting data.
According to a joint cybersecurity advisory released on Tuesday by the NSA, CISA, and the FBI, PRC state-sponsored actors have used publicly known vulnerabilities to compromise everything from unsecured small office/home office (SOHO) routers to medium and large enterprise networks. Once compromised, the devices were used as command-and-control servers and proxy systems to break into further networks, forming part of the actors' attack infrastructure.
“Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting,” explains the advisory.
After obtaining credentials for the SQL databases that back Remote Authentication Dial-In User Service (RADIUS) servers, the actors used SQL commands to dump user and administrator credentials from those databases. The three agencies also list the common vulnerabilities and exposures (CVEs) that PRC state-sponsored actors have exploited most frequently since 2020.
“The PRC has been exploiting specific techniques and common vulnerabilities since 2020 to use to their advantage in cyber campaigns,” the NSA added.
By exploiting these vulnerabilities, PRC-sponsored threat actors have built large attack infrastructure networks, which let them compromise an even broader range of public and private sector targets. CISA, the NSA, and the FBI are also urging U.S. and allied governments, critical infrastructure operators, and private businesses to implement a set of mitigations to reduce the likelihood of similar intrusions into their networks.
The agencies recommend applying security updates as soon as feasible, disabling unneeded ports and protocols to reduce the attack surface, and replacing end-of-life network equipment that no longer receives security patches. They also recommend segmenting networks to limit lateral movement and enforcing strong monitoring of internet-exposed services so that attack attempts are detected as early as possible.
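The credential-dump technique described above (SQL queries against a RADIUS server's backend database) is exactly the kind of activity the monitoring recommendation is meant to catch. The following is an added example, not code from the advisory or from any agency: a small detector that reads MySQL general-query-log style lines and flags queries against RADIUS credential tables that either come from a host outside the RADIUS daemon's allowlist or read the table in bulk rather than looking up one username. It assumes a FreeRADIUS-style SQL schema (the table names `radcheck`, `radreply` and `radusergroup` are assumed), a simplified log line format, and the allowlist and log lines shown, all of which are constructed for the example.

```python
"""Flag bulk credential reads against a RADIUS server's SQL backend.

Added example, not from the NSA/CISA/FBI advisory. Assumes a FreeRADIUS-style
SQL backend (table names below are assumed defaults) whose database server
writes a general query log, and an allowlist of hosts that legitimately
query it (normally just the RADIUS daemon). All log lines are constructed.
"""
import re

# Constructed sample in a simplified general-log shape (assumption):
#   "<timestamp> <thread_id> <command> <argument>"
# The client host for a thread comes from its preceding Connect record.
SAMPLE_LOG = """\
2022-06-07T09:00:00Z 12 Connect radius@10.10.1.5 on radius
2022-06-07T09:00:01Z 12 Query SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alice' ORDER BY id
2022-06-07T09:00:02Z 12 Query SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bob' ORDER BY id
2022-06-07T09:05:00Z 47 Connect radius@203.0.113.8 on radius
2022-06-07T09:05:01Z 47 Query SELECT username, value FROM radcheck
2022-06-07T09:05:02Z 47 Query SELECT * FROM radusergroup
2022-06-07T09:06:00Z 48 Connect root@10.10.1.9 on radius
2022-06-07T09:06:01Z 48 Query SELECT username, value FROM radcheck WHERE attribute = 'Cleartext-Password'
"""

# Assumed allowlist: only the RADIUS daemon's own host should touch these tables.
ALLOWED_HOSTS = {"10.10.1.5"}
# Assumed FreeRADIUS default table names holding credentials and group mappings.
SENSITIVE_TABLES = {"radcheck", "radreply", "radusergroup"}

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(Connect|Query|Quit)\s+(.*)$")
CONNECT_RE = re.compile(r"^(\S+)@(\S+) on (\S+)")   # user@host on database [...]
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)
PER_USER_RE = re.compile(r"\bWHERE\s+username\s*=", re.IGNORECASE)


def parse(log_text):
    """Yield (timestamp, thread_id, command, argument); skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4)


def is_bulk_read(query):
    """A normal authentication lookup is scoped to one username. Any other
    SELECT that touches a credential table is treated as a bulk read."""
    return PER_USER_RE.search(query) is None


def find_credential_dumps(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings for queries against sensitive tables that are
    either from a non-allowlisted host or not scoped to a single user."""
    hosts = {}       # thread id -> client host, learned from Connect records
    findings = []
    for ts, thread, cmd, arg in parse(log_text):
        if cmd == "Connect":
            m = CONNECT_RE.match(arg)
            if m:
                hosts[thread] = m.group(2)
            continue
        if cmd != "Query":
            continue
        tables = {t.lower() for t in FROM_RE.findall(arg)}
        if not tables & SENSITIVE_TABLES:
            continue
        host = hosts.get(thread, "unknown")
        reasons = []
        if host not in allowed_hosts:
            reasons.append(f"query from non-allowlisted host {host}")
        if is_bulk_read(arg):
            reasons.append("bulk read (no per-user WHERE clause)")
        if reasons:
            findings.append({"time": ts, "thread": thread, "host": host,
                             "query": arg, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_credential_dumps(SAMPLE_LOG):
        print(f["time"], f["host"], "; ".join(f["reasons"]), "::", f["query"])
```

On the sample above, the two per-user lookups from the allowlisted host pass silently, while the three queries from the unknown host and the `root` login are flagged. In practice the same logic belongs in the SIEM rule that consumes the database audit log, with the allowlist derived from the network segment the RADIUS server is expected to talk to; a query that is both bulk and from an unexpected host is the high-confidence case.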
This joint advisory follows two previous ones on Chinese state-sponsored hackers: one on the tactics, techniques, and procedures (TTPs) employed in their cyberattacks (in 2021) and one on the publicly known vulnerabilities exploited in their attacks (in 2020).