US agencies accuse China of attacking telcos and network providers

By on
US agencies accuse China of attacking telcos and network providers

Admins leave too many vulns unpatched, say NSA, CISA and FBI.

United States government agencies have issued a joint cybersecurity advisory warning that state-sponsored Chinese threat actors are exploiting public vulnerabilities to establish a broad network of compromised infrastructure.

The advisory by the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation highlights how Chinese hackers have targeted and compromised major telco and network providers.

The NSA, CISA and FBI say the activity has been taking place since 2020, and continues to strike both public and private sector targets.

The agencies say Chinese hackers are exploiting vulnerabilities in unpatched network devices, such as SoHo routers and network attached storage devices, to create ingress points to route command and control traffic and act as midpoints for intrusion activities elsewhere.

Telcos and network providers are targetted with RouterSploit and RouterScan software to identify devices with known vulnerabilities for further investigation and exploitation, the agencies said.

In one case, the Chinese state-sponsored attackers found a critical Remote Authentication Dial-In User Service (RADIUS) server from which they were able to dump a database with user credentials.

With the captured credentials at hand, the hackers ran custom scripts and execute router commands on Cisco and Juniper devices on medium to large networks.

Of the common vulnerabilities and exposures listed by the three US agencies as abused by China, NAS vendor QNAP has the most with four from 2019.

Cisco has four remote code execution CVEs listed, one from 2018 and three from 2019 respectively.

Netgear has the dubious honour of being listed with the oldest CVE, 2017-6862, which can be used by attackers for remote code execution without authentication on some of the vendor's routers, a vulnerability that has been patched.

Other vendors the CVE top ten list include Citrix, DrayTek, D-Link, Fortinet, MikroTik, Pulse, and Zyxel.

Apart from applying patches as soon as they're available, the agencies say to segment networks, and to disable unnecessary ports and protocols.

Replacing end-of-life infrastructure is also recommended, along with a centralised patch management system, the three advised.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Log In

  |  Forgot your password?