Back on October 20, 2020, the United States National Security Agency (NSA) published a cybersecurity advisory about Chinese state-sponsored malicious cyber activity. In this post we will cover 5 of the vulnerabilities listed in that advisory.
“Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts,” said the NSA advisory. It also recommended “critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage.”
1. Draytek Vigor Command Injection (CVE-2020-8515)
A critical vulnerability (CVSS base score of 9.8) in various versions of DrayTek Vigor, a series of VPN routers.
2. Microsoft Windows NTLM Authentication Bypass (CVE-2019-1040)
A vulnerability (CVSS base score of 5.8) in various Microsoft Windows versions.
3. Citrix Multiple Products Directory Traversal (CVE-2019-19781)
A critical vulnerability (CVSS base score of 9.8) in Citrix Application Delivery Controller (ADC) and Citrix Gateway.
4. Pulse Connect Secure File Disclosure (CVE-2019-11510)
A critical vulnerability (CVSS base score of 10) in Pulse Connect Secure, the SSL VPN solution of Pulse Secure.
5. F5 BIG-IP Remote Code Execution (CVE-2020-5902)
A critical vulnerability (CVSS base score of 9.8) in various versions of BIG-IP, a popular family of F5 products.
Qualys VMDR Detection
CISA recommends the following to protect assets from exploitation:
- Minimize gaps in personnel availability and consistently consume relevant threat intelligence.
- Monitor closely for indicators of compromise (IOCs) and maintain strict reporting processes.
- Regular incident response exercises at the organizational level are always recommended as a proactive approach.
Remediation and Mitigation
- Patch systems and equipment promptly and diligently.
- Implement rigorous configuration management programs.
- Disable unnecessary ports, protocols, and services.
- Enhance monitoring of network and email traffic.
- Use protection capabilities to stop malicious activity.