While applying patches is always important, now is an especially good time to catch up if your organization has fallen behind. The United States National Security Agency (NSA) has issued an official warning that Chinese state-sponsored hacking groups are actively exploiting 25 different vulnerabilities, including a "significant" one in Java code, according to Bank Info Security. None of the listed vulnerabilities is new: all of them have already been publicly disclosed, some of them years ago.
Call for patching
Because every vulnerability the attackers are using is already known, IT professionals should be able to stave off most of these threats by applying the patches that already exist. In the alert, NSA Cybersecurity Director Anne Neuberger wrote that she understood it can be hard for cybersecurity professionals to know which patches to prioritize, and that she wanted the published list to serve as a guidepost.
"We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems," said Neuberger, as quoted by the news source.
In addition to patching, the NSA recommends a set of basic hardening measures to reduce the chance of compromise. These include changing passwords on a regular basis, isolating internet-facing services from the rest of the internal network, blocking obsolete network protocols and disabling external management interfaces so that administrative functions are not reachable from the internet.
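One way to turn that kind of "actively exploited" list into a concrete patch order is shown below. This is an added example written for this article, not NSA tooling or code from the advisory. It ranks vulnerability-scanner findings by whether the CVE appears on the exploited list, then by exposure (internet-facing, externally reachable management interface, obsolete protocols), and derives the non-patch actions from the same guidance. The CVE identifiers, host names, protocol set and weights are constructed placeholders, not the NSA's real list.

```python
"""Patch triage against an "actively exploited" CVE list.

Added example for this article; the CVE IDs, hosts and weights below are
constructed placeholders (NOT the NSA's list) so the script runs offline.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical IDs standing in for an advisory's "actively exploited" list.
ACTIVELY_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0002"}

# Assumed set of obsolete protocols an organisation has decided to block.
OBSOLETE_PROTOCOLS = {"smbv1", "telnet", "tlsv1.0"}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    internet_facing: bool
    management_interface: bool   # admin portal or remote-management port
    protocols: Tuple[str, ...] = ()


def score_finding(f: Finding) -> Tuple[float, List[str]]:
    """Return a priority score and the reasons behind it (weights are an assumption)."""
    score = f.cvss
    reasons: List[str] = []
    if f.cve in ACTIVELY_EXPLOITED:          # exploited-in-the-wild beats raw CVSS
        score += 100
        reasons.append("on actively-exploited list")
    if f.internet_facing:
        score += 50
        reasons.append("internet-facing")
        if f.management_interface:           # external management should be disabled
            score += 25
            reasons.append("management interface reachable externally")
    obsolete = sorted({p.lower() for p in f.protocols} & OBSOLETE_PROTOCOLS)
    if obsolete:
        score += 10 * len(obsolete)
        reasons.append("obsolete protocols: " + ", ".join(obsolete))
    return score, reasons


def triage(findings) -> List[Tuple[Finding, float, List[str]]]:
    """Highest score first; ties broken by host and CVE for stable output."""
    scored = [(f, *score_finding(f)) for f in findings]
    return sorted(scored, key=lambda t: (-t[1], t[0].host, t[0].cve))


def hardening_actions(findings) -> List[str]:
    """Non-patch actions from the advisory-style guidance: isolate, block, disable."""
    actions = set()
    for f in findings:
        if f.internet_facing:
            actions.add(f"isolate {f.host} from the internal network (DMZ)")
            if f.management_interface:
                actions.add(f"disable external management on {f.host}")
        for p in f.protocols:
            if p.lower() in OBSOLETE_PROTOCOLS:
                actions.add(f"block {p.lower()} on {f.host}")
    return sorted(actions)


# Constructed sample scanner export (not real hosts, not real findings).
SAMPLE_FINDINGS = [
    Finding("vpn-edge-1", "CVE-0000-0001", 9.8, True, True, ("tlsv1.2",)),
    Finding("file-srv-7", "CVE-0000-0002", 7.5, False, False, ("SMBv1", "smbv2")),
    Finding("db-int-3", "CVE-0000-0009", 9.9, False, False, ()),
    Finding("mdm-portal", "CVE-0000-0042", 6.5, True, True, ("TLSv1.0",)),
]

if __name__ == "__main__":
    for f, s, why in triage(SAMPLE_FINDINGS):
        print(f"{s:6.1f}  {f.host:12} {f.cve}  {'; '.join(why) or 'no aggravating factors'}")
    print("\nHardening actions:")
    for a in hardening_actions(SAMPLE_FINDINGS):
        print(" -", a)
```

The point of the scoring is visible in the sample data: the CVSS 9.9 finding on the internal database host ends up last, because it is neither on the exploited list nor reachable from the internet, while the lower-scored but actively exploited flaws on edge devices rise to the top.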
According to the NSA, the hackers are mostly targeting data held by the United States Department of Defense, as well as companies in the defense industrial base. While these China-linked actors appear to focus on a specific sector, the NSA noted in its warning that the exploitation techniques being used are available to other actors as well. As a result, organizations outside the defense industry should also patch any of the listed vulnerabilities present in their environments.
A wide range of threats
According to Bank Info Security, these attacks fit a recent trend of hackers, especially state-sponsored ones, exploiting publicly known vulnerabilities with assigned CVE identifiers rather than pursuing zero-days. These attackers have little reason to spend time or money finding new vulnerabilities when information about existing ones, such as proof-of-concept code and exploit scripts, is already available.
While none of the listed vulnerabilities is new, they cover a wide range of products. Among the potentially targeted products are Citrix VPN appliances, Microsoft Windows Remote and an administrative portal from MobileIron. The common thread, besides having publicly known vulnerabilities, is that these products expose web-based services or management interfaces that are reachable from the internet.
Oliver Tavakoli, Chief Technology Officer of the cybersecurity company Vectra, told the news source that the wide range of products on the list suggests the NSA spent a significant amount of time observing these attacks before making a public announcement.
"The breadth of products covered by the list of CVEs would indicate that the NSA has curated this list through the observation of many attacks undertaken by these actors… many [attacks] were likely found only after the fact through deep forensic efforts, rather than having been identified while the attacks were active," Tavakoli said, as quoted by Bank Info Security.
The new warning from the NSA is not the first time that the government agency has called out the Chinese government for alleged hacking, according to Bloomberg. In August 2020, the NSA released a statement connecting China to a type of malware called Taidoor that had been used to target U.S. pharmaceutical companies. The threat allowed hackers to access information on potential medical treatments and vaccines for COVID-19.
Both the most recent announcement and previous warnings are part of a growing trend of the NSA announcing some cybersecurity risks publicly. According to Bloomberg, the agency has historically been more "secretive" on the subject of potential threats.
The shortcomings of Java
With state-sponsored attackers more likely than ever to exploit flaws in commonly used code and in basic, internet-facing software, the risk of relying on a ubiquitous platform like Java is higher than ever. Java is an essential building block for many products, and that ubiquity means a flaw in a Java-based component can affect a large number of deployments, and exploits for it are widely useful to attackers. This can be seen in the NSA's list of vulnerable products, which includes the Traffic Management User Interface of F5's BIG-IP. Besides letting an attacker create or delete files and disable services, the flaw in that interface could allow an attacker to execute arbitrary Java code on the device. Building software on a terminal emulation tool from a trusted company like Inventu Corporation can be one more tool in your cybersecurity arsenal to help keep such threats at bay.