Top 25 Vulnerabilities Exploited by Chinese Sponsored Hackers

Updated on June 9, 2022

On June 8, 2022, the CISA, the FBI, and the NSA have issued a joint advisory to warn organizations about Chinese cyber-espionage attacks.  The advisory reveals a list of 16 CVEs exploited by Chinese threat actors. It also stated that the attacks are primarily aimed at telecommunications companies and are conducted by exploiting vulnerabilities. It has also suggested that organizations should take additional mitigation steps to remove such attacks in the initial stage.

The National Security Agency listed 25 vulnerabilities that are being targeted by Chinese state sponsored cyber attackers popularly known as APT41. Know more about these vulnerabilities and patch them before you fall prey to a breach.

We examined 25 vulnerabilities listed in the security advisory and analyzed them for interesting correlations.

Here are our findings –

  • 12 CVEs with RCE capabilities
  • 3 CVEs with Privilege Execution
  • 6 CVEs are associated with APT Groups
  • 1 CVE is associated with Lazarus Malware
  • 4 CVEs are associated with Ransomware
  • 2 CVE’s were called out in our Cyber Risk Series

Among these 25 weaponized, 21 CVEs rank under Top 25 Common Weakness Enumeration (CWE) making them easy to exploit and the rest four CVEs are ranking under Top 30.

Out of 25 vulnerabilities, 18 CVEs have known exploits. Given below are the details.

Table 1: Known Exploits

Our threat researchers analyzed the constant cybercriminal activity related to exploit kits and found two CVEs CVE-2019-19781 and CVE-2019-11510 associated with four exploit kits. We also noticed that older exploit kits such as the RIG exploit kit, Fallout exploits kit are getting upgraded with the newer elements and capabilities.

CVE Number Exploit Kits
CVE-2019-19781 RIG exploit kit, Fallout exploit kit
CVE-2019-11510 Fallout, Spelvo

CVE’s Associated with Ransomware

We also found that four CVEs out of 25 are associated with 21 Ransomware families. Interestingly, these old vulnerabilities range from the year 2019.

S.No CVE Number Ransomware
1 CVE-2019-19781 CLOP
Vatet loader
Golang RansomwareMEGA CORTEX
Dridex 2.0
2 CVE-2019-11510 Black Kingdom
3 CVE-2019-3396 GandCrab
Mega cortex
4 CVE-2019-18935 Netwalker

Table 2: Associated Ransomware

We called out vulnerabilities CVE-2019-19781 and CVE-2019-11510 associated with REvil and Sodinokibi Ransomware in Cyber Risk in Remote Desktop and Cyber Risk in VPN. We red flagged these vulnerabilities as potential gateways for ransomware attacks and we have been proved right.

CWE Analysis of 25 Vulnerabilities

We also analyzed CWE ids and found that CWE-502 was highly targeted by the threat actors followed by CWE-22. CWE-502 categorizes vulnerabilities where the application deserializes untrusted data without verifying the resulting data as valid.

CWE-22 categorizes weaknesses that result in improper limitation of a pathname resulting in a location outside the restricted directory. Both these CWEs find a place in the Top 25 dangerous programming errors.

CWE ID Count  CWE Ranking
CWE-22 3 Top 25
CWE-94 1 Top 25
CWE-20 2 Top 25
CWE-502 4 Top 25
CWE-862 2 Top 25
CWE-119 2 Top 25
CWE-269 1 Top 25
CWE-77 1 31
CWE-295 1 28
CWE-416 1 Top 25
CWE-134 1 NA
CWE-74 1 Top 25

Table 3: CWE Ranking

Vendors Analysis

Notably, Microsoft tops the most affected vendor list exploited by the Chinese hackers. It is followed by Citrix in the second place.

Vendor Count
Microsoft 7
Citrix 4
Oracle 2
Atlassian 2
Pulse Secure 1
F5 1
Zohocorp 1
Telerik 1
Adobe 1
Mobileiron 1
Draytek 1
Cisco 1
Debian 1
Symantec 1

Table 4: Affected Vendors

Most targeted Vulnerability by Threat Actors

Over half of the vulnerabilities are  RCE – the most targeted bug. The attacker executes the code remotely by running malware and gains full access to data, and also carries out a full distributed denial of service.

These products need to be prioritized for immediate patching.  The following CVEs have low severity rating CVE-2020-8193, CVE-2020-8195, CVE-2020-8196, and CVE-2019-1040 with a CVSS Score of below 5.0. Their severity scores make them low priority for security teams which is why these vulnerabilities are routinely weaponized and targeted by malicious groups.

Patches are available for all 25 vulnerabilities. We urge you to patch these immediately and secure your environment.

25 Vulnerabilities & Patches

Table 5: Patches for Exploited Vulnerabilities

Share This Post On