{"id":7386,"date":"2020-11-06T11:52:33","date_gmt":"2020-11-06T18:52:33","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7386"},"modified":"2023-04-20T02:35:50","modified_gmt":"2023-04-20T09:35:50","slug":"top-25-exploited-vulnerabilities-by-chinese-sponsored-hackers","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/top-25-exploited-vulnerabilities-by-chinese-sponsored-hackers\/","title":{"rendered":"Top 25 Vulnerabilities Exploited by Chinese Sponsored Hackers"},"content":{"rendered":"<p dir=\"ltr\">On June 8, 2022, the CISA, the FBI, and the NSA have issued a <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-158a\">joint advisory<\/a> to warn organizations about Chinese cyber-espionage attacks.\u00a0 The advisory reveals a list of 16 CVEs exploited by Chinese threat actors. It also stated that the attacks are primarily aimed at telecommunications companies and are conducted by exploiting vulnerabilities. It has also suggested that organizations should take additional mitigation steps to remove such attacks in the initial stage.<\/p>\n<blockquote><p>The National Security Agency listed 25 vulnerabilities that are being targeted by Chinese state sponsored cyber attackers popularly known as APT41. Know more about these vulnerabilities and patch them before you fall prey to a breach.<\/p><\/blockquote>\n<p dir=\"ltr\">We examined 25 vulnerabilities listed in the security advisory and analyzed them for interesting correlations.<\/p>\n<p dir=\"ltr\">Here are our findings &#8211;<\/p>\n<ul dir=\"ltr\">\n<li role=\"presentation\">12 CVEs with RCE capabilities<\/li>\n<li role=\"presentation\">3 CVEs with Privilege Execution<\/li>\n<li role=\"presentation\">6 CVEs are associated with APT Groups<\/li>\n<li role=\"presentation\">1 CVE is associated with Lazarus Malware<\/li>\n<li role=\"presentation\">4 CVEs are associated with Ransomware<\/li>\n<li role=\"presentation\">2 CVE\u2019s were called out in our <a href=\"https:\/\/cybersecurityworks.com\/cyber-risk-series\/\">Cyber Risk Series<\/a><\/li>\n<\/ul>\n<p dir=\"ltr\" role=\"presentation\"><img decoding=\"async\" style=\"height: 359px; width: 550px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/analysis-of-weaponization-piechart(1).png\" alt=\"\" \/><\/p>\n<p dir=\"ltr\">Among these 25 weaponized, 21 CVEs rank under Top 25 Common Weakness Enumeration (CWE) making them easy to exploit and the rest four CVEs are ranking under Top 30.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"height: 338px; width: 550px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/count-of-vulnerabilities-pie-chart(1).png\" alt=\"\" \/><br \/>\nOut of 25 vulnerabilities, 18 CVEs have known exploits. Given below are the details.<\/p>\n<p><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shrjfj2n3vN72vl2I?backgroundColor=blue&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><strong>Table 1: Known Exploits<\/strong><\/p>\n<p dir=\"ltr\">Our threat researchers analyzed the constant cybercriminal activity related to exploit kits and found two CVEs CVE-2019-19781 and CVE-2019-11510 associated with four exploit kits. We also noticed that older exploit kits such as the RIG exploit kit, Fallout exploits kit are getting upgraded with the newer elements and capabilities.<\/p>\n<table border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<tbody>\n<tr>\n<td><strong>CVE Number<\/strong><\/td>\n<td><strong>Exploit Kits<\/strong><\/td>\n<\/tr>\n<tr>\n<td>CVE-2019-19781<\/td>\n<td>RIG exploit kit, Fallout exploit kit<\/td>\n<\/tr>\n<tr>\n<td>CVE-2019-11510<\/td>\n<td>Fallout, Spelvo<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 dir=\"ltr\">CVE&#8217;s Associated with Ransomware<\/h2>\n<p>We also found that four CVEs out of 25 are associated with 21 Ransomware families. Interestingly, these old vulnerabilities range from the year 2019.<\/p>\n<table border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<tbody>\n<tr>\n<td><strong>S.No<\/strong><\/td>\n<td><strong>CVE Number<\/strong><\/td>\n<td><strong>Ransomware<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>CVE-2019-19781<\/td>\n<td>CLOP<br \/>\nNOTROBIN<br \/>\nRagnarok<br \/>\nSodinokibi<br \/>\nVatet loader<br \/>\nREVIL<br \/>\nGolang RansomwareMEGA CORTEX<br \/>\nSNAKE<br \/>\nDoppelPaymer<br \/>\nBitpaymer<br \/>\nDridex 2.0<br \/>\nNeifilm<br \/>\nNemty<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>CVE-2019-11510<\/td>\n<td>Black Kingdom<br \/>\nSodinokibi<br \/>\nMaze<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>CVE-2019-3396<\/td>\n<td>GandCrab<br \/>\nLockergoga<br \/>\nMega cortex<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>CVE-2019-18935<\/td>\n<td>Netwalker<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><em><strong>Table 2: Associated Ransomware<\/strong><\/em><\/p>\n<p>We called out vulnerabilities CVE-2019-19781 and CVE-2019-11510 associated with REvil and Sodinokibi Ransomware in <a href=\"http:\/\/cybersecurityworks.com\/resources\/cyber-risk-series\/cyber-risk-in-remote-desktop.html\">Cyber Risk in<\/a> <a href=\"http:\/\/cybersecurityworks.com\/resources\/cyber-risk-series\/cyber-risk-in-remote-desktop.html\">Remote Desktop <\/a>and <a href=\"http:\/\/cybersecurityworks.com\/resources\/cyber-risk-series\/cyber-risk-in-vpn.html\">Cyber Risk in VPN<\/a>. We red flagged these vulnerabilities as potential gateways for ransomware attacks and we have been proved right.<\/p>\n<h2 dir=\"ltr\">CWE Analysis of 25 Vulnerabilities<\/h2>\n<p dir=\"ltr\">We also analyzed CWE ids and found that CWE-502 was highly targeted by the threat actors followed by CWE-22. CWE-502 categorizes vulnerabilities where the application deserializes untrusted data without verifying the resulting data as valid.<\/p>\n<p dir=\"ltr\">CWE-22 categorizes weaknesses that result in improper limitation of a pathname resulting in a location outside the restricted directory. Both these CWEs find a place in the Top 25 dangerous programming errors.<\/p>\n<table border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<tbody>\n<tr>\n<td><strong>CWE ID<\/strong><\/td>\n<td><strong>Count\u00a0<\/strong><\/td>\n<td><strong>CWE Ranking<\/strong><\/td>\n<\/tr>\n<tr>\n<td>CWE-22<\/td>\n<td>3<\/td>\n<td>Top 25<\/td>\n<\/tr>\n<tr>\n<td>CWE-94<\/td>\n<td>1<\/td>\n<td>Top 25<\/td>\n<\/tr>\n<tr>\n<td>CWE-20<\/td>\n<td>2<\/td>\n<td>Top 25<\/td>\n<\/tr>\n<tr>\n<td>CWE-502<\/td>\n<td>4<\/td>\n<td>Top 25<\/td>\n<\/tr>\n<tr>\n<td>CWE-862<\/td>\n<td>2<\/td>\n<td>Top 25<\/td>\n<\/tr>\n<tr>\n<td>CWE-119<\/td>\n<td>2<\/td>\n<td>Top 25<\/td>\n<\/tr>\n<tr>\n<td>CWE-269<\/td>\n<td>1<\/td>\n<td>Top 25<\/td>\n<\/tr>\n<tr>\n<td>CWE-77<\/td>\n<td>1<\/td>\n<td>31<\/td>\n<\/tr>\n<tr>\n<td>CWE-295<\/td>\n<td>1<\/td>\n<td>28<\/td>\n<\/tr>\n<tr>\n<td>CWE-416<\/td>\n<td>1<\/td>\n<td>Top 25<\/td>\n<\/tr>\n<tr>\n<td>CWE-134<\/td>\n<td>1<\/td>\n<td>NA<\/td>\n<\/tr>\n<tr>\n<td>CWE-74<\/td>\n<td>1<\/td>\n<td>Top 25<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\" style=\"text-align: center;\"><em><strong>Table 3: CWE Ranking<\/strong><\/em><\/p>\n<h2 dir=\"ltr\">Vendors Analysis<\/h2>\n<p dir=\"ltr\">Notably, Microsoft tops the most affected vendor list exploited by the Chinese hackers. It is followed by Citrix in the second place.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"height: 368px; width: 550px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/affected-products.png\" alt=\"\" \/><\/p>\n<table border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<tbody>\n<tr>\n<td>Vendor<\/td>\n<td>Count<\/td>\n<\/tr>\n<tr>\n<td>Microsoft<\/td>\n<td>7<\/td>\n<\/tr>\n<tr>\n<td>Citrix<\/td>\n<td>4<\/td>\n<\/tr>\n<tr>\n<td>Oracle<\/td>\n<td>2<\/td>\n<\/tr>\n<tr>\n<td>Atlassian<\/td>\n<td>2<\/td>\n<\/tr>\n<tr>\n<td>Pulse Secure<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>F5<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Zohocorp<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Telerik<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Adobe<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Mobileiron<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Draytek<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Cisco<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Debian<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Symantec<\/td>\n<td>1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><em><strong>Table 4: Affected Vendors<\/strong><\/em><\/p>\n<h2>Most targeted Vulnerability by Threat Actors<\/h2>\n<p dir=\"ltr\">Over half of the vulnerabilities are\u00a0 RCE &#8211; the most targeted bug. The attacker executes the code remotely by running malware and gains full access to data, and also carries out a full distributed denial of service.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"height: 461px; width: 550px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/cve-with-known-exploits(1).png\" alt=\"\" \/><\/p>\n<p dir=\"ltr\">These products need to be prioritized for immediate patching.\u00a0\u00a0The following CVEs have low severity rating CVE-2020-8193, CVE-2020-8195, CVE-2020-8196, and CVE-2019-1040 with a CVSS Score of below 5.0. Their severity scores make them low priority for security teams which is why these vulnerabilities are routinely weaponized and targeted by malicious groups.<\/p>\n<p dir=\"ltr\">Patches are available for all 25 vulnerabilities. We urge you to patch these immediately and secure your environment.<\/p>\n<h2 dir=\"ltr\">25 Vulnerabilities &amp; Patches<\/h2>\n<p><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shr5PdEs4VWcoKAca?backgroundColor=blue&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><em><strong>Table 5: Patches for Exploited Vulnerabilities<\/strong><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The National Security Agency listed 25 vulnerabilities that are being targeted by Chinese state sponsored cyber attackers popularly known as APT41.<\/p>\n","protected":false},"author":1,"featured_media":7387,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[80,123],"tags":[349,152,91,250,139],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7386"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7386"}],"version-history":[{"count":4,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7386\/revisions"}],"predecessor-version":[{"id":17894,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7386\/revisions\/17894"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/7387"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}