The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA, FBI, and a broad coalition of international partners, has released a comprehensive cybersecurity advisory detailing a widespread espionage campaign by People’s Republic of China (PRC) state-sponsored actors targeting critical networks worldwide.
The 37-page report, “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” outlines the tactics, techniques, and procedures (TTPs) used by these advanced persistent threat (APT) groups to infiltrate and maintain long-term access to telecommunications, government, transportation, and military infrastructure.
Key Takeaways
1. Guide uses MITRE ATT&CK/D3FEND to counter Chinese APTs exploiting CVEs.
2. Enforce management isolation, disable risky features, and require strong authentication.
3. Prioritize patching, enable detailed logging, and coordinate threat hunting.
According to the advisory, these cyber actors, tracked by industry under names such as “Salt Typhoon” and “GhostEmperor,” have been operating since at least 2021.
The operation aims to steal data that allows Chinese intelligence services to track the communications and movements of their targets around the globe.
The advisory explicitly links the activity to several Chinese technology companies, including Sichuan Juxinhe Network Technology Co. Ltd., which allegedly provides services to China’s military and intelligence arms.
A key finding of the investigation is that the actors are not relying on zero-day exploits. Instead, they are having “considerable success” by exploiting publicly known and often unpatched common vulnerabilities and exposures (CVEs).
The report urges network defenders to prioritize patching several specific vulnerabilities, including those affecting Cisco, Palo Alto Networks, and Ivanti devices.
CVE | Vendor/Product | Details |
---|---|---|
CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy | Command injection vulnerability, often chained with CVE-2023-46805 for authentication bypass. |
CVE-2024-3400 | Palo Alto Networks PAN-OS GlobalProtect | Allows for unauthenticated remote code execution (RCE) via arbitrary file creation that leads to OS command injection on firewalls with specific GlobalProtect configurations. |
CVE-2023-20273 | Cisco IOS XE | A post-authentication command injection and privilege escalation flaw in the web management UI, frequently chained with CVE-2023-20198 to achieve root-level code execution. |
CVE-2023-20198 | Cisco IOS XE | An authentication bypass vulnerability in the web UI that enables the creation of unauthorized administrative accounts. |
CVE-2018-0171 | Cisco IOS and IOS XE | A remote code execution vulnerability related to the Smart Install feature. |
The threat actors’ methodology involves a “living off the land” approach. After gaining initial access by exploiting a vulnerable, internet-facing router or firewall, they use the device’s own native tools and capabilities to burrow deeper into the network.
Techniques include modifying access control lists, capturing network traffic to steal credentials, and using on-box Linux containers like Cisco’s Guest Shell to hide their tools and activities from standard monitoring.
“These actors often modify routers to maintain persistent, long-term access to networks,” the advisory states. They create covert tunnels, re-route traffic to their own infrastructure, and meticulously clear logs to cover their tracks, making detection extremely difficult.
The joint advisory represents a massive international effort, with contributing agencies from Australia, Canada, the United Kingdom, New Zealand, Germany, Japan, Italy, and Poland, among others. It provides detailed threat-hunting guidance, urging organizations to:
- Monitor for unauthorized configuration changes, unexpected network tunnels (GRE, IPsec), and suspicious use of packet capture tools.
- Audit virtualized containers on network devices for unauthorized activity.
- Verify firmware and software integrity against vendor-provided hashes.
- Implement robust logging and forward logs to a secure, centralized server.
Mitigation strategies focus on hardening network infrastructure. Recommendations include disabling unused ports and services, implementing strict management-plane isolation, enforcing strong, unique credentials, and disabling legacy protocols like Telnet and SNMPv1/v2 in favor of secure, modern alternatives.
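As an added illustration (not code from the advisory or this article), the following Python script audits a constructed Cisco IOS XE-style running-config for the hunting and hardening themes summarised above: GRE tunnel interfaces, on-box container hosting, Smart Install, SNMPv1/v2c community strings, Telnet on VTY lines, the plaintext HTTP web UI, and privilege-15 accounts outside an allowlist. The CLI keywords reflect Cisco IOS/IOS XE syntax as the editor knows it, and the admin allowlist is an assumption of the example.

```python
import re

# Constructed sample running-config for demonstration; not taken from the advisory.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username admin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
ip http server
iox
vstack
snmp-server community public RO
interface Tunnel7
 tunnel mode gre ip
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
line vty 0 4
 transport input telnet ssh
"""

# (finding label, regex applied to each config line). The keywords are IOS/IOS XE
# syntax as understood by the editor; map them to your platform before relying on them.
CHECKS = [
    ("GRE tunnel interface configured", re.compile(r"^\s*tunnel mode gre\b")),
    ("IOx/Guest Shell container hosting enabled", re.compile(r"^\s*iox\s*$")),
    ("Smart Install (vstack) enabled", re.compile(r"^\s*vstack\s*$")),
    ("Plaintext HTTP web UI exposed", re.compile(r"^\s*ip http server\s*$")),
    ("SNMPv1/v2c community string present", re.compile(r"^\s*snmp-server community\b")),
    ("Telnet accepted on VTY lines", re.compile(r"^\s*transport input\b.*\btelnet\b")),
]


def audit_config(config, known_admins=frozenset({"admin"})):
    """Return a list of findings for one running-config text.

    known_admins is an assumed allowlist of expected privilege-15 accounts;
    any other privilege-15 user is reported for review.
    """
    findings = []
    for line in config.splitlines():
        for label, pattern in CHECKS:
            if pattern.search(line):
                findings.append(f"{label}: {line.strip()}")
        m = re.match(r"^\s*username (\S+) privilege 15\b", line)
        if m and m.group(1) not in known_admins:
            findings.append(f"Unexpected privilege-15 account: {m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` pulled from a device; a clean, hardened config (SSH-only VTYs, `ip http secure-server` only, no `iox`/`vstack`, SNMPv3) produces no findings.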
The advisory serves as a critical resource for network defenders, providing not only strategic guidance but also specific indicators of compromise, such as IP addresses used by the actors and YARA rules to detect their custom malware.
CISA and its partners strongly urge organizations, especially in the telecommunications sector, to use the guide to proactively hunt for malicious activity and fortify their defenses against this persistent global threat.