Chinese hackers breached major telecommunications companies using publicly known vulnerabilities

Chinese hackers have breached major telecommunication companies and network service providers to steal credentials and harvest data.

According to a new joint advisory issued by the NSA, CISA, and the FBI, the Chinese state-sponsored cybercriminals have exploited publicly known vulnerabilities to breach a wide range of network devices, from small office/home office routers to large enterprise network equipment. These compromised devices provided an initial foothold into a telecommunications organization or network service provider and also served as part of the attackers’ own attack infrastructure, which helped them to breach further networks.

After gaining initial access to the compromised network, the threat actors identified critical users and infrastructure, “including systems critical to maintaining the security of authentication, authorization, and accounting,” the advisory says.

Using stolen credentials, the hackers gained access to an underlying SQL database and dumped the router configurations and user and admin credentials from RADIUS servers. From there, they returned to the network, authenticated to the routers and executed router commands to route, capture, and exfiltrate traffic without the victim’s consent.
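The stage the advisory describes, valid credentials used to log in to routers and change their configuration, is one that network logs can surface. The following Python is an added defender-side illustration, not code from the article or the advisory: it runs over constructed Cisco-style syslog lines and flags successful logins and configuration changes whose source address lies outside an assumed management subnet (10.10.0.0/24); the log format and the subnet are assumptions.

```python
import ipaddress
import re

# Constructed sample of Cisco-style syslog lines (not taken from the advisory).
# Assumption: legitimate administration comes only from 10.10.0.0/24.
SAMPLE_LOGS = """\
Jun 08 10:01:12 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.15] [localport: 22] at 10:01:12 UTC
Jun 08 10:02:40 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.0.15)
Jun 08 23:14:03 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: radius-svc] [Source: 192.0.2.77] [localport: 22] at 23:14:03 UTC
Jun 08 23:15:21 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by radius-svc on vty1 (192.0.2.77)
Jun 08 23:16:05 edge-rtr-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 23:16:05 UTC
"""

# Successful interactive login: captures the account and the source address.
LOGIN_RE = re.compile(
    r"LOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
# Running-config change: captures the account and the address of its session.
CONFIG_RE = re.compile(
    r"CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<src>[^)]+)\)"
)


def find_suspicious_sessions(log_text, mgmt_nets=("10.10.0.0/24",)):
    """Return (user, source_ip, event) tuples for successful logins and
    configuration changes sourced from outside the management networks.
    A valid account used from an unexpected address is the signal here:
    stolen credentials pass authentication, so the source is what stands out."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for line in log_text.splitlines():
        for event, pattern in (("login", LOGIN_RE), ("config_change", CONFIG_RE)):
            match = pattern.search(line)
            if not match:
                continue
            src = ipaddress.ip_address(match["src"])
            if not any(src in net for net in nets):
                findings.append((match["user"], str(src), event))
    return findings


if __name__ == "__main__":
    for user, src, event in find_suspicious_sessions(SAMPLE_LOGS):
        print(f"{event:<14} user={user} source={src}")
```

Failed logins are deliberately not matched; the point is that a stolen credential succeeds, so detection keys on where the successful session came from.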

According to the advisory, since 2020, the Chinese state-sponsored cybercriminals have been using the following vulnerabilities:

CVE-2018-0171 – remote code execution in Cisco IOS XE;

CVE-2019-15271 – remote code execution in Cisco Small Business RV Series Routers;

CVE-2019-1652 – remote code execution in Cisco Small Business RV320 and RV325 Routers;

CVE-2019-19781 – remote code execution in Citrix ADC and Gateway;

CVE-2020-8515 – remote code execution in Draytek Vigor 2960, 3900 and 300B;

CVE-2019-16920 – remote code execution in D-Link products;

CVE-2018-13382 – authentication bypass in FortiOS SSL VPN;

CVE-2018-14847 – authentication bypass in MikroTik RouterOS;

CVE-2021-22893 – remote code execution in Pulse Connect Secure;

CVE-2019-7192 – privilege elevation in QNAP Systems QTS and Photo Station;

CVE-2019-7193 – remote injection in QNAP Systems QTS and Photo Station;

CVE-2019-7194 – XML routing detour attack in QNAP Systems QTS and Photo Station;

CVE-2019-7195 – XML routing detour attack in QNAP Systems QTS and Photo Station;

CVE-2020-29583 – authentication bypass in Zyxel products.