Chinese state-sponsored cyber actors are targeting bugs in F5, Citrix, Pulse and Microsoft Exchange Servers, US agencies warn

Organisations need to patch their systems immediately, they advise

The US federal agencies have issued a joint advisory to warn government and private sector entities about a fresh wave of cyber attacks by Chinese state-sponsored hackers targeting vulnerabilities in Microsoft Exchange Servers, Pulse and Citrix Secure VPNs and F5 devices.

In the new advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) said that they had observed a large number of cyber incidents in recent months in which hackers affiliated to China's Ministry of State Security (MSS) conducted attacks by exploiting vulnerabilities that have already been patched by vendors.

In some case, patches were released about a year ago, but many organisations have not yet updated their systems, leaving them vulnerable to attacks from cyber actors.

The most notable bugs that the US agencies have seen being targeted by Chinese hackers are:

• CVE-2020-0688: This bug exists in Exchange Control Panel (ECP) component of Microsoft Exchange Server and could enable an attacker to perform remote code execution on the server with SYSTEM privileges. Microsoft patched the bug in February, but less than 15 per cent of vulnerable systems had either been patched or remediated after one month, according to security researchers from Kenna Security. The researchers also found that the bulk of installs were 2016 versions, with some 74 per cent found to be 'vulnerable' and 26 per cent 'potentially vulnerable'.
• CVE-2019-19781: This flaw impacts Citrix Gateway (formerly NetScaler Gateway) and Citrix Application Delivery Controller (formerly NetScaler ADC) servers and could allow remote unauthenticated attackers to run commands to gain access to a network. In January, researchers at Positive Technologies warned that the flaw could put more than 80,000 organisations at risk.
• CVE-2020-5902: This vulnerability in F5 Network's Big-IP Traffic Management User Interface (TMUI) allows remote cyber threat actors to run arbitrary system commands, disable services, create or delete files, and execute Java code, without authentication. To exploit the vulnerability, an attacker would need to send a specially crafted HTTP request to the server hosting the TMUI utility for BIG-IP configuration. As of July, nearly 8,000 users of BIG-IP family of networking devices had not applied the patch to secure their systems against the critical flaw.
• CVE-2019-11510: This bug in Pulse Secure VPN appliances lets a remote, unauthenticated attacker to send a specially crafted URIs to establish a connection with vulnerable servers and read files containing user credentials. The attacker can use the information to take full control of an organisation's systems. In February, security researchers revealed that nearly 2500 Pulse Secure VPN servers worldwide were still vulnerable to CVE-2019-11510, more than six months after the security flaw was first publicised.

"If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network," CISA said in its the advisory.

The agency recommends organisations to take notice of the techniques and procedures used by hackers to target the above-mentioned vulnerabilities and to patch their systems as soon as possible.