Why firewalls, VPNs and hypervisors are a hacker's new favourite target
TTPs and telemetry suggest a real focus on zero days and appliances by Chinese APTs.
Some of the world’s biggest cyber-espionage groups have shifted to new tactics, putting public-facing appliances at risk. Here’s what you need to watch for - and how to boost your defences.
Zero-day flaws in firewalls, virtual private networks (VPNs), email servers and other internet-facing network appliances are now the focus of attacks by China’s state-backed hacking groups.
Over 85% of known zero-day vulnerabilities exploited by Chinese state-sponsored groups since 2021 have been in public-facing appliances such as firewalls, enterprise VPN products, hypervisors, load balancers, and email security products, according to research by security company Recorded Future.
It said that by exploiting these zero-days, these groups had found a way to attack a wide range of global targets, and warned that as organizations move to the cloud, China’s hackers will start targeting those environments, too.
Firewalls and gateways look juicy
Chinese APTs have exploited these vulnerabilities since 2021:
CVE-2023-22515: Atlassian Confluence Data Center and Server
CVE-2023-3519: Citrix NetScaler
CVE-2023-20867: VMware vCenter
CVE-2023-2868: Barracuda Email Security Gateway
CVE-2022-27518: Citrix ADC/Gateway
CVE-2022-41328: Fortinet FortiOS
CVE-2022-42475: Fortinet FortiOS
CVE-2022-41040: Microsoft Exchange Server
CVE-2022-41082: Microsoft Exchange Server
CVE-2022-3236: Sophos Firewall
CVE-2022-30190: Microsoft Windows
CVE-2022-26134: Atlassian Confluence Server & Data Center
CVE-2022-1040: Sophos Firewall
CVE-2022-24682: Synacor Zimbra Collaboration Suite
CVE-2021-40539: ManageEngine ADSelfService
CVE-2021-40449: Microsoft Windows
CVE-2021-30869: Apple macOS
CVE-2021-44077: Zoho ManageEngine
CVE-2021-35211: SolarWinds Serv-U
CVE-2021-26855: Microsoft Exchange Server
CVE-2021-26857: Microsoft Exchange Server
CVE-2021-26858: Microsoft Exchange Server
CVE-2021-27065: Microsoft Exchange Server
China’s state-sponsored hacking groups were previously known for rather ‘noisy’ and indiscriminate hacking campaigns, using watering hole attacks and phishing in their attempts to steal intellectual property. But now these groups are much more careful in their targeting, and use anonymised networks to stay hidden. These networks are often made up of compromised internet-exposed internet of things (IoT) and network devices such as small office/home office (SOHO) routers, which makes attacks much harder to track, as they are often hidden alongside legitimate internet traffic.
The focus on attacking public-facing appliances such as firewalls and VPNs fits with this lower-profile strategy because many of these devices have limited logging capabilities and often do not support traditional endpoint security, Recorded Future said – making it hard for organisations to know they are being attacked.
“Over 85% of known zero-day vulnerabilities exploited by Chinese state-sponsored groups over this period were in public-facing appliances such as email servers and appliances (such as Zimbra, Microsoft Exchange, and Barracuda ESG), SSL VPN products (such as Pulse Secure and Fortinet FortiOS SSL-VPN), firewalls (Sophos XG), and other internet-facing appliances (such as Citrix ADC, Zoho ManageEngine, and Atlassian Confluence),” the company’s researchers said.
In most cases, these attackers are then using web shells or customized malware families designed for these appliances to maintain persistent access.
“Post-exploitation, there is an increased emphasis on the use of living-off-the-land techniques coupled with valid credentials for discovery, collection, and lateral movement, as well as removing forensic evidence of intrusion activity. Interaction with victim networks is commonly carried out using private anonymization networks, which complicates attribution, detection, and tracking efforts,” the researchers note.
In several cases, Recorded Future said it has observed the concurrent use of zero-day exploits by multiple distinct Chinese state-sponsored groups, suggesting they are sharing developers or some kind of exploit supply chain. And it warned that it sees “persistent” global Chinese cyber-espionage activity across almost all industry verticals, and tracks over 50 distinct, currently active, suspected Chinese state-sponsored threat activity groups. “This far exceeds the scale of activity seen from other prominent state-sponsored cyber threat actors such as Russia or Iran,” it said.
So what can I do?
Recorded Future mentions some potential mitigations which could help protect against attacks:
Use a risk-based approach for patching vulnerabilities: Prioritise high-risk vulnerabilities and those being exploited in the wild. Pay particular attention to remote code execution (RCE) vulnerabilities in external-facing appliances.
Have security monitoring and detection capabilities in place for all external-facing services and devices: Monitor for follow-on activity that could come after an initial attack, such as the deployment of web shells, backdoors, or reverse shells, and lateral movement to internal networks.
Practice network segmentation: That could mean isolating internet-facing services in a network demilitarized zone (DMZ).
Enforce multi-factor authentication (MFA) on all VPN connections: Consider implementing anomaly detection for VPN connections.
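The monitoring recommendation above, as an added example that is not part of the article or of the Recorded Future report: a small Python detector that reads web-server access logs in the common combined format and flags requests to server-side scripts that are not on an administrator-maintained allowlist, or that sit in directories meant for uploads or static content, which is one of the ways a newly dropped web shell shows up on an appliance that cannot run endpoint security. The allowlist (KNOWN_SCRIPTS), the directory list (WRITABLE_DIRS), the log format and the log lines are all constructed assumptions for the example.

```python
"""
Flag likely web-shell follow-on activity in web access logs.
Added example, not from the article or the Recorded Future report. The log
format is assumed to be the Apache/Nginx "combined" format, and the script
allowlist is a hypothetical baseline an admin would keep per appliance.
"""
import re
from collections import defaultdict

# Assumed combined log format:
# ip - - [timestamp] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical allowlist: server-side script paths the appliance legitimately serves.
KNOWN_SCRIPTS = {"/login.php", "/api/v1/session.php", "/portal/index.jsp"}

# Extensions that mean server-side code runs when the path is requested.
SCRIPT_EXT = re.compile(r"\.(php|jsp|jspx|aspx?|ashx|cgi|pl)$", re.IGNORECASE)

# Directories meant for static or uploaded content; a script request there is suspicious.
WRITABLE_DIRS = ("/uploads/", "/tmp/", "/images/", "/static/", "/attachments/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the list of detection reasons for one parsed request (empty = benign)."""
    reasons = []
    path = rec["path"].split("?", 1)[0]  # drop the query string before extension checks
    is_script = bool(SCRIPT_EXT.search(path))
    if is_script and path not in KNOWN_SCRIPTS:
        reasons.append("script outside baseline")
    if is_script and any(path.startswith(d) for d in WRITABLE_DIRS):
        reasons.append("script in writable/static dir")
    if rec["method"] == "POST" and is_script and path not in KNOWN_SCRIPTS:
        reasons.append("POST to unknown script")
    return reasons


def detect(lines):
    """Aggregate suspicious requests per path: {path: {"reasons", "ips", "hits"}}."""
    findings = defaultdict(lambda: {"reasons": set(), "ips": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real deployment would count these
        reasons = classify(rec)
        if reasons:
            path = rec["path"].split("?", 1)[0]
            entry = findings[path]
            entry["reasons"].update(reasons)
            entry["ips"].add(rec["ip"])
            entry["hits"] += 1
    return dict(findings)


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:10:05:10 +0000] "GET /uploads/img01.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:10:05:11 +0000] "POST /uploads/cache.jsp?v=2 HTTP/1.1" 200 128 "-" "python-requests/2.28"',
    '198.51.100.9 - - [10/Oct/2023:10:05:15 +0000] "POST /uploads/cache.jsp HTTP/1.1" 200 4096 "-" "python-requests/2.28"',
    '192.0.2.77 - - [10/Oct/2023:10:07:00 +0000] "GET /portal/index.jsp HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, entry in detect(SAMPLE_LOG).items():
        print(f"{path}: {entry['hits']} hits from {sorted(entry['ips'])} "
              f"-> {sorted(entry['reasons'])}")
```

The allowlist is the part that does the work: on an appliance the set of legitimate server-side script paths is small and stable, so any new one is worth a ticket, while the directory check catches the common case of a shell written to a location the application is allowed to write to. Feed the detector the appliance's exported access logs (or a syslog forward of them) on a schedule, since the devices themselves rarely run agents.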