The US Joint Cybersecurity Advisory (CSA) is a consortium of organisations including the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The consortium publishes advisories and alerts to sensitise cyber asset owners and the general public on cyber security. On 06 Oct 2022 it released a report listing the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People's Republic of China (PRC) state-sponsored cyber actors (read the report here). The list names 20 CVEs in software from various vendors that are still exploitable and are being used by PRC state-sponsored cyber actors to actively target U.S. and allied networks, as well as software and hardware companies, in order to steal intellectual property and develop access into sensitive networks.
India ready to take on Chinese Cyber Attack
The PRC is also known to be targeting India, especially vulnerable critical infrastructure such as power, banking, energy and other digital assets. The reported targeted attacks are carried out by professionals enlisted for this purpose by the People's Liberation Army (PLA) of China. India is on the active list of PLA targets, especially after India decided to abstain from the UNHRC resolution on the rights situation in China's Xinjiang. This resolution was sponsored by a group comprising Canada, Denmark, Finland, Iceland, Norway, Sweden, the UK and the US, and was co-sponsored by other countries such as Turkey. However, the vote went in favour of China, with 19 members of the UNHRC opposing the resolution and 11 members, including India, Malaysia and Ukraine, abstaining (twelve of the 17 OIC member states with representation in the UNHRC also voted in favour of China). The human rights atrocities against the Muslim community in the Xinjiang Uyghur Autonomous Region have been a point of concern, and many countries have flagged the issue at the UN; China has never acknowledged its actions against the Uyghur people as a human rights violation.
The Chinese state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Many of the CVEs in the CSA report are reported to allow the actors to surreptitiously gain unauthorized access to sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks.
We at Cyber Secure India evaluate the three CVEs that have been identified as the most used against Indian networks and targets:
CVE-2022-1388, CVE-2022-24112 and CVE-2022-26134
The state-sponsored teams of the PRC use an increasing array of new and adaptive techniques against their targets; the aim is to establish persistence and follow a methodology that slowly poisons and destroys the infrastructure before stealing information. These can be combined with Advanced Persistent Threat (APT) forms of attack. An APT is an attack employing a range of techniques designed to steal information from targets using continuous, clandestine and sophisticated hacking techniques: gaining access to a system and remaining inside for a prolonged period, with potentially destructive consequences. The actors base these attacks on stealthy techniques, and most of the time their original source cannot be traced. The recent TAG-28 attack on power and other Indian infrastructure is also an example of an APT attack.
CVE-2022-1388: This is a Remote Code Execution vulnerability in F5 BIG-IP devices. It is a critical iControl REST authentication bypass affecting the following versions of F5 BIG-IP: 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. CVE-2022-1388 can be exploited remotely by unauthenticated attackers to take over vulnerable BIG-IP devices and use that access to execute system commands, create or delete files, or disable services. The OEM provided a fix in May 2022. Where systems are suspected to have been compromised, we suggest using the latest Snort and Suricata tools, which will identify the attack provided their signatures have been updated.
CVE-2022-24112: This is an Authentication Bypass by Spoofing vulnerability in Apache APISIX. An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. When the admin key has been changed, or the port of the Admin API has been changed to one different from the data panel, the impact is lower, but there is still a risk of bypassing the IP restriction of Apache APISIX's data panel. The batch-requests plugin contains a check that overrides the client IP with its real remote IP, but due to a bug in the code this check can be bypassed. Apache APISIX versions between 1.3 and 2.12.1 (excluding 2.12.1) and LTS versions of Apache APISIX between 2.10.0 and 2.10.4 are reported to be vulnerable.
CVE-2022-26134: This is a Remote Code Execution vulnerability in Atlassian Confluence. Confluence is a web-based corporate wiki developed by the Australian software company Atlassian. Atlassian wrote Confluence in the Java programming language and first published it in 2004. Confluence Standalone comes with a built-in Tomcat web server and HSQL database, and also supports other databases. CVE-2022-26134 is an unauthenticated OGNL injection remote code execution vulnerability affecting Confluence Server and Data Center versions after 1.3.0. OGNL (Object-Graph Navigation Language) is an open-source Expression Language (EL) used for getting and setting the properties of Java objects; an OGNL injection occurs when user-supplied data is insufficiently validated and the EL interpreter attempts to interpret it, enabling attackers to inject their own EL code. To exploit a vulnerable server, a remote attacker can send a malicious HTTP GET request with an OGNL payload in the URI. Once exploited, the vulnerable server allows the attacker to execute commands remotely with the privileges of the user running the Confluence application. The vulnerability is fixed in Confluence versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.
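For the three CVEs above, the first defensive step is checking which deployed versions still fall inside the affected ranges. The following Python is an added example, not code from the post, the CSA or any vendor: it encodes the version ranges exactly as stated above and triages a constructed inventory against them (host names and versions in the sample are made up).

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

def parse(v: str) -> Version:
    """'16.1.2.2' -> (16, 1, 2, 2); shorter strings are zero-padded to four parts."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (4 - len(parts))

# Affected ranges as the post states them: (lowest affected, first fixed release).
# A None upper bound means the post calls the whole major.minor branch affected.
AFFECTED: Dict[str, List[Tuple[str, Optional[str]]]] = {
    # F5 BIG-IP: 16.1.x < 16.1.2.2, 15.1.x < 15.1.5.1, 14.1.x < 14.1.4.6, 13.1.x < 13.1.5, all 12.1.x / 11.6.x
    "CVE-2022-1388": [("16.1", "16.1.2.2"), ("15.1", "15.1.5.1"), ("14.1", "14.1.4.6"),
                      ("13.1", "13.1.5"), ("12.1", None), ("11.6", None)],
    # Apache APISIX: 1.3 up to (excluding) 2.12.1, with the 2.10.x LTS branch fixed at 2.10.4
    "CVE-2022-24112": [("1.3", "2.10.4"), ("2.11", "2.12.1")],
    # Confluence: 1.3.0 onward, fixed in 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1
    "CVE-2022-26134": [("1.3.0", "7.4.17"), ("7.5", "7.13.7"), ("7.14", "7.14.3"),
                       ("7.15", "7.15.2"), ("7.16", "7.16.4"), ("7.17", "7.17.4"),
                       ("7.18", "7.18.1")],
}

def affected_by(cve: str, version: str) -> bool:
    """True when `version` falls inside one of the post's affected ranges for `cve`."""
    v = parse(version)
    for lo, hi in AFFECTED[cve]:
        lo_v = parse(lo)
        if hi is None:  # whole branch affected: match on the major.minor prefix only
            if v[:2] == lo_v[:2]:
                return True
        elif lo_v <= v < parse(hi):
            return True
    return False

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, cve, version) rows that still need patching."""
    return [row for row in inventory if affected_by(row[1], row[2])]

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("bigip-edge-1", "CVE-2022-1388", "16.1.2.1"),
    ("bigip-edge-2", "CVE-2022-1388", "16.1.2.2"),
    ("bigip-legacy", "CVE-2022-1388", "12.1.3"),
    ("apisix-gw", "CVE-2022-24112", "2.10.3"),
    ("apisix-lts", "CVE-2022-24112", "2.10.5"),
    ("wiki", "CVE-2022-26134", "7.13.6"),
    ("wiki-dc", "CVE-2022-26134", "7.18.1"),
]
```

Running `triage(SAMPLE_INVENTORY)` flags bigip-edge-1, bigip-legacy, apisix-gw and wiki; the hosts on a first fixed release (16.1.2.2, 2.10.5, 7.18.1) are not reported.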
Conclusion
These vulnerabilities, and others like them, can assist an attacker in inserting malware into the system, especially persistent malware. In a recent research report, China is said to be using a new multi-function malware against its targets. Dubbed Chaos, the malware is designed to carry out several types of cyberattacks against Windows and Linux systems. As of September 2022, the number of Chaos nodes had climbed to 111, surpassing 93 in August, as reported by Lumen Black Lotus Labs. A noted differentiating characteristic of Chaos over other malware strains is that it can carry out automated vulnerability exploitation for lateral movement, or brute-force SSH using stolen SSH keys. Additionally, its reverse shell enables the malware operator to upload, download or modify files from the command and control (C2) infrastructure located in China.
Chaos is written in Go, a language that offers agility, flexibility, difficulty of reverse engineering, and cross-platform compilation (something that many applications still lack today).