
NSA Top 25 vulnerabilities active


humble3d


The U.S. National Security Agency (NSA) is warning that Chinese state-sponsored hackers exploit 25 different vulnerabilities in attacks against United States organizations and interests.

 
In an advisory issued today, the NSA is aware of targeted attacks by Chinese state-sponsored hackers against National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and the Department of Defense (DoD) information networks.

 

As part of these attacks, the NSA has seen twenty-five publicly disclosed vulnerabilities exploited to gain access to networks, deploy malicious mobile apps, and spread laterally through a system while attackers steal sensitive data.

 

The NSA is advising all organizations to immediately patch vulnerable devices to protect against cyberattacks that lead to data theft, banking fraud, and ransomware attacks.

 

“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” NSA Cybersecurity Director Anne Neuberger said. “We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.”

 

Vulnerabilities used in different phases of attack

The NSA has categorized the vulnerabilities into different buckets to illustrate how they are being used in cyberattacks.

 

Exploit secure remote access: To gain access to networks, Chinese threat actors utilize seven different vulnerabilities, many of which also provide credentials that can be used to spread further on the network.

 


    CVE-2019-11510 - A Pulse Secure VPN vulnerability that allows an unauthenticated attacker to gain access to VPN credentials.

    CVE-2020-5902 - An F5 BIG-IP proxy / load balancer remote code execution vulnerability.

    CVE-2019-19781 - A Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability, which can lead to remote code execution without credentials.

    CVE-2020-8193 - Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP vulnerability allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.

    CVE-2020-8195 - Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP vulnerability allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.

    CVE-2020-8196 - Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP vulnerability allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.

    CVE-2019-0708 - The Windows BlueKeep Remote Desktop Service vulnerability allows unauthenticated users to perform remote code execution.

 
Exploit Mobile Device Management (MDM): By compromising MDM servers, threat actors can push out malicious mobile apps or change device configurations that send traffic through attacker-controlled proxy servers or hosts.

 
    CVE-2020-15505 - A remote code execution vulnerability in the MobileIron mobile device management (MDM)

 

Exploit Active Directory for Lateral Movement and Credential Access:


    CVE-2020-1472 - The critical 10/10 Windows ZeroLogon Netlogon elevation of privilege vulnerability allows threat actors to quickly gain access to domain administrator credentials on a domain controller. From there, they can harvest sensitive data or deploy malware, such as ransomware.

    CVE-2019-1040 - A Windows NTLM vulnerability allows attackers to reduce the built-in security for the Windows operating system.

 

Exploit public-facing servers: Attackers use these vulnerabilities to bypass authentication in web servers, email servers, or DNS to remotely execute commands on the internal network. For compromised web servers, attackers can utilize them in watering-hole attacks to target future visitors.

 

    CVE-2020-1350 - The Windows DNS server SigRed vulnerability allows attackers to spread laterally through a network.

    CVE-2018-6789 - An Exim mail server vulnerability allows unauthenticated, remote code execution.

    CVE-2018-4939 - Adobe ColdFusion vulnerability that could lead to arbitrary code execution.

 

Exploit internal servers: These vulnerabilities are used to spread laterally throughout a network and gain access to internal servers, where the attackers can steal valuable data.


    CVE-2020-0688 - A Microsoft Exchange vulnerability that allows authenticated users to perform remote code execution.

    CVE-2015-4852 - The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object.

    CVE-2020-2555 - A vulnerability exists in the Oracle® Coherence product of Oracle Fusion® Middleware. This easily exploitable

    CVE-2019-3396 - A server-side template injection vulnerability is present in the Widget Connector in Atlassian Confluence servers that allows remote attackers to perform remote code execution and path traversal.

    CVE-2019-11580 - Attackers who can send requests to an Atlassian® Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, permitting remote code execution. This vulnerability was used in GandCrab ransomware attacks in the past.

    CVE-2020-10189 - Zoho ManageEngine Desktop Central vulnerability allows remote code execution. This bug was used in attacks to deploy backdoors.

    CVE-2019-18935 - A vulnerability in Telerik UI for ASP.NET AJAX can lead to remote code execution. It was seen used by a hacker group named 'Blue Mockingbird' to install Monero miners on vulnerable servers but could be used to spread laterally as well.

 

Exploit user workstations for local privilege escalation: When an attacker gains access to a workstation, their ultimate goal is to gain administrative credentials or privileges. Using these vulnerabilities, a hacker can elevate their privileges to SYSTEM or administrator access.

 

    CVE-2020-0601 - A Windows CryptoAPI Spoofing vulnerability discovered by the NSA allows attackers to spoof code-signing certificates to make malicious executables appear to be signed by a legitimate trusted company.

    CVE-2019-0803 - An elevation of privilege vulnerability exists in Windows® when the Win32k component fails to properly handle objects in memory.

 

Exploit network devices: This final bucket of vulnerabilities allows attackers to monitor and modify network traffic as it flows over the device.

 

    CVE-2017-6327 - The Symantec Messaging Gateway can encounter a remote code execution issue.

    CVE-2020-3118 - A Cisco 'CDPwn' vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow remote code execution.

    CVE-2020-8515 - DrayTek Vigor devices enable remote code execution as root (without authentication) via shell metacharacters.

 
As Chinese state-sponsored hackers have been seen utilizing a combination of these vulnerabilities, it is strongly advised that all administrators patch them as soon as possible.

 
source: https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/

 
