US claims China-backed hackers target vulnerable telco gear

The US government has warned that Chinese state-sponsored hackers are finding their way into major telco and IT networks.

Nick Wood

June 8, 2022



A joint advisory (PDF) from the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the FBI explains how attackers are using a variety of techniques to exploit publicly-known vulnerabilities in equipment, allowing them to establish a broad network of compromised infrastructure. This has left a wide range of public and private sector organisations vulnerable to attack.

“Since 2020, People’s Republic of China (PRC) state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities, also known as common vulnerabilities and exposures (CVEs),” the advisory reads.

CVEs come in different flavours. Some enable attackers to bypass authentication or set their own access privileges, while others allow for remote code execution (RCE), giving attackers the ability to run malicious code on compromised equipment.

“This technique has allowed the actors to gain access into victim accounts using publicly available exploit code against virtual private network (VPN) services or public facing applications – without using their own distinctive or identifying malware – so long as the actors acted before victim organisations updated their systems,” said the agencies.

Open-source tools like RouterSploit and RouterScan can identify the makes, models and known vulnerabilities of various routers from the likes of Cisco, Citrix, Juniper, Netgear and QNAP, giving hackers an opportunity to gain a foothold in a victim’s network. The agencies note that hackers often combine these with their own proprietary tools in order to obscure their activity.

Once inside, they go about gaining access to the requisite high-value account credentials that enable them to execute router commands that surreptitiously capture and send data traffic to the hacker’s own network.

Intrusions are usually carried out from compromised servers. These so-called hop points have Chinese IP addresses linked to various Chinese ISPs.

“The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers,” the agencies explain. “They use these servers to register and access operational email accounts, host C2 (command and control) domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.”

It’s interesting how there is no mention of Huawei in this advisory. It’s almost as if Beijing-backed hackers, determined to compromise their enemies’ networks, don’t require the use of a mysterious ‘back door’ from a Chinese network equipment provider. Vendors and their sometimes questionable code do all the hard work for them.

One could go further and argue that maybe, just maybe, the PRC urging Huawei to give cyber attackers a route into western enterprise and telecoms networks would have been a bit obvious. It’s almost as if the whole Huawei security panic was orchestrated to fan the flames of Washington’s trade war with Beijing. It seems the vendors we should have had our (five) eyes on all along are much closer to home.

Anyway, the US agencies recommend several mitigation methods to help enterprises and telcos counter the threat. They are all fairly common-sense techniques, such as using multi-factor authentication, implementing strict password requirements, and keeping systems updated and patched.

They also recommend disabling unused or unnecessary network services, ports, protocols, and devices, isolating devices suspected of being compromised, and segmenting networks to prevent lateral movement. In addition, admins should also maintain logs of Internet-facing services to monitor for suspicious activity, and similarly keep records of infrastructure accesses, configuration changes, and critical infrastructure services that perform authentication, authorisation and accounting functions.
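As an added illustration of the logging recommendation above (not code from the advisory or from any vendor), the following script reviews a few constructed router syslog lines and flags logins and configuration changes that did not originate from an assumed management network. The log format and the 10.20.0.0/16 management range are assumptions for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines; the message shapes loosely follow common
# network-device syslog but are not taken from any real device or incident.
SAMPLE_LOGS = """\
Jun 8 10:01:02 edge-rtr1 SEC_LOGIN: Login Success [user: netops] from 10.20.0.5
Jun 8 10:05:44 edge-rtr1 SEC_LOGIN: Login Success [user: admin] from 203.0.113.77
Jun 8 10:06:10 edge-rtr1 CONFIG_I: Configured from vty by admin on 203.0.113.77
Jun 8 10:07:30 edge-rtr1 SEC_LOGIN: Login failed [user: root] from 198.51.100.9
Jun 8 11:00:00 edge-rtr1 CONFIG_I: Configured from console by netops
"""

# Assumed management network from which interactive access is expected.
MGMT_NETS = [ip_network("10.20.0.0/16")]

LOGIN_RE = re.compile(r"SEC_LOGIN: Login (Success|failed) \[user: (\S+)\] from (\S+)")
CONFIG_RE = re.compile(r"CONFIG_I: Configured from (\S+) by (\S+)(?: on (\S+))?")


@dataclass
class Finding:
    reason: str
    user: str
    source: str
    line: str


def from_mgmt(addr: str) -> bool:
    """True if the address falls inside an allowed management network."""
    ip = ip_address(addr)
    return any(ip in net for net in MGMT_NETS)


def review_logs(text: str) -> list:
    """Return findings for logins and config changes worth a closer look."""
    findings = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            status, user, src = m.groups()
            if status == "Success" and not from_mgmt(src):
                findings.append(Finding("login from outside management network", user, src, line))
            elif status == "failed":
                findings.append(Finding("failed login", user, src, line))
            continue
        m = CONFIG_RE.search(line)
        if m:
            _via, user, src = m.groups()
            src = src or "console"  # console changes carry no source address
            if src != "console" and not from_mgmt(src):
                findings.append(Finding("config change from outside management network", user, src, line))
    return findings
```

Every configuration change is still worth recording; the script only prioritises the ones that arrive over the network from an unexpected address.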

Oh, and if someone claiming to be a prince emails to ask if you would like a share of their fortune, it’s probably best to give it a miss.


About the Author(s)

Nick Wood

Nick is a freelancer who has covered the global telecoms industry for more than 15 years. Areas of expertise include operator strategies; M&As; and emerging technologies, among others. As a freelancer, Nick has contributed news and features for many well-known industry publications. Before that, he wrote daily news and regular features as deputy editor of Total Telecom. He has a first-class honours degree in journalism from the University of Westminster.
