China-linked threat actors have breached telcos and network service providers

Pierluigi Paganini June 08, 2022

China-linked threat actors have breached telecommunications companies and network service providers to spy on the traffic and steal data.

US NSA, CISA, and the FBI published a joint cybersecurity advisory to warn that China-linked threat actors have breached telecommunications companies and network service providers.

The nation-state actors exploit publicly known vulnerabilities to compromise the target infrastructure. 

The attackers also targeted Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices to use them as additional access points to route command and control (C2) traffic and midpoints to carry out attacks on other entities.

Below is top network device CVEs exploited by PRC nation-state actors since 2020:

Vendor                                       CVE                                  Vulnerability Type
CiscoCVE-2018-0171Remote Code Execution
FortinetCVE-2018-13382Authentication Bypass
MikroTikCVE-2018-14847Authentication Bypass
PulseCVE-2019-11510Authentication Bypass
QNAPCVE-2019-7192Privilege Elevation
CVE-2019-7193Remote Inject
CVE-2019-7194XML Routing Detour Attack
CVE-2019-7195XML Routing Detour Attack
ZyxelCVE-2020-29583Authentication Bypass

Chinese hackers employed open-source tools for reconnaissance and vulnerability scanning, according to the government experts, they have utilized open-source router specific software frameworks, RouterSploit and RouterScan [T1595.002], to identify vulnerable devices to target.

The RouterSploit Framework allows operators to scan for vulnerable embedded devices, while RouterScan allows for the scanning of IP addresses for vulnerabilities. Both tools could be used to target SOHO and other routers manufactured by major industry providers, including Cisco, Fortinet, and MikroTik.

“Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting. After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language (SQL) database [T1078] and utilized SQL commands to dump the credentials [T1555], which contained both cleartext and hashed passwords for user and administrative accounts.” reads the advisory published by the US agencies. “Having gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output [T1119].”

The agencies also provide a list of recommendations to mitigate and detect these attacks:

  • Keep systems and products updated and patched as soon as possible after patches are released [D3-SU] . Consider leveraging a centralized patch management system to automate and expedite the process.
  • Immediately remove or isolate suspected compromised devices from the network [D3-ITF] [D3-OTF].
  • Segment networks to limit or block lateral movement [D3-NI]. 
  • Disable unused or unnecessary network services, ports, protocols, and devices [D3-ACH] [D3-ITF] [D3-OTF]. 
  • Enforce multifactor authentication (MFA) for all users, without exception [D3-MFA]. 
  • Enforce MFA on all VPN connections [D3-MFA]. If MFA is unavailable, enforce password complexity requirements [D3-SPP]. 
  • Implement strict password requirements, enforcing password complexity, changing passwords at a defined frequency, and performing regular account reviews to ensure compliance [D3-SPP].
  • Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures. 
  • Disable external management capabilities and set up an out-of-band management network [D3-NI].
  • Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network [D3-NI].
  • Enable robust logging of Internet-facing services and monitor the logs for signs of compromise [D3-NTA] [D3-PM].
  • Ensure that you have dedicated management systems [D3-PH] and accounts for system administrators. Protect these accounts with strict network policies [D3-UAP].
  • Enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions [D3-PM]. 
  • Upon responding to a confirmed incident within any portion of a network, response teams should scrutinize network infrastructure accesses, evaluate potential lateral movement to network infrastructure and implement corrective actions commensurate with their findings.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, China-linked threat actors)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment