Chinese Cybergangs: The Most-Attacked Vulnerabilities


US cyber security agencies have published a list of the vulnerabilities currently most often attacked by Chinese cyber gangs.

In a joint report, the US authorities National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have compiled a list of the security vulnerabilities most frequently attacked by Chinese state-sponsored cybergangs since 2020. State-directed cyber actors continue to target known vulnerabilities in US and allied networks, as well as software and hardware manufacturers, to steal intellectual property and gain access to sensitive networks. The NSA, CISA and FBI urge government and private sector organizations to apply the known, available countermeasures.

The authorities continue to rank China's state-sponsored cyber activities among the greatest and most dynamic threats to US government and civilian networks. Chinese cyber actors target government and critical infrastructure networks with a growing number of new and adapted techniques, some of which pose a significant risk to IT sector organizations, telecom providers, defense industrial base organizations and other critical infrastructure operators.

The state-controlled cybergangs exploit known vulnerabilities and, among other things, use publicly available tools to attack networks of interest. They exploit the security gaps and then establish themselves in the compromised networks.

The vulnerabilities most often targeted by Chinese cybercriminals, in descending order:

| Vendor / product | CVE | Vulnerability type |
|---|---|---|
| Apache Log4j | CVE-2021-44228 | Remote code execution |
| Pulse Connect Secure | CVE-2019-11510 | Arbitrary file read |
| GitLab CE/EE | CVE-2021-22205 | Remote code execution |
| Atlassian | CVE-2022-26134 | Remote code execution |
| Microsoft Exchange | CVE-2021-26855 | Remote code execution |
| F5 BIG-IP | CVE-2020-5902 | Remote code execution |
| VMware vCenter Server | CVE-2021-22005 | Arbitrary file upload |
| Citrix ADC | CVE-2019-19781 | Path traversal |
| Cisco HyperFlex | CVE-2021-1497 | Command line execution |
| Buffalo ESC | CVE-2021-20090 | Relative path traversal |
| Atlassian Confluence Server and Data Center | CVE-2021-26084 | Remote code execution |
| Hikvision web server | CVE-2021-36260 | Command injection |
| Sitecore XP | CVE-2021-42237 | Remote code execution |
| F5 BIG-IP | CVE-2022-1388 | Remote code execution |
| Apache | CVE-2022-24112 | Authentication bypass by spoofing |
| ZOHO | CVE-2021-40539 | Remote code execution |
| Microsoft | CVE-2021-26857 | Remote code execution |
| Microsoft | CVE-2021-26858 | Remote code execution |
| Microsoft | CVE-2021-27065 | Remote code execution |
| Apache HTTP Server | CVE-2021-41773 | Path traversal |

The attackers use virtual private networks (VPNs) to conceal their activities. They direct their attacks primarily against web applications in order to gain initial access. Many of the CVEs listed in the table allow malicious actors to gain unauthorized access to sensitive networks without being noticed. From there they typically try to establish a foothold and spread further within the network and into other connected networks.

At the end of the report, the US authorities list the individual vulnerabilities together with possible countermeasures. IT managers should go through the list and check whether any of these services are still running unpatched in their own network. Most recently, in April of this year, the cyber security authorities published an overview of the vulnerabilities most frequently exploited in attacks in the previous year across all actors. Administrators should go through that list as well.
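As a starting point for the check recommended above, here is an added example (not code from the article or from the agencies' report) that cross-references a service inventory against the table's vendor/product names and CVE ids and orders the hits for remediation: internet-facing services first, then by vulnerability class. The hostnames and product strings in the inventory are constructed sample data. Matching is by product-name tokens only; the page gives no affected version ranges, so every hit is a review item to confirm against the vendor advisory, and the vendor-only rows of the table ("Microsoft", "Apache", "ZOHO") will match any product of that vendor.

```python
"""Cross-reference a service inventory against the advisory's CVE table.

Vendor/product names, CVE ids and vulnerability classes are the rows of the
table in the article above. The inventory below is constructed sample data.
Output is a review list, not a confirmed-vulnerable list: affected version
ranges are not on the page and must be checked per vendor advisory.
"""
import re
from dataclasses import dataclass

ADVISORY_CVES = [
    ("Apache Log4j", "CVE-2021-44228", "Remote code execution"),
    ("Pulse Connect Secure", "CVE-2019-11510", "Arbitrary file read"),
    ("GitLab CE/EE", "CVE-2021-22205", "Remote code execution"),
    ("Atlassian", "CVE-2022-26134", "Remote code execution"),
    ("Microsoft Exchange", "CVE-2021-26855", "Remote code execution"),
    ("F5 BIG-IP", "CVE-2020-5902", "Remote code execution"),
    ("VMware vCenter Server", "CVE-2021-22005", "Arbitrary file upload"),
    ("Citrix ADC", "CVE-2019-19781", "Path traversal"),
    ("Cisco HyperFlex", "CVE-2021-1497", "Command line execution"),
    ("Buffalo ESC", "CVE-2021-20090", "Relative path traversal"),
    ("Atlassian Confluence Server and Data Center", "CVE-2021-26084", "Remote code execution"),
    ("Hikvision web server", "CVE-2021-36260", "Command injection"),
    ("Sitecore XP", "CVE-2021-42237", "Remote code execution"),
    ("F5 BIG-IP", "CVE-2022-1388", "Remote code execution"),
    ("Apache", "CVE-2022-24112", "Authentication bypass by spoofing"),
    ("ZOHO", "CVE-2021-40539", "Remote code execution"),
    ("Microsoft", "CVE-2021-26857", "Remote code execution"),
    ("Microsoft", "CVE-2021-26858", "Remote code execution"),
    ("Microsoft", "CVE-2021-27065", "Remote code execution"),
    ("Apache HTTP Server", "CVE-2021-41773", "Path traversal"),
]

# Lower rank = remediate first. Classes that hand the attacker code or command
# execution outrank those that only upload, read or expose files.
IMPACT_RANK = {
    "remote code execution": 0,
    "command injection": 0,
    "command line execution": 0,
    "arbitrary file upload": 1,
    "authentication bypass by spoofing": 1,
    "path traversal": 2,
    "relative path traversal": 2,
    "arbitrary file read": 2,
}

# Words that carry no product identity; dropped before matching.
GENERIC_TOKENS = {"and", "server", "data", "center", "ce", "ee", "web"}


@dataclass(frozen=True)
class Service:
    host: str
    product: str          # free-text product string as found in the inventory
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    cve: str
    vuln_type: str
    internet_facing: bool


def _tokens(name: str) -> set:
    """Lower-case word set of a product string, minus generic words."""
    cleaned = re.sub(r"[/(),]", " ", name.lower())
    return {t for t in cleaned.split() if t not in GENERIC_TOKENS}


def match_cves(service: Service) -> list:
    """Advisory rows whose product tokens all occur in the service's product string.

    Vendor-only rows ("Microsoft", "Apache", "ZOHO") therefore match every
    product of that vendor; treat those hits as 'confirm manually'.
    """
    svc = _tokens(service.product)
    return [(cve, vtype) for product, cve, vtype in ADVISORY_CVES
            if _tokens(product) <= svc]


def triage(inventory: list) -> list:
    """Findings ordered: internet-facing first, then impact class, host, CVE."""
    findings = [
        Finding(s.host, s.product, cve, vtype, s.internet_facing)
        for s in inventory
        for cve, vtype in match_cves(s)
    ]
    return sorted(findings, key=lambda f: (not f.internet_facing,
                                            IMPACT_RANK.get(f.vuln_type.lower(), 3),
                                            f.host, f.cve))


# Constructed sample inventory (hostnames and products are made up).
SAMPLE_INVENTORY = [
    Service("vpn-gw-01", "Pulse Connect Secure 9.1", True),
    Service("mail-01", "Microsoft Exchange Server 2019", True),
    Service("wiki-01", "Atlassian Confluence Server 7.12", True),
    Service("web-01", "Apache HTTP Server 2.4", True),
    Service("build-01", "GitLab EE 13.10", False),
    Service("cam-07", "Hikvision web server (IP camera)", False),
    Service("dev-02", "nginx 1.20", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        exposure = "INTERNET" if f.internet_facing else "internal"
        print(f"{exposure:8} {f.host:10} {f.cve:15} {f.vuln_type:34} {f.product}")
```

Run as a script it prints the review list for the sample inventory; in practice, feed `triage()` the output of your asset inventory or scanner export. The Exchange host shows why the vendor-only rows over-match: "Microsoft Exchange Server 2019" picks up CVE-2021-26855 plus the three rows listed only as "Microsoft", which is the intended conservative behaviour for a first pass.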