Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity

Through the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.

According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years.[1] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[2]

According to the indictment,

To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents’ names and extensions (e.g., from “.rar” to “.jpg”) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ “recycle bins.” The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders.

The continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.

MITRE PRE-ATT&CK® Framework for Analysis

In the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK® Framework TTPs.

Target Selection and Technical Information Gathering

Target Selection [TA0014] is a critical part of cyber operations. While cyber threat actors’ motivations and intents are often unknown, they often make their selections based on the target network’s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposure (CVE) database, and the National Vulnerabilities Database (NVD).[3][4][5]

  • Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.
  • The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.

These information sources have legitimate uses for network defense. CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.

While using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.

CISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (Technical Information Gathering [TA0015]).

Table 1: Technical information gathering techniques observed by CISA





Determine Approach/Attack Vector

The threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits.


Acquire Open Source Intelligence (OSINT) Data Sets and Information

CISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities.


Conduct Active Scanning

CISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices.

Technical Weakness Identification

CISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[6]

Additionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.

Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months



CVE-2020-5902: F5 Big-IP Vulnerability

CISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. This is a vulnerability in F5’s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[7]

CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances

CISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[8]

CVE-2019-11510: Pulse Secure VPN Servers

CISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances—to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[9]

CVE-2020-0688: Microsoft Exchange Server

CISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks.


Additionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (Technical Weakness Identification [TA0018]). 

Table 3: Technical weakness identification techniques observed by CISA





Analyze Architecture and Configuration Posture

CISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for known vulnerable network appliance CVE-2019-11510.


Research Relevant Vulnerabilities

CISA has observed the threat actors scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs.

Build Capabilities 

CISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (Build Capabilities [TA0024]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.

Table 4: Build capabilities observed by CISA





C2 Protocol Development

CISA observed beaconing from a Federal Government entity to the threat actors’ C2 server.


Buy Domain Name

CISA has observed the use of domains purchased by the threat actors.


Acquire and / or use of 3rd Party Infrastructure

CISA has observed the threat actors using virtual private servers to conduct cyber operations.


Obtain/Re-use Payloads

CISA has observed the threat actors use and reuse existing capabilities.


Build or Acquire Exploit

CISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks.

MITRE ATT&CK Framework for Analysis

CISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[10][11] Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.

During incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.

Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors



Cobalt Strike

CISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. It contains a number of tools that complement the cyber threat actor’s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers.

China Chopper Web Shell

CISA has observed the actors successfully deploying China Chopper against organizations’ networks. This open-source tool can be downloaded from internet software repositories such GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords.


CISA has observed the actors using Mimikatz during their operations. This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.[12]


The following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.

Initial Access 

In the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.

CISA has observed the threat actors using the Initial Access [TA0001] techniques identified in table 6.

Table 6: Initial access techniques observed by CISA





User Execution: Malicious Link

CISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent


Phishing: Spearphishing Link

CISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links.


Exploit Public-Facing Application

CISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers.


Cyber threat actors can continue to successfully launch these types of low-complexity attacks—as long as misconfigurations in operational environments and immature patch management programs remain in place—by taking advantage of common vulnerabilities and using readily available exploits and information.


CISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.

CISA has observed Chinese MSS-affiliated actors using the Execution [TA0002] technique identified in table 7.

Table 7: Execution technique observed by CISA





Software Deployment Tools

CISA observed activity from a Federal Government IP address beaconing out to the threat actors’ C2 server, which is usually an indication of compromise.

Credential Access 

Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.

CISA has observed Chinese MSS-affiliated actors using the Credential Access [TA0006] techniques highlighted in table 8.

Table 8: Credential access techniques observed by CISA





Operating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory

CISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool.


Brute Force: Credential Stuffing

CISA observed what was likely a brute-force attack of a Remote Desktop Protocol on a public-facing server.


As with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable—there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques. CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (Discovery [TA0007]).

Table 9: Discovery technique observed by CISA





Network Service Scanning

CISA has observed suspicious network scanning activity for various ports at Federal Government entities.


Within weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the Collection [TA0009] technique listed in table 10.

Table 10: Collection technique observed by CISA





Email Collection

CISA observed the actors targeting CVE-2020-0688 to collect emails from the exchange servers found in Federal Government environments.

Command and Control 

CISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, “The Onion Router” (Tor) is often used by cyber threat actors for anonymity and C2. Actor’s carefully choose proxy tools depending on their intended use. These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.

CISA has observed Chinese MSS-affiliated actors using the Command and Control [TA0011] techniques listed in table 11.

Table 11: Command and control techniques observed by CISA





Proxy: External Proxy

CISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses.


Proxy: Multi-hop Proxy

CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems.


Encrypted Channel: Asymmetric Cryptography

CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems.


Iran-Based Threat Actor Exploits VPN Vulnerabilities

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.

This Advisory provides the threat actor’s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.

Click here for a PDF version of this report.

CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.

After gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor’s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.

CISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.

Table 1 illustrates some of the common tools this threat actor has used.

Table 1: Common exploit tools



ChunkyTuna web shell

ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data.

Tiny web shell

Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic.

China Chopper web shell

China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords.
FRPC FRPC is a modified version of the open-source FRP tool. It allows a system—inside a router or firewall providing Network Address Translation—to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence.
Chisel Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network.
ngrok ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS.
Nmap Nmap is used for vulnerability scanning and network discovery.
Angry IP Scanner Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc.
Drupwn Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices.

Notable means of detecting this threat actor:

  • CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.
  • The threat actor uses FRPC over port 7557.
  • Malware Analysis Report MAR-10297887-1.v1 details some of the tools this threat actor used against some victims.

The following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.




MITRE ATT&CK Framework

Initial Access

As indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. From there, the threat actor used the Citrix environment to establish a presence on an internal network server.

Table 2: Initial access techniques





Exploit Public-Facing Application The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902.


After gaining initial access, the threat actor began executing scripts, as shown in table 3.

Table 3: Execution techniques





Command and Scripting Interpreter: PowerShell A PowerShell script (keethief and kee.ps1) was used to access KeePass data.


Command and Scripting Interpreter: Windows Command Shell cmd.exe was launched via sticky keys that was likely used as a password changing mechanism.


CISA observed the threat actor using the techniques identified in table 4 to establish persistence.

Table 4: Persistence techniques





Scheduled Task/Job: Cron The threat actor loaded a series of scripts to cron and ran them for various purposes (mainly to access NetScaler web forms).


Scheduled Task/Job: Scheduled Task The threat actor installed and used FRPC (frpc.exe) on both NetScaler and internal devices. The task was named lpupdate and the binary was named svchost, which was the reverse proxy. The threat actor executed this command daily.


Server Software Component: Web Shell The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna.


Event Triggered Execution: Accessibility Features The threat actor used sticky keys (sethc.exe) to launch cmd.exe.

Privilege Escalation

CISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.

Defense Evasion

CISA observed the threat actor using the techniques identified in table 5 to evade detection.

Table 5: Defensive evasion techniques





Obfuscated Files or Information: Software Packing The threat actor used base64 encoding for payloads on NetScaler during initial access, making the pre-compiled payloads easier to avoid detection.


Obfuscated Files or Information: Compile After Delivery The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection.


Masquerading: Masquerade Task or Service The threat actor used FRPC (frpc.exe) daily as reverse proxy, tunneling RDP over TLS. The FRPC (frpc.exe) task name was lpupdate and ran out of Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok.


Masquerading: Match Legitimate Name or Location The FRPC (frpc.exe) binary name was svchost, and the configuration file was dllhost.dll, attempting to masquerade as a legitimate Dynamic Link Library.


Indicator Removal on Host: File Deletion To minimize their footprint, the threat actor ran ./httpd-nscache_clean every 30 minutes, which cleaned up files on the NetScaler device.

Credential Access

CISA observed the threat actor using the techniques identified in table 6 to further their credential access.

Table 6: Credential access techniques





OS Credential Dumping: LSASS Memory The threat actor used procdump to dump process memory from the Local Security Authority Subsystem Service (LSASS).


OS Credential Dumping: Windows NT Directory Services (NTDS) The threat actor used Volume Shadow Copy to access credential information from the NTDS file.


Unsecured Credentials: Credentials in Files The threat actor accessed files containing valid credentials.


Credentials from Password Stores The threat actor accessed a KeePass database multiple times and used kee.ps1 PowerShell script.


Steal or Forge Kerberos Tickets The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account.


CISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.

Table 7: Discovery techniques





Remote System Discovery The threat actor used Angry IP Scanner to detect remote systems.


File and Directory Discovery The threat actor used WizTree to obtain network files and directory listings.


Account Discovery The threat actor accessed ntuser.dat and UserClass.dat and used Softerra LDAP Browser to browse documentation for service accounts.


Browser Bookmark Discovery The threat actor used Google Chrome bookmarks to find internal resources and assets.

Lateral Movement

CISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.

Table 8: Lateral movement techniques





Remote Services The threat actor used RDP with valid account credentials for lateral movement in the environment.


Remote Services: Remote Desktop Protocol The threat actor used RDP to log in and then conduct lateral movement.


Remote Services: SMB/Windows Admin Shares The threat actor used PsExec. and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares.


Remote Services: SSH The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink were used for encrypted sessions in the system registry hive. 


Remote Services: Virtual Network Computing (VNC) The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as lateral movement tool.


Remote Service Session Hijacking: RDP Hijacking The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment.


CISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.

Table 9: Collection techniques





Data from Local System The threat actor searched local system sources to accessed sensitive documents.


Data from Network Shared Drive The threat actor searched network shares to access sensitive documents.


Data from Information Repositories The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information.


Data from Cloud Storage Object The threat actor obtained files from the victim cloud storage instances.


Archive Collected Data: Archive via Utility The threat actor used 7-Zip to archive data.

Command and Control

CISA observed the threat actor using the techniques identified in table 10 for command and control (C2).

Table 10: Command and control techniques





Application Layer Protocol: Web Protocols The threat actor used various web mechanisms and protocols, including the web shells listed in table 1.


Ingress Tool Transfer The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes.


Protocol Tunneling The threat actor used FRPC.exe to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling.


CISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.


CISA and FBI recommend implementing the following recommendations.

  • If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert AA20-031A.
  • This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.
  • If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest.
    • If compromised, rebuild/reimage compromised NetScaler devices.
  • Routinely audit configuration and patch management programs.
  • Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
  • Implement multi-factor authentication, especially for privileged accounts.
  • Use separate administrative accounts on separate administration workstations.
  • Implement the principle of least privilege on data access.
  • Secure RDP and other remote access solutions using multifactor authentication and “jump boxes” for access.
  • Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.
  • Keep software up to date.


AA20-133A: Top 10 Routinely Exploited Vulnerabilities

Original release date: May 12, 2020


The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.

This alert provides details on vulnerabilities routinely exploited by foreign cyber actors—primarily Common Vulnerabilities and Exposures (CVEs)[1]—to help organizations reduce the risk of these foreign threats.

Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.

The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.

For indicators of compromise (IOCs) and additional guidance associated with the CVEs in this Alert, see the each entry within the Mitigations section below. Click here for a PDF version of this report.

Technical Details

Top 10 Most Exploited Vulnerabilities 2016–2019

U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.

  • According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. After OLE the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts.
  • Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft’s OLE technology.
  • As of December 2019, Chinese state cyber actors were frequently exploiting the same vulnerability—CVE-2012-0158—that the U.S. Government publicly assessed in 2015 was the most used in their cyber operations.[2] This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective.
  • Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time.
  • A U.S. industry study released in early 2019 similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies.[3]  Four of the industry study’s top 10 most exploited flaws also appear on this Alert’s list, highlighting how U.S. Government and private-sector data sources may complement each other to enhance security.

Vulnerabilities Exploited in 2020

In addition to the top 10 vulnerabilities from 2016 to 2019 listed above, the U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:

  • Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities.
    • An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.
    • An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.
  • March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack.
  • Cybersecurity weaknesses—such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans—have continued to make organizations susceptible to ransomware attacks in 2020.


This Alert provides mitigations for each of the top vulnerabilities identified above. In addition to the mitigations listed below, CISA, FBI, and the broader U.S. Government recommend that organizations transition away from any end-of-life software.

Mitigations for the Top 10 Most Exploited Vulnerabilities 2016–2019

Note: The lists of associated malware corresponding to each CVE below is not meant to be exhaustive but instead is intended to identify a malware family commonly associated with exploiting the CVE. 


  • Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
  • Associated Malware: Loki, FormBook, Pony/FAREIT
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail:
  • IOCs:


  • Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
  • Associated Malware: FINSPY, LATENTBOT, Dridex
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail:
  • IOCs:,,


  • Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before
  • Associated Malware: JexBoss
  • Mitigation: Upgrade to Struts 2.3.32 or Struts
  • More Detail:


  • Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
  • Associated Malware: Dridex
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail:
  • IOCs:,,,,,


  • Vulnerable Products: Microsoft SharePoint
  • Associated Malware: China Chopper
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail:


  • Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
  • Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail:


  • Vulnerable Products: Adobe Flash Player before
  • Associated Malware: DOGCALL
  • Mitigation: Update Adobe Flash Player installation to the latest version
  • More Detail:
  • IOCs:


  • Vulnerable Products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
  • Associated Malware: FINSPY, FinFisher, WingBird
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail:  
  • IOCs:


  • Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
  • Associated Malware: Toshliph, UWarrior
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail:
  • IOCs:


  • Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
  • Associated Malware: Kitty
  • Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.
  • More Detail:

Mitigations for Vulnerabilities Exploited in 2020


  • Vulnerable Products: Pulse Connect Secure 9.0R1 – 9.0R3.3, 8.3R1 – 8.3R7, 8.2R1 – 8.2R12, 8.1R1 – 8.1R15 and Pulse Policy Secure 9.0R1 – 9.0R3.1, 5.4R1 – 5.4R7, 5.3R1 – 5.3R12, 5.2R1 – 5.2R12, 5.1R1 – 5.1R15
  • Mitigation: Update affected Pulse Secure devices with the latest security patches.
  • More Detail:


  • Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
  • Mitigation: Update affected Citrix devices with the latest security patches
  • More Detail:

Oversights in Microsoft O365 Security Configurations

  • Vulnerable Products: Microsoft O365
  • Mitigation: Follow Microsoft O365 security recommendations
  • More Detail: 

Organizational Cybersecurity Weaknesses

  • Vulnerable Products: Systems, networks, and data
  • Mitigation: Follow cybersecurity best practices
  • More Detail:

CISA’s Free Cybersecurity Services

Adversaries use known vulnerabilities and phishing attacks to compromise the security of organizations. CISA offers several free scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.

Cyber Hygiene: Vulnerability Scanning helps secure your internet-facing systems from weak configuration and known vulnerabilities. It also encourages organizations to adopt modern security best practices. CISA performs regular network and vulnerability scans and delivers a weekly report for your action. Once initiated, this service is mostly automated and requires little direct interaction. After CISA receives the required paperwork for Cyber Hygiene, our scans will start within 72 hours and you’ll begin receiving reports within two weeks.

Web Application Service checks your publicly accessible web sites for potential bugs and weak configurations. It provides a “snapshot” of your publicly accessible web applications and also checks functionality and performance in your application.
If your organization would like these services or want more information about other useful services, please email [email protected]

CISA Online Resources

The Patch Factory: CISA infographic depicting the global infrastructure for managing vulnerabilities.

CISA Alert: (AA20-120A) Microsoft Office 365 Security Recommendations: recommendations for organizations to review and ensure their O365 environment is configured to protect, detect, and respond against would-be attackers.

CISA’s Cyber Essentials: a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.

Contact Information

If you have any further questions related to this Joint Alert, please contact the FBI at either your local Cyber Task Force or FBI CyWatch.

  • You can find your local field offices at
  • CyWatch can be contacted through e-mail at [email protected] or by phone at 1-855-292-3937

To request incident response resources or technical assistance related to these threats, contact CISA at [email protected]



  • [1] Cybersecurity Vulnerabilities and Exposures (CVE) list
  • [2] CISA Alert (TA15-119A). Top 30 Targeted High Risk Vulnerabilities. (2016, September 29)
  • [3] Recorded Future. 2019 Vulnerability Report: Cybercriminals Continue to Target Microsoft Products. (2020, February 4)


  • May 12, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Alerts

AA20-126A: APT Groups Target Healthcare and Essential Services

Original release date: May 5, 2020


This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

CISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations. This joint alert highlights ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses. It describes some of the methods these actors are using to target organizations and provides mitigation advice.

The joint CISA-NCSC Alert: (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors from April 8, 2020, previously detailed the exploitation of the COVID-19 pandemic by cybercriminals and APT groups. This joint CISA-NCSC Alert provides an update to ongoing malicious cyber activity relating to COVID-19. For a graphical summary of CISA’s joint COVID-19 Alerts with NCSC, see the following guide.

COVID-19-related targeting

APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.

APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.

The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.

Targeting of pharmaceutical and research organizations

CISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit. Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.

These organizations’ global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.

Recently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[1],[2] and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[3],[4]

COVID-19-related password spraying activity

CISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. These actors are using this type of attack to target healthcare entities in a number of countries—including the United Kingdom and the United States—as well as international healthcare organizations.

Previously, APT groups have used password spraying to target a range of organizations and companies across sectors—including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies.

Technical Details

Password spraying is a commonly used style of brute force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on. This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords.

Malicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. The actors will then “spray” the identified accounts with lists of commonly used passwords.

Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.

In previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization’s Global Address List (GAL). The actors then used the GAL to password spray further accounts.

NCSC has previously provided examples of frequently found passwords, which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often use passwords based on the month of the year, seasons, and the name of the company or organization.

CISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.


CISA and NCSC have previously published information for organizations on password spraying and improving password policy. Putting this into practice will significantly reduce the chance of compromise from this kind of attack.

  • CISA alert on password spraying attacks
  • CISA guidance on choosing and protecting passwords
  • CISA guidance on supplementing passwords
  • NCSC guidance on password spraying attacks
  • NCSC guidance on password administration for system owners
  • NCSC guidance on password deny lists

CISA’s Cyber Essentials for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT professionals to put that culture into action. Additionally, the UK government’s Cyber Aware campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.

A number of other mitigations will be of use in defending against the campaigns detailed in this report:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations. See CISA’s guidance on enterprise VPN security and NCSC guidance on virtual private networks for more information.
  • Use multi-factor authentication to reduce the impact of password compromises. See the U.S. National Cybersecurity Awareness Month’s how-to guide for multi-factor authentication. Also see NCSC guidance on multi-factor authentication services and setting up two factor authentication.
  • Protect the management interfaces of your critical operational systems. In particular, use browse-down architecture to prevent attackers easily gaining privileged access to your most vital assets. See the NCSC blog on protecting management interfaces.
  • Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions. See the NCSC introduction to logging security purposes.
  • Review and refresh your incident management processes. See the NCSC guidance on incident management.
  • Use modern systems and software. These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position. See the NCSC guidance on obsolete platform security.
  • Further information: Invest in preventing malware-based attacks across various scenarios. See CISA’s guidance on ransomware and protecting against malicious code. Also see the NCSC guidance on mitigating malware and ransomware attacks.

Contact Information

CISA encourages U.S. users and organizations to contribute any additional information that may relate to this threat by emailing [email protected]

The NCSC encourages UK organizations to report any suspicious activity to the NCSC via their website:


This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.


  • [1] CISA Alert: Detecting Citrix CVE-2019-19781
  • [2] NCSC Alert: Actors exploiting Citrix products vulnerability
  • [3] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability
  • [4] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide


  • May 5, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Alerts