Long-standing vulnerabilities in popular consumer and home office Wi-Fi routers made by the likes of Cisco, D-Link, Netgear and ZyXel are being routinely exploited by threat actors backed by the Chinese government as a means to compromise the wider telco networks behind them, according to an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) and its partners at the FBI and NSA.
In the advisory, the authorities explain how China-sponsored actors readily exploit routers and other devices such as network attached storage (NAS) devices to serve as access points that they can use to route command and control (C2/C&C) traffic and conduct intrusions on other identities.
“Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of internet-facing services and endpoint devices,” the agency said in its advisory.
CISA said these actors typically conduct their intrusions through servers or “hop points” from China-based IP addresses that resolve to various Chinese ISPs. Most usually they obtain these by leasing them from hosting providers. These are used to register and access operational email accounts, host C2 domains, and interact with their target networks. They also serve as a useful obfuscator when doing so.
The agencies warned the groups behind these intrusions are consistently evolving and adapting their tactics, techniques and procedures (TTPs), and have even been observed monitoring the activity of network defenders and changing things up on the fly to outwit them. They also mix their customised tools with publicly available ones – notably ones native to their target environments – to blend in, and are quick to modify their infrastructure and toolsets if information on their campaigns becomes public.
Many of the vulnerabilities used are well-known ones, some of them dating back four years or more. They include CVE-2018-0171, CVE-2019-1652, CVE-2019-15271, all…