China using top consumer routers to hack Western comms networks

An advisory from US cyber authorities shares details of multiple vulnerabilities exploited by Chinese state actors to hack into Western telecoms networks

Long-standing vulnerabilities in popular consumer and home office Wi-Fi routers made by the likes of Cisco, D-Link, Netgear and ZyXel are being routinely exploited by threat actors backed by the Chinese government as a means to compromise the wider telco networks behind them, according to an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) and its partners at the FBI and NSA.

In the advisory, the authorities explain how China-sponsored actors readily exploit routers and other devices such as network attached storage (NAS) devices to serve as access points that they can use to route command and control (C2/C&C) traffic and conduct intrusions on other identities.

“Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of internet-facing services and endpoint devices,” the agency said in its advisory.

CISA said these actors typically conduct their intrusions through servers or “hop points” from China-based IP addresses that resolve to various Chinese ISPs. Most usually they obtain these by leasing them from hosting providers. These are used to register and access operational email accounts, host C2 domains, and interact with their target networks. They also serve as a useful obfuscator when doing so.

The agencies warned the groups behind these intrusions are consistently evolving and adapting their tactics, techniques and procedures (TTPs), and have even been observed monitoring the activity of network defenders and changing things up on the fly to outwit them. They also mix their customised tools with publicly available ones – notably ones native to their target environments – to blend in, and are quick to modify their infrastructure and toolsets if information on their campaigns becomes public.

Many of the vulnerabilities used are well-known ones, some of them dating back four years or more. They include CVE-2018-0171, CVE-2019-1652, CVE-2019-15271, all remote code execution (RCE) bugs in Cisco hardware; CVE-2019-16920, an RCE vulnerability in D-Link hardware; CVE-2017-6682, another RCE vulnerability in Netgear products; and CVE-2020-29583, an authentication bypass vulnerability in Zyxel kit.

Products from DrayTek, Fortinet, MikroTik, Pulse and QNAP are also highlighted as vulnerable in the advisory. Included in the list is CVE-2019-19781, the infamous RCE flaw in Citrix Application Delivery Controller and Gateway products, which caused chaos when it was discovered in 2019 and to this day remains one of the most popularly exploited vulnerabilities by malicious actors.

Given this rapid evolution, CISA is advising defenders to ensure their systems and products are kept updated and patched at all times, as well as enforcing multifactor authentication (MFA) for all users and in particular, given the exploitation of home devices, on VPN connections used by remote users. The full guidance can be read in the advisory here.

ESET global cyber security advisor Jake Moore commented: “Access to telecommunication networks allows more extensive attacks to be elevated from the given platform. Once on board, attackers can target other networks and cause serious damage. Advanced persistent threat groups are increasing in power and sophistication and such targets remain under fire, acting as a hub of potential lines of further attack.

“Reducing lateral movement by taking particular networks offline to segregate them helps mitigate the sideways attacks plus bolstering logon methods to include more robust multifactor authentication also helps reduce this risk.”