China Hacks Big Network Providers and Devices

CISA, the FBI and NSA have released yet another joint advisory, this time warning that China has infiltrated a broad group of public and private sector organizations.

They do this by attacking well known vulnerabilities that have not been patched in the infrastructure of major telecommunications companies and network service providers. The hackers also attack endpoints like SOHO routers and Network Attached Storage that are not patched. Sometimes it is as simple as the ISP using the same password everywhere and that password gets out into the wild.

This does not appear to be the vendors’ fault as there are patches available, just not installed.

Among the vendors being compromised are Cisco, Citrix, D-Link, Fortinet, Netgear and Pulse, among others.

Once they break in, they attack password databases, which allow them to expand their reach.

An additional problem is that there is a large amount of equipment that is still in use that is past end-of-life and hence is not being patched by the vendor.

The Chinese hackers are also setting up encrypted tunnels on the compromised systems to move the data to external servers, often in the country under attack, so the traffic does not stand out.

Even if you deploy patches after the attackers get in, that usually will not lock them out, so the process of removing their access is hard.

More information and recommendations are available here:

CISA, CISA and Bleeping Computer