CISA warns that foreign threat actors from China and Iran are routinely targeting unpatched vulnerabilities across government agencies and U.S.-based networks.
Background
On September 14 and September 15, the Cybersecurity and Infrastructure Security Agency (CISA) published two separate alerts detailing malicious activity from foreign threat actors:
- AA20-258A: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
- AA20-259A: Iran-based Threat Actor Exploits VPN Vulnerabilities
According to CISA, these foreign threat actors have been leveraging a number of unpatched vulnerabilities across a variety of networking devices and mail server software as part of a concerted effort to breach organizations. CISA has observed these attacks against federal government agencies and other networks based in the United States.
The table below contains the list of vulnerabilities mentioned in both alerts (with the exception of CVE-2019-11539, which appears only in AA20-259A):
CVE | Product | CVSSv3 | Tenable VPR* | Disclosed |
---|---|---|---|---|
CVE-2019-11510 | Pulse Connect Secure | 10.0 | 10 | Apr 2019 |
CVE-2019-11539 | Pulse Connect Secure | 7.2 | 9.6 | Apr 2019 |
CVE-2019-19781 | Citrix Application Delivery Controller and Gateway | 9.8 | 9.9 | Dec 2019 |
CVE-2020-0688 | Microsoft Exchange Server | 8.8 | 9.8 | Feb 2020 |
CVE-2020-5902 | F5 BIG-IP | 9.8 | 9.9 | Jul 2020 |
*Please note Tenable VPR scores are calculated nightly. This blog post was published on September 17 and reflects VPR at that time.
The vulnerabilities in these alerts were disclosed between April 2019 and July 2020. These threat actors are banking on the fact that organizations are slow to apply patches on these devices.
Analysis
CVE-2019-11510, CVE-2019-11539: Pulse Connect Secure Vulnerabilities
CISA reports that foreign threat actors in China and Iran are exploiting flaws in Pulse Connect Secure, a popular commercial virtual private network (VPN) solution. These vulnerabilities were originally patched back in April 2019. However, they began to garner more attention after researchers Orange Tsai and Meh Chang of the DEVCORE research team disclosed their findings for these vulnerabilities at the Black Hat and DEF CON conferences in August 2019. A proof of concept (PoC) was released for CVE-2019-11510, a pre-authentication arbitrary file disclosure vulnerability that can be used to read sensitive information from the Pulse Connect Secure device, including configuration settings. Soon after the release of the PoC, reports emerged that attackers had begun to exploit the flaw in the wild.
The Iran-based threat actor referenced in AA20-259A is also utilizing CVE-2019-11539, a post-authentication command injection vulnerability in the Pulse Connect Secure administrative web interface that could allow an attacker to inject and execute commands on the device. Because CVE-2019-11510 is a pre-authentication vulnerability that can be used to gather admin credentials, attackers are chaining it together with CVE-2019-11539 to obtain a root shell over Secure Shell (SSH) on the vulnerable device. Researchers Alyssa Herrera, Justin Wagner and Mimir published a blog post showing how this process works.
CVE-2019-11510 has become a popular tool in the attackers’ toolkit. In January 2020, reports emerged that the vulnerability had been used as part of the Sodinokibi ransomware attacks. CISA also included this vulnerability in its Top 10 Routinely Exploited Vulnerabilities alert in May as one of two vulnerabilities that were routinely exploited by foreign threat actors in 2020.
CVE-2019-19781: Citrix Directory Traversal Vulnerability
In December 2019, Citrix published an advisory for a directory traversal vulnerability in its Application Delivery Controller (ADC) and Gateway products. At the time, they did not provide a patch for the flaw.
A few weeks after disclosing this vulnerability, researchers began to observe attempts to exploit the flaw in the wild. Several researchers shared technical information in blog posts detailing the flaw, which ultimately led to the publication of exploit scripts. Soon after, attackers began to exploit the vulnerability en masse; patches did not become available until one month after its initial disclosure.
Just like CVE-2019-11510, CVE-2019-19781 was also included by CISA in its Top 10 Routinely Exploited Vulnerabilities alert.
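Both CVE-2019-11510 and CVE-2019-19781 let an unauthenticated client read files outside the intended web root, so the web access logs of the affected appliances are one place a defender can look for attempts. The detector below is an added example and is not code from this post or from Tenable: it parses constructed Common Log Format lines, canonicalizes each request path (repeated percent-decoding, backslash folding, query string dropped) and flags any request whose path contains a `..` segment. The log lines, addresses and paths are constructed for the example and are not the real request URIs for either CVE.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format. The addresses,
# paths and timestamps are made up for this example, not taken from any
# advisory or real exploit traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Sep/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [15/Sep/2020:10:01:05 +0000] "GET /app/../../../../etc/passwd HTTP/1.1" 200 1340
203.0.113.12 - - [15/Sep/2020:10:01:09 +0000] "GET /app/%2e%2e/%2e%2e/config.xml HTTP/1.1" 404 0
203.0.113.13 - - [15/Sep/2020:10:01:11 +0000] "GET /app/%252e%252e/secret HTTP/1.1" 404 0
203.0.113.14 - - [15/Sep/2020:10:01:15 +0000] "POST /login?user=a..b HTTP/1.1" 302 0
"""

# Client IP, timestamp, method, request path and response status from a CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw, rounds=3):
    """Percent-decode up to `rounds` times, stopping early once the string is
    stable, then fold backslashes to forward slashes. Single-pass decoding
    misses double-encoded sequences such as %252e%252e."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(path):
    """True when any segment of the decoded, query-less path is '..'.
    Matching on whole segments avoids flagging values like 'a..b'."""
    canonical = normalize_path(path.split("?", 1)[0])
    return any(segment == ".." for segment in canonical.split("/"))


def find_traversal(log_text):
    """Return (client_ip, raw_path, status) for every request that contains a
    traversal segment. A 2xx status on such a request is the one to triage
    first, since the server may actually have served the file."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        if has_traversal(match["path"]):
            hits.append((match["ip"], match["path"], int(match["status"])))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_traversal(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

Run against real logs, the only change needed is to read lines from the appliance's access log instead of `SAMPLE_LOG`; the decode loop is what catches the percent-encoded and double-encoded variants that a plain substring match for `../` would miss.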
CVE-2020-0688: Microsoft Exchange Server Static Key Flaw
In February 2020, Microsoft published an advisory for a severe vulnerability in Microsoft Exchange Server that was initially mislabeled as a memory corruption flaw. The vulnerability, identified as CVE-2020-0688, is a static key vulnerability in a component of Exchange Server called the Microsoft Exchange Control Panel (ECP).
A detailed breakdown of the flaw was published on the Zero Day Initiative blog, which clarified that exploitation would require the attacker to obtain valid user credentials for the targeted Exchange Server. This requirement was deemed “not a big hurdle” by security researcher Kevin Beaumont, who noted that open-source tools can be used to scrape LinkedIn pages for employee names, which can then be leveraged as part of credential stuffing attacks.
At the time, Beaumont also noted that organizations were “averaging in the years rather than months behind” patching their Microsoft Exchange Servers. Clearly that has proven to be valuable for foreign threat actors who have leveraged this flaw as part of their attacks.
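A static key is dangerous precisely because every installation shares it, so a fleet-wide check for that condition is worth having. The following is an added example, not code from this post, from Tenable or from Microsoft. It assumes the key lives in the ASP.NET `machineKey` element of `web.config` (where ASP.NET applications keep their validation and decryption keys), parses constructed config fragments collected from several hosts, and reports any validationKey/decryptionKey pair that appears on more than one host. The host names and key values are constructed and are not the real keys of any product.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments, as if collected from four servers.
# Host names and key values are made up for this example.
CONFIGS = {
    "mail01": """<configuration><system.web>
  <machineKey validationKey="A1A1A1A1" decryptionKey="B2B2B2B2" validation="SHA1" decryption="AES"/>
</system.web></configuration>""",
    "mail02": """<configuration><system.web>
  <machineKey validationKey="A1A1A1A1" decryptionKey="B2B2B2B2" validation="SHA1" decryption="AES"/>
</system.web></configuration>""",
    "mail03": """<configuration><system.web>
  <machineKey validationKey="C3C3C3C3" decryptionKey="D4D4D4D4" validation="SHA1" decryption="AES"/>
</system.web></configuration>""",
    "mail04": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"/>
</system.web></configuration>""",
}


def extract_machine_key(xml_text):
    """Return (validationKey, decryptionKey) from the first <machineKey>
    element, or None when the element is absent or set to AutoGenerate:
    keys the framework generates per machine are not a shared static secret."""
    root = ET.fromstring(xml_text)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return None
    pair = (mk.get("validationKey", ""), mk.get("decryptionKey", ""))
    if any(not value or value.startswith("AutoGenerate") for value in pair):
        return None
    return pair


def find_shared_keys(configs):
    """Group hosts by their explicit key pair. Any pair present on more than
    one host is a static key shared across installations, which is the
    condition that turns a static-key flaw into a fleet-wide problem."""
    hosts_by_key = defaultdict(list)
    for host, xml_text in configs.items():
        key = extract_machine_key(xml_text)
        if key is not None:
            hosts_by_key[key].append(host)
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    for (validation_key, decryption_key), hosts in find_shared_keys(CONFIGS).items():
        print(f"shared validationKey={validation_key} decryptionKey={decryption_key}: {', '.join(hosts)}")
```

A load-balanced web farm legitimately shares one key pair, so a hit is a prompt to confirm the pair was generated by your own team rather than shipped with the product; in that sense the check finds candidates, and the vendor advisory settles whether a given pair is the static one.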
CVE-2020-5902: F5 BIG-IP Unauthenticated Command Execution Vulnerability
At the end of June 2020, F5 published an advisory for CVE-2020-5902, a critical command execution vulnerability in its BIG-IP family of products. The vulnerability exists in the BIG-IP Configuration Utility, referred to as the Traffic Management User Interface (TMUI). To exploit the flaw, the TMUI would need to be exposed through a BIG-IP management port or Self IPs.
Ben Goerz, a senior manager of counter-threat management at Kimberly-Clark, tweeted that default configurations of BIG-IP devices are vulnerable to CVE-2020-5902 due to the usage of Self IPs. A senior security engineer at F5 confirmed in a tweet that while BIG-IP versions 11.5.2 and prior use Self IPs by default, this configuration no longer applies in BIG-IP versions 11.5.3 and later.
At the time, researcher Nate Warfield identified over 8,000 publicly accessible hosts with management ports exposed. Soon after its disclosure, reports emerged that threat actors were actively exploiting CVE-2020-5902. This vulnerability has proven to be a valuable commodity for both cybercriminals and foreign threat actors.
Unpatched vulnerabilities are a boon for cybercriminals and threat actors
The Top 10 Routinely Exploited Vulnerabilities alert highlights an important point: Threat actors do not need to spend capital obtaining or developing zero-day vulnerabilities, or burn the ones they already have, when unpatched vulnerabilities remain a consistent challenge for organizations. This challenge is reinforced by easy access to publicly available PoC and exploit scripts that attackers can repurpose as-is in order to breach organizations.
In June 2020, the Australian Cyber Security Centre published a report titled “Copy-Paste Compromises,” which details a concerted effort by foreign threat actors to target governments and organizations by copy-pasting PoC and exploit script code. Both CISA alerts highlight the exact same challenge: Readily accessible PoC and exploit scripts, and the presence of unpatched vulnerabilities, make it that much easier for cybercriminals and foreign threat actors to breach governments and organizations across the world.
Proof of concept
All of the vulnerabilities identified in the CISA alerts have had public PoC code and exploit scripts available soon after they were publicly disclosed. For many of the CVEs, multiple PoCs and exploit scripts have been published. We have shared a small subset of these in the table below:
CVE | Source URL |
---|---|
CVE-2019-11510 | GitHub |
CVE-2019-11510 | GitHub |
CVE-2019-11510 | GitHub |
CVE-2019-11539 | GitHub |
CVE-2019-19781 | GitHub |
CVE-2019-19781 | GitHub |
CVE-2019-19781 | GitHub |
CVE-2020-0688 | GitHub |
CVE-2020-0688 | GitHub |
CVE-2020-0688 | GitHub |
CVE-2020-5902 | GitHub |
CVE-2020-5902 | GitHub |
CVE-2020-5902 | GitHub |
Solution
With the exception of CVE-2019-19781, patches were made available for these vulnerabilities at the time the advisories were published. In the case of CVE-2019-19781, patches were not made available until one month after the initial advisory.
Please refer to the individual advisories below to determine which patch to apply for your specific device.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities can be found below:
Get more information
- CISA Alert AA20-258A
- CISA Alert AA20-259A
- CISA Top 10 Routinely Exploited Vulnerabilities
- Tenable Blog for CVE-2019-11510 and CVE-2019-11539
- Tenable Blog for CVE-2019-11510 Exploited in the Wild
- Tenable Blog for CVE-2019-11510 Used in Ransomware Attacks
- Tenable Blog for CVE-2019-19781
- Tenable Blog for CVE-2019-19781 Exploit Scripts
- Tenable Blog for CVE-2019-19781 Exploited in the Wild
- Tenable Blog for CVE-2020-0688
- Tenable Blog for CVE-2020-5902
- Tenable Blog for Copy-Paste Compromises