Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
On October 20, the National Security Agency (NSA) published a detailed security advisory to warn organizations about Chinese state-sponsored "cyber actors" exploiting known vulnerabilities. The advisory offers mitigation and patching strategies for network defenders and notes that internet-facing assets like remote access tools and external web services are key targets for threat actors. The advisory includes a non-exhaustive list of 25 CVEs actively being used by the state-sponsored attackers. While the NSA alert focused primarily on National Security Systems, it ends with a broader warning, "Due to the various systems and networks that could be impacted by the information in this product [the NSA alert] outside of these sectors, NSA recommends that the CVEs above be prioritized for action by all network defenders."
Just two days later, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory with the Federal Bureau of Investigation (FBI) warning about Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. According to the alert, identified as AA20-296A, the attackers are leveraging five publicly known vulnerabilities in attacks. Three of the five vulnerabilities listed in this advisory were also in the NSA alert. The analysis from the report states that the malicious actors are using user or administrative credentials to access the network, then using lateral movement to locate and exfiltrate high-value data including:
- Sensitive network configurations and passwords.
- Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
- IT instructions, such as requesting password resets.
- Vendors and purchasing information.
- Printing access badges.
As both of these advisories note, attackers are leveraging publicly known vulnerabilities. These notices are the latest in a series of alerts this year from government agencies warning about threat actors leveraging known vulnerabilities with patches available.
For more information about the vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.