Three U.S. national security agencies — CISA, the FBI and the NSA — issued a joint advisory Thursday naming the 20 vulnerabilities most exploited by state-sponsored Chinese threat actors since 2020.
The list reads like a hit parade of recent security SNAFUs, with remote code executions like Log4j and Atlassian and a handful of Microsoft bugs topping the charts.
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) said they collectively assess the People’s Republic of China’s (PRC) state-sponsored cyber activities as “one of the largest and most dynamic threats” to U.S. government and civilian networks.
“NSA, CISA and FBI understand that PRC state-sponsored cyber actors have been actively targeting US and allied networks and software and hardware companies to steal intellectual property and gain access to sensitive networks,” added the authorities.
The threat actors use VPNs to obscure their locations and activities and break in through web-facing applications. Many of the listed vulnerabilities grant unauthorized access to sensitive networks, and once inside, the attackers can reach connected networks from that foothold.
The remedial actions recommended by CISA seem obvious but are worth repeating: update and patch systems, use phishing-resistant multi-factor authentication and unique passwords, block unused protocols, upgrade or replace kit on a schedule, trust no one and monitor logs.
While CISA, the FBI, and the NSA made their Top 20 Vulns list, the Department of Defense (DoD) made another list.
The DoD list covers Chinese companies that, directly or indirectly, operated in the United States in 2021 and that may look like civilian businesses but are linked to the Chinese military.
“The Department is determined to highlight and counter the PRC’s military-civil fusion strategy, which supports the modernization goals of the People’s Liberation Army (PLA) by ensuring its access to advanced technologies and expertise acquired and developed by PRC companies, universities and research programs that appear to be civilian facilities,” the Department of Defense said on Wednesday.
The list already included many names that are separately designated as national security threats, such as China Unicom, China Mobile and China Telecom. Huawei, Hikvision and SMIC, unsurprisingly, also appeared in the first version of the list, published on June 3, 2021.
The 13 additions for fiscal 2021 include drone maker DJI; CCTV maker Dahua (already listed as a national security threat); and Cloudwalk Technology, a software company accused of developing facial recognition software that can be used against ethnic minorities.
Cloudwalk and DJI are already on another list that bans any financial support from the US on the grounds that they are actively involved in the oppression and surveillance of China’s Uyghur population. ®
https://www.theregister.com/2022/10/07/us_spooks_reckon_these_are/ US Authorities Name China’s 20 Favorite Vulnerabilities to Exploit • The Register