Zero-Days in Edge Devices Become China's Cyber Warfare Tactic of Choice

Cyber Security Threat Summary:
Over the past five years, Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. They have also placed a strong emphasis on operational security and anonymity. These changes have been influenced by internal factors, such as military restructuring and changes in domestic regulations, as well as external factors, including reporting by Western governments and the cybersecurity community. This evolution has made it more challenging for organizations, governments, and the cybersecurity community to defend against these threats. Because the focus is on exploiting novel vulnerabilities in public-facing devices, a vulnerability-centric defense approach is inadequate; defense-in-depth measures that can detect post-exploitation activity are needed.

Security Officer Comments:
These cyber groups exhibit adaptability in responding to geopolitical events. For instance, they’ve adjusted targeting patterns in response to specific events such as geopolitical tensions between India and China, the Hong Kong protests, and the COVID-19 pandemic, showcasing their strategic alignment with broader state objectives. The technical evolution illustrates a deliberate shift toward precision targeting, enhanced operational security, and an agile response framework, marking a notable transformation in Chinese state-sponsored cyber operations.

Suggested Correction(s):
Researchers at Recorded Future have published the following mitigations:

  • Ensure a risk-based approach for patching vulnerabilities, prioritizing high-risk vulnerabilities and those being exploited in the wild. With regard to Chinese state-sponsored groups, pay particular attention to remote code execution (RCE) vulnerabilities in external-facing appliances within your environment.
  • Ensure security monitoring and detection capabilities are in place for all external-facing services and devices. Monitor for follow-on activity likely to take place following exploitation of these external-facing services, such as the deployment of web shells, backdoors, or reverse shells, and subsequent lateral movement to internal networks.
  • Practice network segmentation, such as isolating internet-facing services in a network demilitarized zone (DMZ).
  • Enforce multi-factor authentication (MFA) on all VPN connections and consider implementing anomaly detection for VPN connections.
  • By monitoring Malicious Traffic Analysis (MTA), Recorded Future clients can alert on and proactively monitor infrastructure that may be involved in notable communication to known C2 IP addresses.
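The second and last mitigations above (monitoring edge devices for post-exploitation activity and alerting on traffic to known C2 addresses) can be turned into a simple baseline check over flow logs. The following is an added illustration, not code from Recorded Future or from the original advisory; the appliance inventory, egress baseline, C2 indicator and flow records are all constructed placeholders.

```python
import ipaddress

# Constructed inventory: internet-facing appliances (by management IP) and the
# destinations each one legitimately initiates connections to (vendor update
# service, internal LDAPS). Every address here is made up.
EDGE_APPLIANCES = {"10.1.0.5": "vpn-gateway", "10.1.0.6": "waf"}
EGRESS_BASELINE = {
    "10.1.0.5": {"203.0.113.10:443", "10.2.0.20:636"},
    "10.1.0.6": {"203.0.113.11:443"},
}
KNOWN_C2 = {"198.51.100.77"}          # placeholder indicator, not a real IoC
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_PORTS = {22, 445, 3389, 5985}   # typical lateral-movement ports

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port
SAMPLE_FLOWS = """\
2024-03-01T02:00:01,10.1.0.5,203.0.113.10,443
2024-03-01T02:00:07,10.1.0.5,10.2.0.20,636
2024-03-01T02:14:33,10.1.0.5,198.51.100.77,443
2024-03-01T02:15:02,10.1.0.5,192.0.2.44,4444
2024-03-01T02:20:19,10.1.0.5,10.2.0.31,445
2024-03-01T02:21:00,10.1.0.6,203.0.113.11,443
2024-03-01T02:22:00,10.3.0.9,10.2.0.31,445
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect_post_exploitation(flow_text):
    """Flag flows that an edge appliance itself initiated and that fall outside
    its baseline: known C2, unexpected egress, or admin ports into the LAN."""
    alerts = []
    for line in flow_text.strip().splitlines():
        ts, src, dst, port = line.split(",")
        if src not in EDGE_APPLIANCES:
            continue  # only appliance-originated flows are of interest here
        name, dest = EDGE_APPLIANCES[src], f"{dst}:{port}"
        if dst in KNOWN_C2:
            alerts.append((ts, name, "known-c2", dest))
        elif not is_internal(dst) and dest not in EGRESS_BASELINE[src]:
            alerts.append((ts, name, "unexpected-egress", dest))
        elif is_internal(dst) and int(port) in ADMIN_PORTS:
            alerts.append((ts, name, "appliance-to-internal-admin", dest))
    return alerts

if __name__ == "__main__":
    print(*detect_post_exploitation(SAMPLE_FLOWS), sep="\n")
```

An appliance that is forwarding user traffic is not the source of these flows; the check only looks at connections the device's own management address originates, which is where a web shell, backdoor or reverse shell would show up.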