Skip links

Beijing-backed baddies target unpatched networking kit to attack telcos

State-sponsored Chinese attackers are actively exploiting old vulnerabilities to “establish a broad network of compromised infrastructure” then using it to attack telcos and network services providers.

So say the United States National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI), which took the unusual step of issuing a joint advisory that warns allied governments, critical infrastructure operators, and private industry organizations to hurry up and fix their IT estates.

The advisory states that network devices are the target of this campaign and lists 16 flaws – some dating back to 2017 and none more recent than April 2021 – that the three agencies rate as the most frequently exploited.

Attackers blend into the noise or normal activity of a network.

China has not had to work hard to run this campaign. The advisory suggests Beijing’s minions use open source tools like RouterSploit and RouterScan to find potentially vulnerable boxes.

Unpatched boxes are easily compromised – especially when they’re routers installed at homes or small businesses.

The Register has often remarked that such products are not easy to patch, and that advice of the need to update firmware seldom reaches their owners.

The three-agency advisory states that attackers use compromised devices to gain “an initial foothold into a telecommunications organization or network service provider.” They then hunt for users with valuable privileges and infrastructure that manages authentication, authorization, and accounting.

China programming code

Microsoft details how China-linked crew’s malware hides scheduled Windows tasks


The advisory describes one attack in which China-sponsored actors identified a critical Remote Authentication Dial-In User Service (RADIUS) server, then “gained credentials to access the underlying SQL database and utilized SQL commands to dump the credentials, which contained both cleartext and hashed passwords for user and administrative accounts.”

Once China’s attackers scored those creds, they used them with custom automated scripts to authenticate to a router via Secure Shell, then executed router commands and saved the output. Among the hauls were configuration info for each attached router.

“The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network,” the advisory states.

That manipulation included capture and exfiltration of traffic “out of the network to actor-controlled infrastructure.”

The attacks can be hard to spot, the advisory explains, because China’s hired miscreants “often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network.”

China-sponsored attackers can rely on help from what the three agencies describe as “compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers.”

“The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.”

The three agencies suggest 14 mitigations, most of which are common sense practices – patching systems, always using multifactor authentication, segmenting networks to prevent lateral movement, and disabling devices’ out of band management capabilities.

But the advisory warns constant vigilance is needed because the actors the document describes change their tactics in response to publication of analysis describing their exploits.

“Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns,” the advisory states. The attackers also change their methods after observing targets’ defensive actions.

The advisory itself may therefore spark a new wave of “innovation”, as it details the router commands the three agencies have observed. ®