Top of the Pops: US authorities list the 20 hottest vulns that China’s hackers love to hit

Three US national security agencies – CISA, the FBI and the NSA – on Thursday issued a joint advisory naming the 20 infosec vulnerabilities exploited by state-sponsored Chinese threat actors since 2020.

The list reads like a hit parade of recent security SNAFUs, with remote code executions like Log4j and Atlassian topping the charts, as well as a handful of Microsoft bugs.

The Cybersecurity and Infrastructure Security Agency, National Security Agency (NSA) and Federal Bureau of Investigation (FBI) stated they collectively consider the People’s Republic of China (PRC) state-sponsored cyber activities as “being one of the largest and most dynamic threats to U.S. government and civilian networks.”

“NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks,” added the agencies.

The threat actors use VPNs to obfuscate their locations and activities and make their way in via web-facing applications. Many of the vulnerabilities allow for unauthorized access to sensitive networks, and once in, they can move into connected networks.

CISA’s recommended mitigations seem obvious, but are worth repeating: update and patch systems, use phishing-resistant multi-factor authentication and unique passwords, block unused protocols, upgrade or replace kit on schedule, trust no one, and monitor logs.

While CISA, the FBI and NSA were creating their top 20 vulns list, the Department of Defense (DoD) was making another list.

The DoD list is of Chinese companies operating either directly or indirectly within the US during 2021, and which may appear to be civilian operations but are tied to the Chinese military.

“The Department is determined to highlight and counter the PRC Military-Civil Fusion strategy, which supports the modernization goals of the People’s Liberation Army (PLA) by ensuring its access to advanced technologies and expertise are acquired and developed by PRC companies, universities, and research programs that appear to be civilian entities,” said the DoD on Wednesday.

The list already included many names that are also deemed separately as national security threats like China Unicom, China Mobile and China Telecom. Huawei, Hikvision, SMIC also unsurprisingly had spots on the initial version of the list released on June 3, 2021.

The 13 additions for FY 2021 include drone-maker DJI; CCTV manufacturer Dahua (already listed as a national security threat); and Cloudwalk Technology, a software company accused of developing facial recognition software that can be weaponized against ethnic minorities.

Cloudwalk and DJI are already on another list that bans any US financial support on grounds they are active participants in the repression and surveillance of China’s Uyghur population. ®