Chinese state-sponsored hackers are exploiting vulnerabilities in network devices to harvest data and steal credentials from telecoms companies and their customers, US cybersecurity and law enforcement agencies have warned.
In a rare joint advisory, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI said unpatched network devices and routers present “a series of high-severity vulnerabilities” that Chinese government-backed hackers have exploited to access “vulnerable infrastructure”. Such devices are often overlooked by routine patching and monitoring, the notice warns.
Devices made by vendors including Cisco, Citrix and Netgear are among those affected, the notice says, ranging from small office and home office routers to equipment deployed in enterprise networks.
How are Chinese hackers targeting network infrastructure?
Chinese state-sponsored hackers have been exploiting these vulnerabilities since 2020, the notice says. They scan for individual devices running vulnerable software, compromise them, and use that foothold to reach wider telecoms infrastructure or connected corporate networks, where they steal log-in credentials and other data.
“Upon gaining an initial foothold into a telecommunications organisation or network service provider, [Chinese] state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorisation, and accounting,” the advisory says.
This potentially gives the attackers the opportunity to steal more information. “Access to telecommunication networks allows more extensive attacks to be elevated from the compromised platform,” says Jake Moore, global cybersecurity adviser at ESET. “Once on board, attackers can target other networks and cause serious damage. Advanced persistent threat groups are increasing in power and sophistication and such targets remain under fire, acting as a hub of potential lines of further attack.”
Network devices are often left unpatched
The advisory recommends that organisations patch their devices and software as soon as updates are released, and use other controls such as multi-factor authentication (MFA) and data back-ups. “Bolstering log on methods to include more robust MFA helps reduce this risk,” Moore agrees.
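The practical difficulty behind “patch as soon as updates are released” is knowing which field devices are still running an old build, and which have quietly dropped out of inventory management altogether. The script below is an added example, not code from the advisory, the article or any vendor: it compares a device inventory against a table of minimum fixed firmware versions and also flags devices that have not reported in recently. The vendor names, model names, version strings and the inventory itself are constructed for illustration and describe no real vulnerability or real fix release; in practice the minimum-version table would be populated from the vendor advisories.

```python
"""Patch-compliance audit for a network-device inventory (added example).

Everything below (vendors, models, versions, hostnames) is constructed
sample data; it does not describe real products or real fixed versions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed table: (vendor, model) -> first firmware build containing the fix.
MIN_FIXED_VERSION: Dict[Tuple[str, str], str] = {
    ("examplevendor", "edge-router"): "4.2.1",
    ("examplevendor", "core-switch"): "12.1.0",
    ("othervendor", "soho-gw"): "1.0.9",
}

# A device that has not checked in for this long is treated as "stale": it may
# be exactly the kind of forgotten box that never receives the update.
STALE_AFTER_DAYS = 30


@dataclass
class Device:
    hostname: str
    vendor: str
    model: str
    firmware: str
    last_seen_days: int  # days since the device last reported to inventory


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Turn '4.2.1', '4.2.1b' or '12.1' into a comparable tuple.

    Numeric components compare numerically, so 4.10.0 sorts above 4.9.7
    (a plain string comparison would get that wrong). A trailing alphabetic
    build suffix sorts after the bare release it extends, and missing
    components are padded with zeros so that 4.2 equals 4.2.0.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([A-Za-z]*)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    return (nums, m.group(2).lower())


def is_outdated(dev: Device) -> Optional[bool]:
    """True if below the fixed version, False if at/above, None if no entry."""
    minimum = MIN_FIXED_VERSION.get((dev.vendor.lower(), dev.model.lower()))
    if minimum is None:
        return None
    return parse_version(dev.firmware) < parse_version(minimum)


def audit(inventory: List[Device]) -> Dict[str, List[str]]:
    """Classify each device as outdated, current or unknown_model; list stale ones too."""
    report: Dict[str, List[str]] = {
        "outdated": [], "current": [], "unknown_model": [], "stale": [],
    }
    for dev in inventory:
        status = is_outdated(dev)
        if status is None:
            report["unknown_model"].append(dev.hostname)
        elif status:
            report["outdated"].append(dev.hostname)
        else:
            report["current"].append(dev.hostname)
        if dev.last_seen_days > STALE_AFTER_DAYS:
            report["stale"].append(dev.hostname)
    return report


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Device("rtr-branch-01", "ExampleVendor", "edge-router", "4.2.1", 1),
    Device("rtr-branch-02", "ExampleVendor", "edge-router", "4.10.0", 3),
    Device("rtr-branch-03", "ExampleVendor", "edge-router", "4.9.7", 45),
    Device("sw-core-01", "ExampleVendor", "core-switch", "12.0.12", 2),
    Device("gw-home-17", "OtherVendor", "soho-gw", "1.0.9b", 2),
    Device("gw-home-18", "OtherVendor", "soho-gw", "0.9.12", 4),
    Device("fw-lab-01", "ThirdVendor", "unknown-box", "2.0", 200),
]

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket:>13}: {', '.join(hosts) or '-'}")
```

Devices in the `unknown_model` bucket deserve as much attention as the `outdated` ones: a model with no entry in the minimum-version table has not been assessed at all, and a stale device that is also unassessed is the typical overlooked edge router the advisory describes.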
Updates to networking devices deployed in the field are often overlooked, leaving them exposed. The UK is addressing this through the Product Security and Telecommunications Infrastructure bill, announced by the government last month as part of the Queen’s speech. It will place new obligations on manufacturers of connected devices such as routers and IoT systems: banning universal default passwords, stating how long security updates will be provided after a device is launched, and requiring a published route for reporting vulnerabilities to the manufacturer.
“The three key requirements being brought in seem obvious to many in the security industry, but very few manufacturers have chosen to voluntarily follow these recommendations as the consequences have only ever impacted customers or users, never themselves,” said James Bore, security specialist and director of the Bores Group.