Image: Getty/Deagreez

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have listed the top 20 software flaws that China-funded hackers have been using to compromise networks since 2020. 

The advisory emphasizes that China-backed hackers actively target not just the networks of the US government and its allies but also software and hardware companies in the supply chain to steal intellectual property and gain access to sensitive networks. These hackers are an active threat to the IT and telecoms sector, the defense industrial base, and critical infrastructure owners and operators. 

Privacy

• How to delete yourself from internet search results and hide your identity online
• The best browsers for privacy
• Samsung's smartphone 'Repair Mode' stops technicians from viewing your photos
• Are period tracking apps safe?

"NSA, CISA, and FBI continue to assess [People's Republic of China] PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks," they note. 

Also:White House warns: Do these 8 things now to boost your security ahead of potential Russian cyberattacks

CISA this week disclosed that several state-backed hacking groups were active on defense industrial base enterprise networks after gaining access through their Microsoft Exchange Server infrastructure from around mid-January 2021. Exchange Server is now under attack by newly discovered flaws similar to last year's ProxyShell.

Among the top 20 flaws used by China-backed hackers are four Microsoft Exchange Server flaws: CVE-2021-26855, a remote code execution bug, as well CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. These are all part of the the Exchange Server ProxyLogon pre-authentication vulnerabilities disclosed in 2021.   

Microsoft in July warned these bugs were being used in combination with malware tailored for networks using Microsoft's Internet Information Services (IIS) web server to host Outlook on the web. 

Other commonly used flaws include those in Apache Log4Shell, and flaws in code-hosting site GitLab, F5's network gear, VPN endpoints, and popular server products from VMware, Cisco, and Citrix. 

All the bugs are publicly known and present a risk for organizations that haven't applied available firmware and software updates. 

The GitLab and Atlassian Confluence bugs stand out as examples of hackers targeting developer and IT operations tools.   

"These state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access," CISA notes. 

Many of the top 20 vulnerabilities "allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks," it added. 

The agencies recommend patching systems, using multi-factor authentication, disabling unused protocols at the network edge, ditching end-of-life devices, adopting a model that trusts no person, device or app, and enabling logging of internet-facing systems.  

The top flaws used since 2020 are listed in the table below.

Vendor	CVE	Vulnerability Type
Apache Log4j	CVE-2021-44228	Remote Code Execution
Pulse Connect Secure	CVE-2019-11510	Arbitrary File Read
GitLab CE/EE	CVE-2021-22205	Remote Code Execution
Atlassian	CVE-2022-26134	Remote Code Execution
Microsoft Exchange	CVE-2021-26855	Remote Code Execution
F5 Big-IP	CVE-2020-5902	Remote Code Execution
VMware vCenter Server	CVE-2021-22005	Arbitrary File Upload
Citrix ADC	CVE-2019-19781	Path Traversal
Cisco Hyperflex	CVE-2021-1497	Command Line Execution
Buffalo WSR	CVE-2021-20090	Relative Path Traversal
Atlassian Confluence Server and Data Center	CVE-2021-26084	Remote Code Execution
Hikvision Webserver	CVE-2021-36260	Command Injection
Sitecore XP	CVE-2021-42237	Remote Code Execution
F5 Big-IP	CVE-2022-1388	Remote Code Execution
Apache	CVE-2022-24112	Authentication Bypass by Spoofing
ZOHO	CVE-2021-40539	Remote Code Execution
Microsoft	CVE-2021-26857	Remote Code Execution
Microsoft	CVE-2021-26858	Remote Code Execution
Microsoft	CVE-2021-27065	Remote Code Execution
Apache HTTP Server	CVE-2021-41773	Path Traversal

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next