“It might seem like deja vu, but the truth is, many state-sponsored threat actors including those linked to the People’s Republic of China continue to exploit legacy vulnerabilities to gain initial access to organisations. If there’s one thing threat actors love, it’s legacy, unpatched vulnerabilities.
“Many of the vulnerabilities outlined in today’s advisory by CISA, the NSA and the FBI overlap with vulnerabilities used by other state-sponsored threat actors, including those with links to the Iranian Islamic Revolutionary Guard Corps (IRGC), along with several other joint cybersecurity advisories published by CISA over the years. The most common amongst all of the advisories are a number of flaws in VPNs like Citrix (CVE-2019-19781) and Pulse Secure (CVE-2019-11510), which, despite being patched over two years ago, remain a valuable asset for threat actors seeking to gain initial access.
“The advisory notes that CVE-2021-44228, also known as Log4Shell, has been exploited by these threat actors following its discovery in December 2021. Considering the widespread use of Apache Log4j, it’s no surprise that this flaw has been integrated into the playbooks of these attackers, as we know that Log4Shell is a legacy vulnerability that will remain a problem for years to come.
“It is also important to note that these state-sponsored threat actors are exploiting flaws in Microsoft Exchange Server, including ProxyLogon (CVE-2021-26855) and associated flaws that were first disclosed in early 2021. ProxyLogon continues to be leveraged as part of attacks in the wild, along with a more recent set of Exchange Server bugs, known as ProxyShell. Recently, attackers were spotted exploiting a pair of zero-day vulnerabilities in Exchange Server, which researchers have called ProxyNotShell. The researchers that discovered these actively exploited flaws believed they were being leveraged by Chinese threat actors, which underscores the high value in Exchange Server as a target for these types of threat actors. Patching Exchange Server is no simple task, which is a contributing factor in the continued exploitation of flaws like ProxyLogon. The added bonus of leveraging these flaws is the ability for threat actors to install web shells on compromised Exchange Servers, which enables repeated access even after patches have been applied.
“For organisations, these joint advisories provide a blueprint into the way these threat actors seek to gain access to targeted networks, so it is vital that organisations are able to identify vulnerable assets and patch them in a timely manner to cut off potential avenues of exploitation.” - Satnam Narang, Sr. Staff Research Engineer, Tenable
