
From Behind a Great Wall these Vulnerabilities Open Doors

Nov 10, 2020

Read about what we learned from the NSA alert "Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities." We analyzed the top 25 vulnerabilities listed in the security advisory for interesting correlations and security take-aways.

Here are the ways we looked at this alert:

Analysis of weaponization

  • 12 CVEs have RCE capabilities
  • 6 CVEs are associated with APT Groups (APT41, APT33, APT39, APT5, Cadelle, Chafer, OilRig (APT34), Axiom, Night Dragon, Soft Cell)
  • 4 CVEs are associated with Ransomware
  • 3 CVEs with Privilege Execution
  • 1 CVE is associated with Lazarus Malware 

For those using RiskSense, this analysis is already incorporated into the solution. Selecting the system filter "NSA-Chinese State Actors" shows all of the open host findings, with the adversarial impact reflected automatically in the detailed risk-based prioritization.

The full listing of the 18 CVEs and their exploit details is provided through our research and our partner relationship with Cyber Security Works.

Let’s look at each category:

Association with Common Weakness Enumeration

21 of the 25 weaponized CVEs rank among the Top 25 Common Weakness Enumerations (CWE). The remaining 4 rank closely behind, in the current Top 30 CWE listing.

Exploit Kit Analysis

Our threat researchers analyzed the constant cybercriminal activity related to exploit kits and found CVE-2019-19781 and CVE-2019-11510 associated with four exploit kits. We also noticed that older exploit kits, such as the RIG exploit kit and the Fallout exploit kit, are being upgraded with newer elements and capabilities.

  • CVE-2019-19781 – RIG exploit kit, Fallout exploit kit
  • CVE-2019-11510 – Fallout exploit kit, Spelevo exploit kit

Associated with Ransomware

We also found that four of the 25 CVEs are associated with 21 ransomware families. Interestingly, these old vulnerabilities all date from the year 2019.

CVE-2019-19781

  • CLOP
  • NOTROBIN
  • Ragnarok
  • Sodinokibi
  • Vatet loader
  • REvil
  • Golang Ransomware
  • MegaCortex
  • SNAKE
  • DoppelPaymer
  • BitPaymer
  • Dridex 2.0
  • Nefilim
  • Nemty

CVE-2019-11510

  • Black Kingdom 
  • Sodinokibi
  • Maze

CVE-2019-3396

  • GandCrab
  • LockerGoga
  • MegaCortex

CVE-2019-18935

  • Netwalker
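To show what a "system threat filter" of the kind described earlier actually does with scan data, here is an added example (not RiskSense's code, and not from the advisory): it joins a constructed scanner export with the CVE-to-exploit-kit and CVE-to-ransomware mappings listed in this post, drops findings with no adversarial context, and orders the rest by a simple weighting. The scan lines, host names, the placeholder CVE-0000-0000, and the scoring weights are all assumptions made for illustration; only the CVE mappings come from the post.

```python
"""Added example: a minimal threat-context filter over scan findings.

THREAT_CONTEXT reproduces the exploit-kit and ransomware associations listed in
the post. The scan export, host names and scoring weights are constructed for
illustration and are not from the post or from RiskSense.
"""
from dataclasses import dataclass, field

# Threat context drawn from the post. CVEs not listed here get no context.
THREAT_CONTEXT = {
    "CVE-2019-19781": {
        "exploit_kits": {"RIG", "Fallout"},
        "ransomware": {"CLOP", "NOTROBIN", "Ragnarok", "Sodinokibi", "Vatet loader",
                       "REvil", "Golang Ransomware", "MegaCortex", "SNAKE",
                       "DoppelPaymer", "BitPaymer", "Dridex 2.0", "Nefilim", "Nemty"},
    },
    "CVE-2019-11510": {
        "exploit_kits": {"Fallout", "Spelevo"},
        "ransomware": {"Black Kingdom", "Sodinokibi", "Maze"},
    },
    "CVE-2019-3396": {"exploit_kits": set(),
                      "ransomware": {"GandCrab", "LockerGoga", "MegaCortex"}},
    "CVE-2019-18935": {"exploit_kits": set(), "ransomware": {"Netwalker"}},
}

# Constructed scanner export, one "host,cve" row per finding.
# CVE-0000-0000 is a placeholder, not a real CVE, included to show filtering.
SAMPLE_SCAN = """\
host,cve
vpn-gw-01.example.internal,CVE-2019-11510
adc-01.example.internal,CVE-2019-19781
adc-01.example.internal,CVE-2019-18935
wiki-01.example.internal,CVE-2019-3396
web-07.example.internal,CVE-0000-0000
"""


@dataclass
class Finding:
    host: str
    cve: str
    exploit_kits: set = field(default_factory=set)
    ransomware: set = field(default_factory=set)

    @property
    def score(self) -> int:
        # Assumed weighting: an exploit-kit integration means commodity,
        # automated exploitation, so each kit counts double; each ransomware
        # family tied to the CVE counts once.
        return 2 * len(self.exploit_kits) + len(self.ransomware)


def parse_scan(csv_text: str) -> list:
    """Parse the constructed CSV export and attach threat context per finding."""
    rows = csv_text.strip().splitlines()[1:]  # skip the header row
    findings = []
    for row in rows:
        host, cve = (part.strip() for part in row.split(",", 1))
        ctx = THREAT_CONTEXT.get(cve, {})
        findings.append(Finding(host, cve,
                                set(ctx.get("exploit_kits", ())),
                                set(ctx.get("ransomware", ()))))
    return findings


def threat_filter(findings: list) -> list:
    """Keep only findings with threat context from the analysis, highest score first."""
    matched = [f for f in findings if f.cve in THREAT_CONTEXT]
    return sorted(matched, key=lambda f: (-f.score, f.host, f.cve))


def hosts_exposed_to(family: str, findings: list) -> set:
    """Hosts carrying a CVE that the analysis ties to the given ransomware family."""
    return {f.host for f in findings if family in f.ransomware}


if __name__ == "__main__":
    prioritized = threat_filter(parse_scan(SAMPLE_SCAN))
    for f in prioritized:
        print(f"{f.score:3d}  {f.host:28s} {f.cve}  kits={sorted(f.exploit_kits)}"
              f"  ransomware families={len(f.ransomware)}")
    print("Hosts exposed to Sodinokibi:",
          sorted(hosts_exposed_to("Sodinokibi", prioritized)))
```

Run as a script, the Citrix finding on adc-01 sorts first because it carries both exploit-kit integrations and fourteen ransomware associations, while the placeholder finding on web-07 is dropped entirely; the same join is what lets a filter answer "which hosts expose us to a given family" without re-reading the advisory.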

Not all organizations have the resources or time to do this level of vulnerability assessment. The RiskSense Risk-Based Vulnerability Management solution makes organizations smarter about security by providing this built-in threat context. Take your scan data and make it more actionable, see how system threat filters work in action, and walk away with the proof needed to modernize your vulnerability management program. Contact us today to enroll in a ‘proof of work’ engagement.