Today, the NSA issued the Cybersecurity Advisory “Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities” – a list of 25 known vulnerabilities that it warns are currently being exploited actively “against networks of interest that hold sensitive intellectual property, economic, political, and military information. Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts.”
The new list of top 25 vulnerabilities being exploited by Chinese hacking is a great reminder that the easiest protection against cyber attacks is keeping your operating systems, applications, devices, and software patched and up to date. Organizations that can’t keep up to date or don’t have the resources to keep their software up to date should look into virtual patching solutions that protect the application, like the ones offered by RASP (Runtime Application Self-Protection) solutions, which are now mandated by the latest version of the NIST SP800-53 Revision 5 Security and Privacy Framework. RASP solutions also protect the organization against new and unpatched vulnerabilities.
We definitely saw an increase in this situation last year and it’s ongoing. They’re trying to collect intellectual property data. Chinese attackers could be nation state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies… in other words, to steal and use for their own gain.
I’m glad that the NSA has issued this. Publishing this report reinforces the work that companies need to do to secure their intellectual property, and pushes them to make the patches and maintenance they need to do.
It’s disappointing to see the NSA refer to threat actors as hackers. I hope this changes. Many in the hacking community are legitimate security researchers who alert companies to vulnerabilities in order to secure – not steal – their intellectual property. Many other agencies and Federal entities (such as the Department of Defense) collaborate closely with the hacking community and their vulnerability disclosure programs define the research scope, contact processes, etc. – to help ensure that vulnerabilities are identified and addressed before threat actors can move on them.