China-nexus threat actors are getting better and quicker at weaponising and deploying exploits for newly discovered common vulnerabilities and exposures (CVEs), and in the past 12 months leveraged new vulnerabilities at a “significantly elevated” rate when compared to 2020, according to CrowdStrike’s eighth annual Global threat report.
CrowdStrike Intelligence said it had confirmed the exploitation of two vulnerabilities published in 2020 by China-nexus advanced persistent threat (APT) actors – in Oracle WebLogic and Zoho ManageEngine, respectively – but that last year it was able to confirm 12 vulnerabilities and nine different products being exploited, linked to 10 known APTs, including the infamous Wicked Panda (aka APT41 or Barium).
The analysts said that although Chinese APTs have long developed and deployed their own exploits in targeted intrusions, 2021 saw an increased volume of activity from Chinese APTs, highlighting an evolution in how these groups go about their work.
“For years, Chinese actors relied on exploits that required user interaction, whether by opening a malicious document or other files attached to emails or visiting websites hosting malicious code,” wrote the report’s authors.
“In contrast, exploits deployed by these actors in 2021 focused heavily on vulnerabilities in internet-facing devices or services.”
Among the vulnerabilities favoured by Chinese APTs in 2021 were the Microsoft Exchange bugs collectively known as ProxyLogon and ProxyShell, as well as flaws in networking products such as VPNs and routers. They are also increasingly looking to enterprise software products hosted on internet-facing servers.
CrowdStrike’s team assessed that these exploits are largely being independently developed in-house or, in a new twist, acquired from legitimate sources in China.
“In particular,” the team wrote, “the Tianfu Cup hacking competition demonstrates the significant exploitation development talent within China’s hacking community.
“Exploits submitted at the Tianfu Cup have later been acquired by Chinese targeted intrusion actors for use in their operations. In several 2021 incidents, Chinese actors demonstrated an ability to rapidly operationalise public proof-of-concept exploit code.”
The latest edition of the report highlights the ongoing adaptation of state-linked targeted intrusion adversaries to new opportunities and strategic requirements, and not just among those linked to China. The other Big Four nation state adversaries – Russia, Iran and North Korea – also employed new forms of tradecraft in 2021, such as targeting IT and cloud services providers in Russia’s case, while the Iranians now favour masking their intrusions behind ransomware attacks, and the North Koreans have shifted their focus to crypto-linked targets to maintain their cashflow.
Beyond the Big Four, and other governments with established cyber capabilities, CrowdStrike debuted two new “adversary animals” on its threat matrix in 2021 – Wolf for Turkey and Ocelot for Colombia, joining the likes of Bear (Russia), Panda (China) and Kitten (Iran). This underscores an increase in offensive capabilities beyond governments traditionally linked to cyber ops, and highlights the growing variety of national goals.
CrowdStrike also noted the contribution of what it terms private sector offensive actors or “hackers for hire” – Israeli malware developers NSO Group and Candiru fall into this category – and the continued development and proliferation of grassroots hacktivist groups – such groups are assigned the moniker Jackal in its animal-themed matrix – particularly in Belarus and Iran.