The SafeBreach Hacker’s Playbook™ already has coverage on attack methods described in **US-CERT Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity **which addresses Chinese MSS-affiliated actors using open-source information to use readily available exploits and toolkits to leverage known vulnerabilities
The Hacker’s Playbook™ is up to date in coverage for this alert, no new methods were added as the SafeBreach Labs team has been adding attack methods over the years that address US-CERT Alert (AA20-258A). Our clients have been testing and safeguarding their network against the attacks noted, such as Mimikatz, China Chopper, and Pulse VPN.
It is important to note that this alert addresses well-known vulnerabilities that are being exploited in this attack campaign:
- CVE-2020-5902: F5 Big-IP Vulnerability
- CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances
- CVE-2019-11510: Pulse Secure VPN Servers
- CVE-2020-0688: Microsoft Exchange Server
Prioritizing vulnerabilities is a challenge most organizations struggle with because there are far too many vulnerabilities that are classified as high-priority. Adopting a Risk-Based Vulnerability Management to gain data-driven insights into which vulnerabilities are actually exploitable in your environment is critical. Correctly identifying which high-priority vulnerabilities truly constitute risk enables security teams to ensure they are all mitigated, so a company will not suffer damage from these attacks.
What you should do now
The new attack methods for US-CERT AA20-258A are already in the SafeBreach Hacker’s Playbook and ready to be run across your simulators. The Known Attack Series report is being updated so you can run the specific attacks from this US-CERT alert. From the Known Attack Series report, select the US-CERT Alert AA20-258A (Chinese MSS-affiliated actors) report and select Run Simulations which will run all the attack methods.