NSA, CISA & FBI Alert on Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors – Check Point Customers Remain Fully Protected


A recent joint cybersecurity advisory (CSA) from the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) lists the top Common Vulnerabilities and Exposures (CVEs) that, as assessed by those agencies, People’s Republic of China (PRC) state-sponsored cyber actors have used since 2020.

In the alert, NSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the listed best practices and mitigations to improve their defensive posture and reduce the threat of compromise by PRC state-sponsored malicious cyber actors.

Security researchers at Check Point constantly monitor such vulnerabilities and have been reporting exploitation attempts throughout the past year, as in the cases of Spring4Shell and the Log4j vulnerability.
Check Point customers remain fully protected against all published exploited vulnerabilities.
Check Point IPS protections in our Next Generation Firewall are updated automatically and require no action from users.

The following graph shows the monthly percentage of organizations worldwide that were impacted during 2022 by attacks attempting to exploit these published vulnerabilities:

The statistics in this report are based on data detected by Check Point’s Threat Prevention technologies, stored and analyzed in ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints, and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research (CPR), the intelligence and research arm of Check Point.

Remote code execution still leads as the main vulnerability type

Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over the compromised machine.
RCE vulnerabilities are among the riskiest and highest-impact vulnerabilities today. Many major cyberattacks have been enabled by RCE vulnerabilities, including Log4j and the infamous WannaCry attack, which spread by exploiting a vulnerability that allowed the attackers to execute malicious code on vulnerable machines and gave the ransomware its way in.

12 of the top CVEs in the alert are remote code execution (RCE) vulnerabilities, which reflects that these state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and to target web-facing applications to establish initial access.

Top vulnerabilities include:

Apache CVE-2021-44228 CVSS 3.0: 10 (Critical): A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system. Affects Apache Log4j2 2.14.1 and prior. Apache Log4j is the most popular Java logging library, with over 400,000 downloads from its GitHub project. It is used by a vast number of companies worldwide, enabling logging in a wide set of popular applications.

Atlassian CVE-2022-26134 CVSS 3.0: 9.8 (Critical): In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that could allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance.

Microsoft CVE-2021-26855 CVSS 3.0: 9.8 (Critical): Microsoft has released security updates for Windows Exchange Server. To exploit these vulnerabilities, an authenticated malicious actor could send malicious requests to an affected server. A malicious actor who successfully exploited these vulnerabilities could execute arbitrary code and compromise the affected systems. If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive information, bypass security restrictions, cause denial of service conditions, and/or perform unauthorized actions on the affected Exchange server, which could aid in further malicious activity.

F5 CVE-2020-5902 CVSS 3.0: 9.8 (Critical): Threat actors massively exploited this critical vulnerability, which affects multiple versions of all F5 BIG-IP modules, to drop malicious payloads. The company warned that the vulnerability enables an unauthenticated attacker on the BIG-IP system to run “arbitrary system commands, create or delete files, or disable services.”

Disruption to society

Cyber’s theoretical potential for major disruption to civic society just got real in 2022. At the start of the year, we had the continued fallout of Log4j, one of the most serious zero-day vulnerabilities we have ever seen. Any assumptions that it was a one-off event were soon put to rest when, just a couple of months later, another huge zero-day vulnerability was found in the open-source Spring Framework – Spring4Shell. We also saw in H1 the demise of a significant malware family, Trickbot, but the good news ended there, as the notorious Emotet malware has continued to dominate since its resurgence late last year.
The ‘Cyber Attack Trends: 2022 Mid-Year Report’ takes a closer look at how cyber-attacks have intensified in the first half of this year, highlighting a 42% global increase in attacks.

Check Point Customers are fully protected against all published exploited vulnerabilities

Check Point’s Quantum Intrusion Prevention System (IPS) prevented attempts to exploit weaknesses in vulnerable systems and applications, protecting customers in the race to exploit these vulnerabilities.
Check Point IPS protections in our Next Generation Firewall are updated automatically and require no action from users.

Check Point’s Harmony Endpoint prevented Log4j-related attacks and accelerated detection and investigation of related breaches. Check Point’s teams created several detection and prevention signatures to protect endpoints from the Log4j vulnerability. These signatures apply to both Windows and Linux endpoints and have been added to the Harmony Endpoint behavioral guard engine.
The engine adds a protection layer against advanced attacks by detecting suspicious operations in the behavior of processes.
Check Point’s Infinity Platform is the only security platform that offered pre-emptive protection for customers against recent Log4j exploits (Log4Shell). Leveraging contextual AI, the platform provides precise prevention of even the most sophisticated attacks without generating false positives. Customer web applications remain safe because the security auto-updates without the need for human intervention, and CloudGuard AppSec provides zero-day protection against exploitation of the Log4j vulnerability using the Check Point Web Application Best Practice in Prevent mode.
As soon as the Log4j vulnerability was reported on December 9, all relevant protections were propagated across all Check Point products (sk176884).

Below is a detailed list of our IPS protections against all the vulnerabilities published by CISA:

| Vendor | CVE | Vulnerability Type | IPS Protection |
|---|---|---|---|
| Apache Log4j | CVE-2021-44228 | Remote Code Execution | Apache Log4j Remote Code Execution (CVE-2021-44228) |
| Pulse Connect Secure | CVE-2019-11510 | Arbitrary File Read | Pulse Connect Secure File Disclosure (CVE-2019-11510) |
| GitLab CE/EE | CVE-2021-22205 | Remote Code Execution | GitLab CE Remote Code Execution (CVE-2021-22205) |
| Atlassian | CVE-2022-26134 | Remote Code Execution | Atlassian Confluence Remote Code Execution (CVE-2022-26134) |
| Microsoft Exchange | CVE-2021-26855 | Remote Code Execution | Microsoft Exchange Server Remote Code Execution (CVE-2021-26855) |
| F5 Big-IP | CVE-2020-5902 | Remote Code Execution | F5 BIG-IP Remote Code Execution (CVE-2020-5902) |
| VMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload | VMWare vCenter Server Arbitrary File Upload (CVE-2021-22005) |
| Citrix ADC | CVE-2019-19781 | Path Traversal | Citrix Multiple Products Directory Traversal (CVE-2019-19781) |
| Cisco Hyperflex | CVE-2021-1497 | Command Line Execution | Cisco HyperFlex HX Command Injection (CVE-2021-1498) |
| Buffalo WSR | CVE-2021-20090 | Relative Path Traversal | Buffalo Routers Directory Traversal (CVE-2021-20090) |
| Atlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution | Atlassian Confluence Remote Code Execution (CVE-2021-26084) |
| Hikvision Webserver | CVE-2021-36260 | Command Injection | Hikvision Web Server Command Injection (CVE-2021-36260) |
| Sitecore XP | CVE-2021-42237 | Remote Code Execution | Sitecore XP Remote Code Execution (CVE-2021-42237) |
| F5 Big-IP | CVE-2022-1388 | Remote Code Execution | F5 BIG-IP Remote Code Execution (CVE-2021-22986) |
| Apache | CVE-2022-24112 | Authentication Bypass by Spoofing | Apache APISIX Remote Code Execution (CVE-2022-24112) |
| ZOHO | CVE-2021-40539 | Remote Code Execution | Zoho ManageEngine ADSelfService Plus Authentication Bypass (CVE-2021-40539) |
| Microsoft | CVE-2021-26857 | Remote Code Execution | Microsoft Exchange Server Remote Code Execution (CVE-2021-26857) |
| Microsoft | CVE-2021-26858 | Remote Code Execution | Microsoft Exchange Server Remote Code Execution (CVE-2021-26857) |
| Microsoft | CVE-2021-27065 | Remote Code Execution | Microsoft Exchange Server Remote Code Execution (CVE-2021-26855) |
| Apache HTTP Server | CVE-2021-41773 | Path Traversal | Apache HTTP Server Directory Traversal (CVE-2021-41773) |
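Several entries in the list above are path traversal issues (Apache HTTP Server CVE-2021-41773, Citrix CVE-2019-19781, Buffalo CVE-2021-20090), and a protection for that class has to look at the request path in the same canonical form the server resolves, not at the raw string. As an added example, not Check Point’s code and not any of the IPS signatures listed, the following Python script shows that defender-side logic: it reads web-server access-log lines, percent-decodes each request path repeatedly so double-encoded dot-dot sequences are revealed, and reports whether a request merely contains a traversal sequence or actually climbs above the web root. The log lines, client addresses and paths are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). These records were
# written for this example and are not captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [12/Oct/2022:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199
203.0.113.9 - - [12/Oct/2022:10:00:03 +0000] "GET /static/..%252f..%252fconfig HTTP/1.1" 404 120
203.0.113.11 - - [12/Oct/2022:10:00:04 +0000] "GET /docs/../docs/guide.html HTTP/1.1" 200 2048
"""

# Pulls the method and the raw request path out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so that double-encoded sequences
    such as %252e -> %2e -> . are revealed before the path is inspected."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(raw_path):
    """Return 'clean' (no dot-dot segment), 'traversal' (dot-dot present but the
    path stays under the web root) or 'escape' (dot-dot climbs above the root)."""
    # Drop the query string and treat backslashes as separators before decoding.
    path = decode_fully(raw_path.split("?", 1)[0]).replace("\\", "/")
    segments = path.split("/")
    if ".." not in segments:
        return "clean"
    depth = 0
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:          # climbed above the web root
                return "escape"
        elif seg not in ("", "."):
            depth += 1
    return "traversal"


def scan_log(text):
    """Return (client_ip, raw_path, verdict) for every request that is not clean."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        verdict = classify(match.group("path"))
        if verdict != "clean":
            findings.append((line.split(" ", 1)[0], match.group("path"), verdict))
    return findings


if __name__ == "__main__":
    for client, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:9s} {client:15s} {path}")
```

The second and third sample lines are only recognisable as traversal after decoding, which is why the check is applied to the canonical path rather than to the raw request; a naive match on the literal string `../` would report only the harmless fourth line. Percent-decoding is one of several normalizations a production IPS performs, but the principle is the same for all of them: inspect what the server will actually resolve.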


Keeping Organizations Safe and Protected:

  • We strongly recommend that users patch their servers, operating systems (including mobile OS) and apps to prevent exploitation of such vulnerabilities.
  • Intrusion Prevention System (IPS): an IPS prevents attempts to exploit weaknesses in vulnerable systems or applications, protecting you in the race to exploit the latest breaking threat. A regularly updated IPS helps your organization stay protected.
  • Access control: an RCE attack provides an attacker with a foothold on the enterprise network, which they can expand to achieve their final objectives. By implementing network segmentation, access management, and a zero trust security strategy, an organization can limit an attacker’s ability to move through the network and take advantage of their initial access to corporate systems.
  • Endpoint protection: conventional signature-based anti-virus is a highly efficient solution for preventing known attacks and should be implemented in any organization, as it protects against the majority of the malware attacks an organization faces. In addition, comprehensive endpoint protection at the highest security level is crucial to avoid security breaches and data compromises.
  • Check Point can also support organizations that are working to remediate an RCE vulnerability or that have suffered an RCE attack. If you need help addressing an RCE or other cyberattack, contact Check Point support. If you believe you have been breached or compromised, you can contact our Incident Response teams. You do not have to be a Check Point customer to do so.