Chinese Cybergangs: The Most-Attacked Vulnerabilities

US cyber security agencies provide a list of the top vulnerabilities currently being attacked by Chinese cyber gangs.

(Image: Anterovium/

In a joint report, the US authorities National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have compiled a list of the security vulnerabilities most frequently attacked by Chinese state cybergangs since 2020. State-directed cyber actors continue to target known vulnerabilities in US and allied networks, as well as software and hardware manufacturers, to steal intellectual property and gain access to sensitive networks. The NSA, CISA, and FBI are urging governments and private sector organizations to take available and known countermeasures.

Authorities continue to rank China’s state-sponsored cyber activities as one of the greatest and most dynamic threats to the US government and civilian networks. Chinese cyber actors are targeting government and critical infrastructure networks with an increasing number of new and adapted techniques, some of which pose a significant risk to IT sector organizations including telecom providers, military-industrial complex organizations, and other critical infrastructure organizations represent.

The state-controlled cybergangs exploit known vulnerabilities and use publicly available tools, among other things, to attack interesting networks. They attack the security gaps and nest themselves in compromised networks.

In descending order, Chinese cybercriminals target the following vulnerabilities the most:

OffererCVEvulnerability type
Apache Log4jCVE-2021-44228Remote code execution
Pulse Connect SecureCVE-2019-11510Arbitrary File Read
GitLab CE/EECVE-2021-22205Remote code execution
AtlasianCVE-2022-26134Remote code execution
MicrosoftExchangeCVE-2021-26855Remote code execution
F5 Big IPCVE-2020-5902Remote code execution
VMware vCenter ServerCVE-2021-22005Arbitrary file upload
Citrix ADCCVE-2019-19781Path Traversal
Cisco HyperflexCVE-2021-1497Command Line Execution
Buffalo ESCCVE-2021-20090Relative Path Traversal
Atlassian Confluence Server and Data CenterCVE-2021-26084Remote code execution
Hikvision web serverCVE-2021-36260command injection
Sitecore XPCVE-2021-42237Remote code execution
F5 Big IPCVE-2022-1388Remote code execution
ApacheCVE-2022-24112Authentication bypass by spoofing
ZOHOCVE-2021-40539Remote code execution
MicrosoftCVE-2021-26857Remote code execution
MicrosoftCVE-2021-26858Remote code execution
MicrosoftCVE-2021-27065Remote code execution
Apache HTTP ServerCVE-2021-41773Path Traversal

The attackers rely on virtual private networks (VPNs) to conceal their activities. They primarily direct their attacks against web applications in order to gain initial access. Many of the CVEs listed in the table allow malicious actors to stealthily gain unauthorized access to sensitive networks. They then usually try to nest and spread further in the network and other connected networks.

At the end of the article, the US authorities have listed the individual vulnerabilities and possible countermeasures. IT managers should check the list once and see whether there are still services lurking in their own network that need to be secured. Most recently, in April of this year, cyber security authorities created an overview of vulnerabilities that were generally most frequently misused for attacks in the past year. Administrators should also check this list once.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s