{
	"id": "ffa0df7c-e187-47dd-a17a-ae3b7b34db58",
	"created_at": "2026-04-06T00:09:46.506928Z",
	"updated_at": "2026-04-10T03:20:22.928354Z",
	"deleted_at": null,
	"sha1_hash": "1e2368beda08e7af50425f21583323170b470d82",
	"title": "Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 133240,
	"plain_text": "Chinese Ministry of State Security-Affiliated Cyber Threat Actor\r\nActivity | CISA\r\nPublished: 2020-10-24 · Archived: 2026-04-05 12:45:09 UTC\r\nSummary\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State\r\nSecurity (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these\r\n—and other threat actors with varying degrees of skill—routinely using open-source information to plan and\r\nexecute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge\r\n(ATT\u0026CK®) and Pre-ATT\u0026CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. This\r\nproduct was written by CISA with contributions by the Federal Bureau of Investigation (FBI).\r\nKey Takeaways\r\nChinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber\r\noperations.\r\nChinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly\r\nengage target networks.\r\nMaintaining a rigorous patching cycle continues to be the best defense against the most frequently used\r\nattacks.\r\nIf critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to\r\ndevelop custom malware and exploits or use previously unknown vulnerabilities to target a network.\r\nThis Advisory identifies some of the more common—yet most effective—TTPs employed by cyber threat\r\nactors, including Chinese MSS-affiliated cyber threat actors.\r\nClick here for a PDF version of this report.\r\nTechnical Details\r\nThrough the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the\r\nnational risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the 
People’s\r\nRepublic of China using commercially available information sources and open-source exploitation tools to target\r\nU.S. Government agency networks.\r\nAccording to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various\r\nindustries across the United States and other countries—including high-tech manufacturing; medical device, civil,\r\nand industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and\r\ndefense—in a campaign that lasted over ten years.[1] These hackers acted for both their own personal gain and the\r\nbenefit of the Chinese MSS.[2]\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-258a\r\nPage 1 of 11\n\nAccording to the indictment,\r\nTo conceal the theft of information from victim networks and otherwise evade detection, the defendants typically\r\npackaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim\r\ndocuments’ names and extensions (e.g., from “.rar” to “.jpg”) and system timestamps, and concealed programs\r\nand documents at innocuous-seeming locations on victim networks and in victim networks’ “recycle bins.” The\r\ndefendants frequently returned to re-victimize companies, government entities, and organizations from which they\r\nhad previously stolen data, in some cases years after the initial successful data theft. In several instances,\r\nhowever, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders.\r\nThe continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries\r\ncan use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber\r\noperations are successful because misconfigurations and immature patch management programs allow actors to\r\nplan and execute attacks using existing vulnerabilities and known exploits. 
Widespread implementation of robust\r\nconfiguration and patch management programs would greatly increase network security. It would also reduce the\r\nspeed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research\r\nunknown vulnerabilities and develop custom exploitation tools.\r\nMITRE PRE-ATT\u0026CK® Framework for Analysis\r\nIn the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following\r\nPRE-ATT\u0026CK® Framework TTPs.\r\nTarget Selection and Technical Information Gathering\r\nTarget Selection [TA0014] is a critical part of cyber operations. While cyber threat actors’ motivations and\r\nintents are often unknown, they often make their selections based on the target network’s security posture. Threat\r\nactors can use information sources such as Shodan, the Common Vulnerabilities and Exposures (CVE) database,\r\nand the National Vulnerability Database (NVD).[3][4][5]\r\nShodan is an internet search engine that can be used to identify vulnerable devices connected to the\r\ninternet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which\r\nenables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute\r\nopportunistic attacks on susceptible targets.\r\nThe CVE database and the NVD contain detailed information about vulnerabilities in applications,\r\nappliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched.\r\nThese sources also provide risk assessments if any of the recorded vulnerabilities are successfully\r\nexploited.\r\nThese information sources have legitimate uses for network defense. CISA analysts are able to identify Federal\r\nGovernment systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the\r\nNVD to enrich NCPS information. 
Unlike threat actors, CISA takes the necessary actions to notify network\r\nowners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-258a\r\nPage 2 of 11\n\nWhile using these data sources, CISA analysts have observed a correlation between the public release of a\r\nvulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber\r\nthreat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify\r\ntargets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding\r\nof a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These\r\ninformation sources therefore contain invaluable information that can lead cyber threat actors to implement highly\r\neffective attacks.\r\nCISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information\r\nto enable cyber operations against Federal Government networks (Technical Information Gathering [TA0015 ]).\r\nTable 1: Technical information gathering techniques observed by CISA\r\nMITRE\r\nID\r\nName Observation\r\nT1245\r\nDetermine Approach/Attack\r\nVector\r\nThe threat actors narrowed the attack vectors to relatively\r\nrecent vulnerability disclosures with open-source exploits.\r\nT1247\r\nAcquire Open Source\r\nIntelligence (OSINT) Data Sets\r\nand Information\r\nCISA observed activity from network proxy service Internet\r\nProtocol (IP) addresses to three Federal Government\r\nwebpages. 
This activity appeared to enable information\r\ngathering activities.\r\nT1254 Conduct Active Scanning\r\nCISA analysts reviewed the network activity of known threat\r\nactor IP addresses and found evidence of reconnaissance\r\nactivity involving virtual security devices.\r\nTechnical Weakness Identification\r\nCISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of\r\ntheir emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the\r\nhands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to\r\ncompromise multiple organizations across many sectors. Organizations do not appear to be mitigating known\r\nvulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that\r\nhighlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to\r\n2019.[6]\r\nAdditionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12\r\nmonths.\r\nTable 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-258a\r\nPage 3 of 11\n\nVulnerability Observations\r\nCVE-2020-5902: F5\r\nBig-IP Vulnerability\r\nCISA has conducted incident response engagements at Federal Government and\r\ncommercial entities where the threat actors exploited CVE-2020-5902. This is a\r\nvulnerability in F5’s Big-IP Traffic Management User Interface that allows cyber\r\nthreat actors to execute arbitrary system commands, create or delete files, disable\r\nservices, and/or execute Java code.[7]\r\nCVE-2019-19781:\r\nCitrix Virtual Private\r\nNetwork (VPN)\r\nAppliances\r\nCISA has observed the threat actors attempting to discover vulnerable Citrix VPN\r\nAppliances. 
CVE-2019-19781 enabled the actors to execute directory traversal\r\nattacks.[8]\r\nCVE-2019-11510:\r\nPulse Secure VPN\r\nServers\r\nCISA has conducted multiple incident response engagements at Federal Government\r\nand commercial entities where the threat actors exploited CVE-2019-11510—an\r\narbitrary file reading vulnerability affecting Pulse Secure VPN appliances—to gain\r\naccess to victim networks. Although Pulse Secure released patches for CVE-2019-\r\n11510 in April 2019, CISA observed incidents where compromised Active Directory\r\ncredentials were used months after the victim organization patched their VPN\r\nappliance.[9]\r\nCVE-2020-0688:\r\nMicrosoft Exchange\r\nServer\r\nCISA has observed the actors exploiting CVE-2020-0688 for remote code execution\r\nto enable email collection of targeted networks.\r\nAdditionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify\r\ntechnical weaknesses in Federal Government networks (Technical Weakness Identification [TA0018 ]). \r\nTable 3: Technical weakness identification techniques observed by CISA\r\nMITRE\r\nID\r\nName Observation\r\nT1288\r\nAnalyze Architecture\r\nand Configuration\r\nPosture\r\nCISA observed the cyber actors scanning a Federal Government\r\nagency for vulnerable web servers. CISA also observed the threat\r\nactors scanning for known vulnerable network appliance CVE-2019-\r\n11510.\r\nT1291\r\nResearch Relevant\r\nVulnerabilities\r\nCISA has observed the threat actors scanning and reconnaissance of\r\nFederal Government internet-facing systems shortly after the\r\ndisclosure of significant CVEs.\r\nBuild Capabilities \r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-258a\r\nPage 4 of 11\n\nCISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their\r\ncyber operations. 
These observations also provide evidence that threat actors can build and maintain relatively\r\nlow-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (Build\r\nCapabilities [TA0024 ]). CISA has observed Chinese MSS-affiliated actors using the build capabilities\r\nsummarized in table 4.\r\nTable 4: Build capabilities observed by CISA\r\nMITRE\r\nID\r\nName Observation\r\nT1352\r\nC2 Protocol\r\nDevelopment\r\nCISA observed beaconing from a Federal Government entity to the\r\nthreat actors’ C2 server.\r\nT1328 Buy Domain Name\r\nCISA has observed the use of domains purchased by the threat\r\nactors.\r\nT1329\r\nAcquire and / or use of\r\n3rd Party Infrastructure\r\nCISA has observed the threat actors using virtual private servers to\r\nconduct cyber operations.\r\nT1346 Obtain/Re-use Payloads\r\nCISA has observed the threat actors use and reuse existing\r\ncapabilities.\r\nT1349 Build or Acquire Exploit\r\nCISA has observed the threat actors using a variety of open-source\r\nand publicly available exploits and exploit code to compromise\r\nFederal Government networks.\r\nMITRE ATT\u0026CK Framework for Analysis\r\nCISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial\r\nand open-source tools to conduct their operations. 
For example, threat actors often leverage internet software\r\nrepositories such as GitHub and Exploit-DB.[10][11] Both repositories are commonly used for legitimate\r\ndevelopment and penetration testing and developing open-source code, but cyber threat actors can also use them\r\nto find code to enable nefarious actions.\r\nDuring incident response activities, CISA frequently observed Chinese government-affiliated actors using the\r\nopen-source tools outlined in table 5.\r\nTable 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors\r\nTool Observations\r\nCobalt Strike\r\nCISA has observed the threat actors using Cobalt Strike to target commercial and Federal\r\nGovernment networks. Cobalt Strike is a commercial penetration testing tool used to conduct\r\nred team operations. It contains a number of tools that complement the cyber threat actor’s\r\nexploitation efforts, such as a keystroke logger, file injection capability, and network services\r\nscanners. CISA observed connections from a Federal Government agency to multiple IP\r\naddresses possibly hosting Cobalt Strike team servers.\r\nChina Chopper Web Shell\r\nCISA has observed the actors successfully deploying China Chopper against organizations’\r\nnetworks. This open-source tool can be downloaded from internet software repositories such as\r\nGitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly\r\nused for web application attacks, and it is configured in a client/server relationship. China\r\nChopper contains security scanners and can be used to upload files and brute-force\r\npasswords.\r\nMimikatz\r\nCISA has observed the actors using Mimikatz during their operations. 
This open-source tool\r\nis used to capture account credentials and perform privilege escalation with pass-the-hash\r\nattacks that allow an attacker to pass captured password hashes and authenticate to network\r\ndevices.[12]\r\nThe following sections list the ATT\u0026CK Framework TTPs routinely employed by Chinese government-affiliated\r\nactors to conduct cyber operations as observed by CISA analysts.\r\nInitial Access\r\nIn the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded\r\nlinks to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber\r\noperations.\r\nCISA has observed the threat actors using the Initial Access [TA0001] techniques identified in table 6.\r\nTable 6: Initial access techniques observed by CISA\r\nMITRE ID Name Observation\r\nT1204.001 User Execution:\r\nMalicious Link\r\nCISA has observed indications that users have clicked malicious\r\nlinks embedded in spearphishing emails that the threat actors sent.\r\nT1566.002 Phishing:\r\nSpearphishing Link\r\nCISA analyzed network activity of a Federal Government entity and\r\nconcluded that the threat actors sent a malicious email weaponized\r\nwith links.\r\nT1190\r\nExploit Public-Facing\r\nApplication\r\nCISA has observed the actors leveraging CVE-2019-19781 to\r\ncompromise Citrix Application Delivery Controllers.\r\nCyber threat actors can continue to successfully launch these types of low-complexity attacks—as long as\r\nmisconfigurations in operational environments and immature patch management programs remain in place—by\r\ntaking advantage of common vulnerabilities and using readily available exploits and information.\r\nExecution\r\nCISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal\r\nGovernment networks. 
This beaconing is a result of cyber threat actors successfully completing cyber operations\r\nthat are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in\r\nthis document.\r\nCISA has observed Chinese MSS-affiliated actors using the Execution [TA0002 ] technique identified in table 7.\r\nTable 7: Execution technique observed by CISA\r\nMITRE\r\nID\r\nName Observation\r\nT1072\r\nSoftware\r\nDeployment Tools\r\nCISA observed activity from a Federal Government IP address beaconing\r\nout to the threat actors’ C2 server, which is usually an indication of\r\ncompromise.\r\nCredential Access \r\nCyber threat actors also continue to identify large repositories of credentials that are available on the internet to\r\nenable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent\r\nvulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to\r\naccomplish their goals. Further, a threat actor does not require a high degree of competence or sophistication to\r\nsuccessfully carry out this kind of opportunistic attack.\r\nCISA has observed Chinese MSS-affiliated actors using the Credential Access [TA0006 ] techniques highlighted\r\nin table 8.\r\nTable 8: Credential access techniques observed by CISA\r\nMITRE\r\nID\r\nName Observation\r\nT1003.001\r\nOperating System (OS)\r\nCredential Dumping: Local\r\nSecurity Authority Subsystem\r\nService (LSASS) Memory\r\nCISA observed the threat actors using Mimikatz in\r\nconjunction with coin miner protocols and software. 
The\r\nactors used Mimikatz to dump credentials from the OS\r\nusing a variety of capabilities resident within the tool.\r\nT1110.004\r\nBrute Force: Credential Stuffing\r\nCISA observed what was likely a brute-force attack of a\r\nRemote Desktop Protocol on a public-facing server.\r\nDiscovery \r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-258a\r\nPage 7 of 11\n\nAs with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable\r\n—there are a multitude of open-source scanning and reconnaissance tools available to them to use for this\r\npurpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery\r\ntechniques. CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the\r\ndiscovery technique highlighted in table 9 (Discovery [TA0007 ]).\r\nTable 9: Discovery technique observed by CISA\r\nMITRE\r\nID\r\nName Observation\r\nT1046\r\nNetwork Service\r\nScanning\r\nCISA has observed suspicious network scanning activity for various\r\nports at Federal Government entities.\r\nCollection \r\nWithin weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of\r\nChinese MSS-affiliated threat actors attempting to exploit this vulnerability using the Collection [TA0009 ]\r\ntechnique listed in table 10.\r\nTable 10: Collection technique observed by CISA\r\nMITRE\r\nID\r\nName Observation\r\nT1114\r\nEmail\r\nCollection\r\nCISA observed the actors targeting CVE-2020-0688 to collect emails from the\r\nexchange servers found in Federal Government environments.\r\nCommand and Control \r\nCISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber\r\noperations while remaining anonymous. 
These proxy tools may be commercially available infrastructure as a\r\nservice (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet.\r\nFor example, “The Onion Router” (Tor) is often used by cyber threat actors for anonymity and C2. Actors\r\ncarefully choose proxy tools depending on their intended use. These techniques are relatively low in complexity\r\nand enabled by commercially available tools, yet they are highly effective and often reliant upon existing\r\nvulnerabilities and readily available exploits.\r\nCISA has observed Chinese MSS-affiliated actors using the Command and Control [TA0011] techniques listed\r\nin table 11.\r\nTable 11: Command and control techniques observed by CISA\r\nMITRE ID Name Observation\r\nT1090.002\r\nProxy: External Proxy\r\nCISA observed activity from a network proxy tool to 221\r\nunique Federal Government agency IP addresses.\r\nT1090.003\r\nProxy: Multi-hop Proxy\r\nCISA observed activity from Tor that has resulted in confirmed\r\ncompromises of internet-facing Federal Government agency\r\nsystems.\r\nT1573.002 Encrypted Channel:\r\nAsymmetric Cryptography\r\nCISA observed activity from Tor that has resulted in confirmed\r\ncompromises of internet-facing Federal Government agency\r\nsystems.\r\nMitigations\r\nCISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source\r\nresources and tools to target networks with a low security posture. 
When sophisticated cyber threat actors conduct\r\noperations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal,\r\nterritorial government networks, possibly resulting in loss of critical data or personally identifiable information.\r\nCISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities\r\nroutinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in\r\nthis report. For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see CISA\r\nAlert: Top 10 Routinely Exploited Vulnerabilities.\r\nTable 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors\r\nVulnerability Vulnerable Products Patch Information\r\nCVE-2020-\r\n5902\r\nBig-IP devices (LTM, AAM,\r\nAdvanced WAF, AFM, Analytics,\r\nAPM, ASM, DDHD, DNS, FPS,\r\nGTM, Link Controller, PEM, SSLO,\r\nCGNAT)\r\nF5 Security Advisory: K52145254:\r\nTMUI RCE vulnerability CVE-2020-5902\r\nCVE-2019-\r\n19781 Citrix Application Delivery\r\nController\r\nCitrix Gateway\r\nCitrix SDWAN WANOP\r\nCitrix blog post: firmware updates\r\nfor Citrix ADC and Citrix Gateway\r\nversions 11.1 and 12.0\r\nCitrix blog post: security updates\r\nfor Citrix SD-WAN WANOP\r\nrelease 10.2.6 and 11.0.3\r\nCitrix blog post: firmware updates\r\nfor Citrix ADC and Citrix Gateway\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-258a\r\nPage 9 of 11\n\nVulnerability Vulnerable Products Patch Information\r\nversions 12.1 and 13.0\r\nCitrix blog post: firmware updates\r\nfor Citrix ADC and Citrix Gateway\r\nversion 10.5\r\nCVE-2019-\r\n11510\r\nPulse Connect Secure 9.0R1 -\r\n9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 -\r\n8.2R12, 8.1R1 - 8.1R15\r\nPulse Policy Secure 9.0R1 - 9.0R3.1,\r\n5.4R1 - 5.4R7, 5.3R1 - 5.3R12,\r\n5.2R1 - 5.2R12, 5.1R1 - 5.1R15\r\nPulse Secure Out-of-Cycle\r\nAdvisory: Multiple vulnerabilities\r\nresolved in Pulse 
Connect Secure /\r\nPulse Policy Secure 9.0RX\r\nCVE-2020-\r\n0688\r\nMicrosoft Exchange Servers\r\nMicrosoft Security Advisory: CVE-2020-0688: Microsoft Exchange\r\nValidation Key Remote Code\r\nExecution Vulnerability\r\nCISA and the FBI also recommend that organizations routinely audit their configuration and patch management\r\nprograms to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch\r\nmanagement program will hamper sophisticated cyber threat actors’ operations and protect organizations’\r\nresources and information systems. \r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact\r\nyour local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855)\r\n292-3937 or by e-mail at CyWatch@fbi.gov . When available, please include the following information\r\nregarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of\r\nequipment used for the activity; the name of the submitting company or organization; and a designated point of\r\ncontact. 
To request incident response resources or technical assistance related to these threats, contact CISA at\r\ncentral@cisa.dhs.gov .\r\nReferences\r\n[3] Shodan\r\n[4] MITRE Common Vulnerabilities and Exposures List\r\n[6] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities\r\n[7] CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-258a\r\nPage 10 of 11\n\n[8] CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781\r\n[9] CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching\r\n[10] GitHub\r\n[11] Exploit-DB\r\n[12] What is Mimikatz: The Beginner's Guide (VARONIS)\r\nRevisions\r\nSeptember 14, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-258a\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-258a\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-258a"
	],
	"report_names": [
		"aa20-258a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e2368beda08e7af50425f21583323170b470d82.pdf",
		"text": "https://archive.orkl.eu/1e2368beda08e7af50425f21583323170b470d82.txt",
		"img": "https://archive.orkl.eu/1e2368beda08e7af50425f21583323170b470d82.jpg"
	}
}