WARNING: People’s Republic of China (PRC) Breach Global Telecoms Via Cisco Router Flaws

The Cyber Security Hub™
China-linked APT group Salt Typhoon continues to target telecommunications providers worldwide. According to a report by Recorded Future’s Insikt Group, the threat actors have breached additional U.S. telecommunications providers by exploiting unpatched Cisco IOS XE network devices.
Exploited Cisco Vulnerabilities
Insikt Group researchers revealed that the Chinese hackers exploited two Cisco vulnerabilities:

CVE-2023-20198
CVE-2023-20273

Details of CVE-2023-20198
In October 2023, Cisco disclosed CVE-2023-20198, a zero-day in IOS XE Software with a CVSS score of 10.0 that was already being exploited in the wild. Cisco found the flaw while working multiple Technical Assistance Center (TAC) support cases.
An attacker can use the flaw to gain administrator privileges and take control of a vulnerable router. According to Cisco's advisory, a remote, unauthenticated attacker can create an account on an affected device with privilege level 15, the highest privilege level on IOS.
The flaw affects physical and virtual devices running IOS XE that have the Web User Interface (Web UI) feature enabled, which is the case whenever the HTTP or HTTPS Server feature is turned on.
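The two preconditions above (web UI reachable, device not yet implanted) can be checked without touching the device interactively. The following is an added example written for this page, not code from the original article, from Cisco or from Recorded Future. It assumes the operator already has the output of show running-config and the body of an HTTP probe response; the function names, SAMPLE_CONFIG and the sample response bodies are constructed for illustration. The probe URL and the "hex string means implant" fingerprint are the ones Cisco Talos published for the 2023 campaign.

```python
"""Added example (not code from the original article, from Cisco or from
Recorded Future): two offline checks for the preconditions of CVE-2023-20198.

1. web_ui_exposed(): in IOS XE the web UI is served by the HTTP server feature,
   so a running-config containing `ip http server` or `ip http secure-server`
   (rather than the `no ip http ...` form) means the attack surface is present.
2. looks_like_implant_response(): Cisco Talos documented that a POST to
   /webui/logoutconfirm.html?logon_hash=1 on an implanted device returns a
   bare hexadecimal string instead of the normal HTML page. The function only
   classifies a response body; issuing the request is left to the operator.

SAMPLE_CONFIG and the response bodies used in comments are constructed."""
import re
from typing import Dict, Optional

# Matches both the enabled form ("ip http server") and the disabled form
# ("no ip http server") as they appear in `show running-config`.
_HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-)?server\b", re.M)


def web_ui_exposed(running_config: str) -> Dict[str, Optional[bool]]:
    """Return the stated HTTP/HTTPS listener state. None means the config does
    not mention that listener, so the platform default applies (treat as unknown)."""
    state: Dict[str, Optional[bool]] = {"http": None, "https": None}
    for m in _HTTP_RE.finditer(running_config):
        negated, secure = bool(m.group(1)), bool(m.group(2))
        state["https" if secure else "http"] = not negated
    return state


def probe_url(host: str) -> str:
    """The implant-check URL published by Cisco Talos (HTTPS scheme assumed)."""
    return f"https://{host}/webui/logoutconfirm.html?logon_hash=1"


# A clean device answers the probe with HTML; the implant answers with hex only.
_HEX_BODY_RE = re.compile(r"^[0-9a-fA-F]{8,}$")


def looks_like_implant_response(body: str) -> bool:
    """True when the body is nothing but a hexadecimal string (implant fingerprint).
    Later implant variants also required an Authorization header before
    answering, so a negative result does not prove the device is clean."""
    return _HEX_BODY_RE.match(body.strip()) is not None


# Constructed sample: an edge router with both listeners enabled.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
ip http authentication local
!
"""

if __name__ == "__main__":
    print(web_ui_exposed(SAMPLE_CONFIG))                      # {'http': True, 'https': True}
    print(probe_url("192.0.2.10"))
    print(looks_like_implant_response("0123456789abcdef01"))  # True
```

A device whose config reports either listener as True and whose web UI is reachable from the Internet is in scope for this flaw regardless of the implant check result; the fingerprint only tells you whether the 2023 implant happens to be present.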
Details of CVE-2023-20273
In October 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-20273 to its Known Exploited Vulnerabilities catalog.
This vulnerability is a command injection flaw in the same web UI. An attacker who has obtained a privilege level 15 account through CVE-2023-20198 can chain it with CVE-2023-20273 to run commands as root and write an implant to the file system. Cisco identified the second flaw during the investigation: it found the implant on devices that were fully patched against the older web UI vulnerability it had first suspected, which pointed to a second, then-unknown zero-day.
Global Impact on Telecom Networks
Insikt Group reported ongoing attacks breaching multiple telecom networks, including:

Internet Service Providers (ISPs) in the U.S. and Italy
A U.S. affiliate of a U.K.-based telecom provider
Providers in South Africa and Thailand

Their analysis found more than 12,000 Cisco network devices with web UIs exposed to the Internet. More than 1,000 of them were targeted, about 8% of the exposed population, which points to a focused campaign against telecommunications providers rather than indiscriminate mass exploitation.

Salt Typhoon Cisco device targeting | Source: Recorded Future
Tactics Used by Salt Typhoon
The Salt Typhoon group, also known as FamousSparrow and GhostEmperor, used Generic Routing Encapsulation (GRE) tunnels on compromised Cisco devices to:

Maintain persistence
Evade detection
Stealthily exfiltrate data by encapsulating it within GRE packets

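A defender can look for the tunnels described above in device configuration rather than only in traffic. The following is an added example written for this page, not code from the original article or from the Recorded Future report. It parses show running-config text, lists every Tunnel interface, and flags GRE tunnels whose destination is not inside a known peer range or that carry no description; SAMPLE_CONFIG, KNOWN_PEERS and the function names are constructed for illustration.

```python
"""Added example, not from the original article or from the Recorded Future
report: a small audit of an IOS XE running-config that lists every Tunnel
interface and flags GRE tunnels whose far end is not a known peer. Because
Salt Typhoon used GRE tunnels on compromised devices for persistence and
exfiltration, an unexplained tunnel to an address outside the operator's own
ranges is a reasonable thing to alert on. SAMPLE_CONFIG and KNOWN_PEERS are
constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Tunnel:
    name: str
    source: Optional[str] = None
    destination: Optional[str] = None
    mode: str = "gre ip"  # IOS default when the section has no `tunnel mode` line
    description: Optional[str] = None


def parse_tunnels(config: str) -> List[Tunnel]:
    """Walk `show running-config` text; IOS indents section bodies by one space
    and ends each section with an unindented line (usually '!')."""
    tunnels: List[Tunnel] = []
    current: Optional[Tunnel] = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            m = re.match(r"interface (Tunnel\d+)\s*$", raw)
            current = Tunnel(m.group(1)) if m else None
            if current:
                tunnels.append(current)
            continue
        if current is None:
            continue
        body = raw.strip()
        if body.startswith("tunnel source "):
            current.source = body[len("tunnel source "):]
        elif body.startswith("tunnel destination "):
            current.destination = body[len("tunnel destination "):]
        elif body.startswith("tunnel mode "):
            current.mode = body[len("tunnel mode "):]
        elif body.startswith("description "):
            current.description = body[len("description "):]
    return tunnels


def audit_tunnels(config: str, known_peers: List[str]) -> List[str]:
    """Return one finding per GRE tunnel that does not terminate on a known peer."""
    nets = [ipaddress.ip_network(n) for n in known_peers]
    findings: List[str] = []
    for t in parse_tunnels(config):
        if not t.mode.startswith("gre"):
            continue  # IPsec/VTI and other tunnel modes are out of scope here
        if t.destination is None:
            findings.append(f"{t.name}: GRE tunnel without a destination (staged?)")
            continue
        try:
            dst = ipaddress.ip_address(t.destination)
        except ValueError:
            findings.append(f"{t.name}: GRE destination is a hostname ({t.destination}); resolve and review")
            continue
        if not any(dst in n for n in nets):
            note = "" if t.description else ", no description"
            findings.append(f"{t.name}: GRE to {t.destination} is not a known peer{note}")
    return findings


# Constructed sample: one documented tunnel to an internal peer and one
# undocumented tunnel to an external address.
SAMPLE_CONFIG = """\
hostname core-rtr-2
!
interface GigabitEthernet1
 ip address 203.0.113.5 255.255.255.0
!
interface Tunnel10
 description GRE to branch-12
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 10.45.7.2
!
interface Tunnel99
 ip address 172.31.255.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.7
!
"""
KNOWN_PEERS = ["10.0.0.0/8"]

if __name__ == "__main__":
    for finding in audit_tunnels(SAMPLE_CONFIG, KNOWN_PEERS):
        print(finding)  # Tunnel99: GRE to 198.51.100.7 is not a known peer, no description
```

Run this against archived configs from before and after the suspected intrusion window as well as the live one: a tunnel that appears only in the later copies, with no change ticket behind it, is the pattern to chase, and the GRE traffic itself (IP protocol 47) should then be confirmed in flow records.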

In mid-December 2024, the group was also observed conducting reconnaissance against infrastructure operated by Myanmar-based telecom provider Mytel.
Security Recommendations
Insikt Group recommends:

Patching Cisco IOS XE devices promptly
Limiting exposure of admin interfaces and non-essential services to the Internet

Cisco's advisory for the two flaws also recommended disabling the HTTP server feature on Internet-facing devices where the web UI is not needed (no ip http server and no ip http secure-server), since the web UI is the only attack surface for both vulnerabilities.

Salt Typhoon’s Broader Campaign
The Salt Typhoon APT group has been active since at least 2019, targeting government entities and telecom companies worldwide.
Expanding Reach in the U.S.
In January 2025, The Wall Street Journal reported that the group had compromised more U.S. telecoms than previously known, including:

Charter Communications
Windstream

The attackers exploited vulnerabilities in network devices from major vendors, including Cisco and Fortinet.
By the end of December 2024, a White House official confirmed that Salt Typhoon breached a ninth U.S. telecom as part of a cyberespionage campaign targeting global telco firms.
White House and U.S. Government Response
White House Cyber Adviser Anne Neuberger revealed that the latest breach was discovered after the Biden administration released guidance to detect Salt Typhoon’s activity.
In early December 2024, Neuberger confirmed that the group had breached telecom companies in dozens of countries, focusing on obtaining extensive metadata and specific communications, particularly from government and political figures.
In December, US carriers AT&T and Verizon reported they had secured their networks after cyberespionage attempts by the China-linked Salt Typhoon group.
Despite the scale of the attack, Neuberger stated, “At this time, we don’t believe any classified communications have been compromised.”
Global Advisory and Defensive Measures
In December 2024, international cyber agencies issued a joint advisory warning of People's Republic of China (PRC)-linked cyber espionage targeting global telecom networks.
The agencies released Enhanced Visibility and Hardening Guidance for Communications Infrastructure, which describes the threat and gives network engineers and defenders of communications infrastructure best practices for improving visibility and hardening network devices against exploitation by PRC-affiliated and other malicious cyber actors.
Authoring agencies include:

Cybersecurity and Infrastructure Security Agency (CISA)
National Security Agency (NSA)
Federal Bureau of Investigation (FBI)
Australian Signals Directorate (ASD)
Canadian Centre for Cyber Security (CCCS)
New Zealand’s National Cyber Security Centre (NCSC-NZ)
China’s Denial of Involvement
Beijing has so far denied any responsibility for the campaign.
Download the complete report by Recorded Future’s Insikt Group here

https://www.linkedin.com/pulse/warning-peoples-republic-china-prc-breach-global-xj65e/