Salt Typhoon exploits Cisco devices in telco infrastructure

The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.


The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located within the infrastructures of telecommunications companies, internet service providers (ISPs), and universities.

Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to eavesdrop on US law enforcement wiretaps, and even the Democratic and Republican presidential campaigns.

Apparently, all that new media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon — which Insikt tracks as "RedMike" — attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it tried this tactic.

In a statement to Dark Reading, a Cisco spokesperson wrote that "We are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. To date, we have not been able to validate these claims but continue to review available data." They added that "In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."

Salt Typhoon's Latest Attacks on Telecoms, Universities

Back in October 2023, Cisco urged all of its customers to immediately pull all their routers, switches, etc., off the Web — at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the web user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices using root privileges. It earned a "high" 7.2 CVSS score.

Evidently, Cisco's warnings were not heard loudly and widely enough, as Salt Typhoon followed this exact path in recent months to compromise large organizations on six continents. With the full control afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices with its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.

To read the complete article, visit Dark Reading.
