China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.

Recorded Future's Insikt Group threat research division states that the Chinese hacking group (tracked as Salt Typhoon and RedMike) has exploited the CVE-2023-20198 privilege escalation and CVE-2023-20273 Web UI command injection vulnerabilities. Two years ago, the two vulnerabilities were exploited in zero-day attacks that compromised over 50,000 Cisco IOS XE devices, allowing the deployment of backdoor malware via rogue privileged accounts.

The Salt Typhoon Chinese cyber-espionage group (also tracked as FamousSparrow, GhostEmperor, Earth Estries, and UNC2286) has been breaching telecom companies and government entities since at least 2019. In these attacks, the Chinese state hackers breached multiple U.S. telecom carriers (including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream) and telecom companies in dozens of other countries.

The threat researchers said they've spotted compromised and reconfigured Cisco devices on victims' networks, communicating with Salt Typhoon-controlled servers via generic routing encapsulation (GRE) tunnels for persistent access. Between December 2024 and January 2025, Salt Typhoon targeted over 1,000 Cisco network devices, more than half of them in the U.S., South America, and India. "Using internet scanning data, Insikt Group identified more than 12,000 Cisco network devices with their web UIs exposed to the internet," Insikt Group said.

These ongoing attacks have already resulted in network breaches at multiple telecommunications providers, including a U.S. internet service provider (ISP), a U.S.-based affiliate of a U.K. telecommunications provider, a South African telecom provider, an Italian ISP, and a large Thailand telecommunications provider.

Insikt Group advises network admins operating Internet-exposed Cisco IOS XE network devices to apply available security patches as soon as possible and to avoid exposing administration interfaces or non-essential services directly to the Internet.
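The three signals the article describes (an Internet-reachable web UI, rogue privileged accounts, and GRE tunnels added for persistence) can all be checked in a device's running-config. The script below is an added example, not Insikt Group or Cisco tooling: the `audit_config` function and the sample config (with a documentation-range tunnel destination) are constructed for illustration.

```python
"""Audit a Cisco IOS XE running-config for the exposure and persistence
signals described in the article: web UI (HTTP/HTTPS server) enabled without
an access-class, privilege-15 local accounts, and GRE tunnel interfaces.
Added example, not Insikt Group or Cisco tooling; the config text is constructed."""
import re

# Constructed sample config: an exposed web UI, an unexplained privilege-15
# account and a tunnel toward an external host (203.0.113.0/24 is a doc range).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$REDACTED
username svc_web privilege 15 secret 9 $9$REDACTED
ip http server
ip http secure-server
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
"""

def audit_config(config, expected_admins=()):
    """Return a dict of findings; each list is empty when nothing was flagged."""
    findings = {"web_ui": [], "priv15_accounts": [], "gre_tunnels": []}
    http_on = re.search(r"^ip http (secure-)?server$", config, re.M)
    http_acl = re.search(r"^ip http access-class ", config, re.M)
    if http_on and not http_acl:
        findings["web_ui"].append("web UI enabled with no ip http access-class")
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in expected_admins:
            findings["priv15_accounts"].append(m.group(1))
    # Split into interface stanzas: lines indented with a space belong to the
    # preceding "interface" line. GRE over IP is the default tunnel mode on
    # IOS XE, so a Tunnel with no explicit "tunnel mode" line counts as GRE.
    for m in re.finditer(r"^interface (Tunnel\S*)\n((?: .*\n)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        mode = re.search(r"^ tunnel mode (.+)$", body, re.M)
        dest = re.search(r"^ tunnel destination (\S+)", body, re.M)
        if (mode is None or "gre" in mode.group(1)) and dest:
            findings["gre_tunnels"].append((name, dest.group(1)))
    return findings

if __name__ == "__main__":
    for key, hits in audit_config(SAMPLE_CONFIG, expected_admins={"netops"}).items():
        print(f"{key}: {hits or 'none'}")
```

Run it against `show running-config` output from each device; a tunnel to an unknown destination or a privilege-15 user nobody provisioned is worth an incident ticket, and a web UI without an access-class should be restricted or disabled as the advisory recommends.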
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 14 Feb 2025 13:00:03 +0000