Salt Typhoon exploits Cisco devices in telecommunications infrastructure

In a recent report, security researchers from Recorded Future's Insikt Group describe a global campaign, running from late 2024 into early 2025, that targeted Cisco network devices which had not received available security patches. The victims were mostly telecommunications providers based in the United States, the United Kingdom, and South Africa. The researchers attribute the campaign to the group they track as RedMike, better known as Salt Typhoon, and warn that exploitation has expanded to universities in Vietnam, Thailand, Bangladesh, Malaysia, and elsewhere.
Salt Typhoon
Salt Typhoon, also tracked under names such as RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is believed to be operated by China's Ministry of State Security (MSS). The group has conducted large-scale cyber-espionage campaigns, particularly against the United States. Its activity centres on counterintelligence targets and on stealing critical intellectual property from corporations, and it has compromised targets in dozens of countries across most continents.
Salt Typhoon's intrusions rely heavily on exploiting vulnerabilities in Cisco devices, which lets the group infiltrate and take control of critical network equipment. It also uses anti-analysis and anti-forensic techniques to evade detection.
In late 2024, the group made headlines in the security community by infiltrating the systems of nine U.S. telecommunications companies, including Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream. This attack targeted the core components of the U.S. broadband network, particularly routers manufactured by Cisco. The hackers accessed metadata of calls and text messages of over a million users, mainly in the Washington D.C. area, and in some cases, obtained recordings of calls from important individuals.

Figure 1: Salt Typhoon's attack scope targeting Cisco devices
According to the latest report, Salt Typhoon ran campaigns against telecommunications providers in the United States, the UK, South Africa, and India by exploiting vulnerabilities in Cisco devices. The researchers also warn that several universities, including Ho Chi Minh City University of Medicine and Pharmacy in Vietnam and institutions in Thailand and Bangladesh, have been compromised by Salt Typhoon, with sensitive data stolen as a result.
Technical Analysis
Salt Typhoon exploited two critical vulnerabilities, CVE-2023-20198 and CVE-2023-20273, in the Cisco IOS XE web UI. Chained together, they let the attackers obtain administrative privileges, change device configurations, and add GRE (Generic Routing Encapsulation) tunnels for persistent access and exfiltration of sensitive data.

Figure 2: Salt Typhoon's infrastructure for exploiting Cisco devices
CVE-2023-20198 is the first step of the chain: exploiting it against an unpatched device whose web UI is reachable gives the attacker initial access by allowing an unauthenticated request to create a local user account at privilege level 15, the highest administrative level on IOS XE. With that account in hand, the attacker exploits CVE-2023-20273, a command-injection flaw in the same web UI, to run commands as root on the device's underlying operating system, which is what allows the implant and configuration changes to be planted outside the normal IOS command line.
The stolen data is sent back to the group through GRE tunnels. GRE is a protocol that encapsulates other network traffic inside a point-to-point connection between two devices; it is commonly used to build VPNs or to join two remote networks across an intermediary network such as the Internet. Attackers favour GRE tunnels on compromised routers because a tunnel written into the device configuration persists across reboots and provides a channel that often passes straight through firewalls and intrusion detection systems that are not configured to inspect or block IP protocol 47. Data exfiltrated inside GRE packets can likewise slip past monitoring that only examines TCP and UDP flows. Note that GRE itself provides no encryption: the inner packets are carried in the clear, so the stealth comes from monitoring gaps rather than from cryptography, and a sensor that does decapsulate GRE can see exactly what is being moved.
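As an added example (not from the Recorded Future report or from this page), the following Python shows what a GRE-encapsulated packet looks like on the wire and how a monitor recognises one. It builds a constructed outer IPv4 | GRE | inner IPv4 packet, then decodes it by checking the outer protocol field for 47, walking the optional GRE header words selected by the C, K and S flag bits, and reading the inner packet's addresses. The addresses, payload and helper names are invented for the example; because GRE adds no encryption, the inner flow is fully readable.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47              # IP protocol number for GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800     # GRE "protocol type" value for an inner IPv4 packet
IPV4_HDR = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options


def build_ipv4_header(src, dst, proto, payload_len):
    """Build a 20-byte IPv4 header. The header checksum is left zero: this is a
    constructed sample for the parser below, not a packet meant to be sent."""
    return struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def build_gre_packet(outer_src, outer_dst, inner_src, inner_dst, inner_payload,
                     with_checksum=False):
    """Construct outer IPv4 | GRE | inner IPv4 | payload, as a tunnel endpoint would."""
    inner = build_ipv4_header(inner_src, inner_dst, 6, len(inner_payload)) + inner_payload
    flags = 0x8000 if with_checksum else 0      # C bit set => 4 extra header bytes follow
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if with_checksum:
        gre += struct.pack("!HH", 0, 0)           # checksum + reserved1 (not computed here)
    return build_ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def parse_ipv4(buf):
    """Return the IPv4 header fields a detector cares about."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "hdr_len": (ver_ihl & 0x0F) * 4, "total_len": total_len}


def inspect_gre(buf):
    """Describe a GRE-encapsulated packet, or return None if buf is not GRE."""
    outer = parse_ipv4(buf)
    if outer["proto"] != GRE_PROTO:
        return None
    off = outer["hdr_len"]
    flags, ptype = struct.unpack("!HH", buf[off:off + 4])
    gre_len = 4                 # base header: flags/version + protocol type
    if flags & 0x8000:          # C: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:          # K: key present
        gre_len += 4
    if flags & 0x1000:          # S: sequence number present
        gre_len += 4
    info = {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "gre_protocol_type": ptype, "gre_header_len": gre_len}
    if ptype == ETHERTYPE_IPV4:
        inner = parse_ipv4(buf[off + gre_len:])   # decapsulate: the inner flow is in the clear
        info.update(inner_src=inner["src"], inner_dst=inner["dst"], inner_proto=inner["proto"])
    return info


def find_gre(packets):
    """Filter raw IPv4 packets down to the GRE ones. Returns a list of (index, info)."""
    hits = []
    for i, pkt in enumerate(packets):
        info = inspect_gre(pkt)
        if info is not None:
            hits.append((i, info))
    return hits


if __name__ == "__main__":
    # Constructed traffic: one plain TCP packet and one GRE packet carrying an internal flow.
    sample = [
        build_ipv4_header("203.0.113.10", "198.51.100.5", 6, 0),
        build_gre_packet("203.0.113.10", "198.51.100.77", "10.20.0.2", "10.20.0.9",
                         b"exfil", with_checksum=True),
    ]
    for idx, info in find_gre(sample):
        print(f"packet {idx}: GRE {info['outer_src']} -> {info['outer_dst']} "
              f"carrying {info.get('inner_src')} -> {info.get('inner_dst')}")
```

In a real deployment the same check is a one-line flow filter (outer IP protocol 47) in NetFlow, Zeek or a firewall rule; the value of decapsulating is that the inner addresses tell you which internal hosts are being reached through the tunnel.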
Mitigations
The Recorded Future researchers also make recommendations in their report, stressing the urgency of applying available security patches and updates to Internet-facing network devices. Beyond patching, they recommend that operators:
Avoid exposing management interfaces or unnecessary services on devices directly to the Internet, especially on devices that are end-of-life.
Monitor network device configurations for changes.
Monitor network traffic for protocols not deployed in the environment, such as GRE.
Use Recorded Future's advanced query features to track technologies being exploited in the environment and set up alerts when any assets are at risk.
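The second and third recommendations, together with the privilege-15 account and GRE tunnel behaviour described in the Technical Analysis, can be turned into a repeatable check. The following Python is an added example written for this page, not tooling from Recorded Future or Cisco: it parses two constructed IOS-style configuration snapshots, diffs them, and reports the web UI being reachable without an access restriction, privilege-15 accounts absent from the baseline, and Tunnel interfaces running GRE. The hostname, account names, addresses, and the assumption that an 'ip http access-class' line is how the web UI is restricted are all part of the example.

```python
import re
from difflib import unified_diff

# Constructed sample: a known-good baseline captured before the exposure window.
BASELINE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
"""

# Constructed sample: the same device showing the kind of changes described above
# (new privilege-15 account, web UI opened up, GRE tunnel to an external host).
CURRENT_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder2
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
interface Tunnel100
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
"""


def parse_config(text):
    """Split an IOS-style config into top-level lines and {interface name: [sub-lines]}."""
    top, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):            # indented line belongs to the open interface block
            if current is not None:
                ifaces[current].append(line.strip())
            continue
        current = None
        top.append(line)
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
    return top, ifaces


def privileged_users(top):
    """Names of local accounts configured with privilege 15."""
    users = set()
    for line in top:
        m = re.match(r"username (\S+) .*\bprivilege 15\b", line)
        if m:
            users.add(m.group(1))
    return users


def audit_config(current, baseline=None):
    """Return finding strings for web UI exposure, privilege-15 accounts not in the
    baseline, and GRE tunnel interfaces (flagging those the baseline lacks)."""
    findings = []
    top, ifaces = parse_config(current)
    base_top, base_ifaces = parse_config(baseline) if baseline is not None else ([], {})

    http = [l for l in top if l in ("ip http server", "ip http secure-server")]
    # Assumption for this example: an access-class line is how reach to the web UI is limited.
    restricted = any(l.startswith("ip http access-class") for l in top)
    if http and not restricted:
        findings.append(f"web UI enabled ({', '.join(http)}) without an 'ip http access-class' restriction")

    for user in sorted(privileged_users(top) - privileged_users(base_top)):
        findings.append(f"privilege-15 account not in baseline: {user}")

    for name, lines in ifaces.items():
        if not name.startswith("Tunnel"):
            continue
        # IOS tunnel interfaces default to GRE over IP when no 'tunnel mode' line is present.
        mode = next((l for l in lines if l.startswith("tunnel mode")), "tunnel mode gre ip")
        if "gre" not in mode:
            continue
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination")), "unknown")
        tag = " (not in baseline)" if baseline is not None and name not in base_ifaces else ""
        findings.append(f"GRE tunnel {name} to {dest}{tag}")
    return findings


def config_diff(baseline, current):
    """Added (+) and removed (-) lines between two configs; file headers and hunk markers dropped."""
    return [l for l in unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    for f in audit_config(CURRENT_CONFIG, BASELINE_CONFIG):
        print("FINDING:", f)
    for l in config_diff(BASELINE_CONFIG, CURRENT_CONFIG):
        print("DIFF:", l)
```

Feed it `show running-config` output saved from the device. The baseline must come from a trusted source (a configuration-management system or an off-box backup taken before the exposure window); diffing the running-config against the device's own startup-config is not enough, because an attacker with root on the box can save the changes there too.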
References
Recorded Future: https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices
CVE-2023-20198: https://nvd.nist.gov/vuln/detail/cve-2023-20198
CVE-2023-20273: https://nvd.nist.gov/vuln/detail/cve-2023-20273