Salt Typhoon continues to turn unpatched Cisco devices into its own personal backdoors into global telecom networks.
The persistent exploitation of unpatched Cisco devices by the Chinese state-sponsored group Salt Typhoon serves as a stark reminder of how basic vulnerability management failures can lead to devastating security breaches with far-reaching implications for national security.
Recent findings from Recorded Future’s Insikt Group reveal that despite public exposure and sanctions, the group continues to successfully compromise telecommunications providers and universities worldwide through known vulnerabilities that should have been patched months ago.
The Scale of Exposure
The scope of this ongoing campaign is particularly concerning. Insikt Group’s scans identified over 12,000 Cisco devices with exposed web interfaces, with attackers targeting approximately 1,000 of these systems. Half of the vulnerable devices were concentrated in the U.S., South America, and India, primarily within telecommunications infrastructure. The compromised organizations include major telecommunications providers in the United States, South Africa, Italy, and Thailand, as well as 13 universities across multiple countries.
The Technical Foundation of the Breach
At the heart of this campaign lies a critical vulnerability in Cisco’s IOS XE software (CVE-2023-20198) and an associated privilege escalation flaw (CVE-2023-20273). Both vulnerabilities were patched by Cisco in October 2023, yet many organizations have failed to implement these critical updates. This delay in patching has provided Salt Typhoon with an extended window of opportunity to establish persistent access to vital telecommunications infrastructure.
The attackers’ methodology is particularly sophisticated in its simplicity. After exploiting these vulnerabilities, they create privileged user accounts and configure Generic Routing Encapsulation (GRE) tunnels, effectively establishing covert communication channels that bypass basic security controls. This approach allows them to maintain long-term access while evading detection, demonstrating how unpatched vulnerabilities can be leveraged to create persistent threats.
Business Impact and National Security Implications
The business impact of Salt Typhoon extends far beyond immediate technical compromises. In the United States, the attackers have focused on intercepting high-level voice communications, including those of government officials and political campaign leaders. They’ve even managed to penetrate court-authorized wiretap systems, potentially compromising law enforcement operations and national security investigations.
For telecommunications providers, the breach presents multiple levels of risk:
- Regulatory Compliance: Exposure of customer metadata, particularly around Washington D.C., raises serious privacy concerns and potential regulatory violations
- Operational Integrity: The compromise of network infrastructure threatens service reliability and customer trust
- Intellectual Property: For affected universities, the theft of research data in engineering and telecommunications could have long-term competitive implications
Prevention Through Proactive Vulnerability Management
This Salt Typhoon incident highlights several critical lessons for organizations:
- The necessity of timely patch management cannot be overstated. The vulnerabilities being exploited were patched months ago, making these breaches entirely preventable through proper vulnerability management practices. Organizations must implement systematic approaches to identifying, prioritizing, and remediating vulnerabilities across their infrastructure.
- Security teams need to focus particularly on internet-exposed management interfaces. The attack surface could have been significantly reduced by following basic security principles of limiting administrative interface exposure and implementing proper access controls.
Continuous monitoring for emerging vulnerabilities, particularly in internet-facing devices and internal network infrastructure, is essential for catching compromise attempts early in the attack chain.
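The post-exploitation artefacts described above (extra privileged accounts and GRE tunnels) and the exposed web UI that CVE-2023-20198 was exploited through all show up in the device's running configuration, so a defender can audit for them directly. The following is an added example, not code from the article or from XRATOR: the configuration text is constructed, the allow-list of legitimate administrators and the `audit_config` helper are assumptions for illustration, and the regular expressions cover only the IOS XE syntax shown.

```python
"""Audit a Cisco IOS XE running-config for the artefacts the article describes
(unexpected privilege-15 users, GRE tunnel interfaces) and for the exposure that
enabled them (HTTP server on without 'ip http access-class'). Constructed sample."""
import re

# Constructed running-config excerpt; addresses and secrets are placeholders.
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
"""

# Allow-list of legitimate local administrators (an assumption for this example).
EXPECTED_USERS = {"netops"}

def audit_config(config, expected_users=EXPECTED_USERS):
    """Return a list of findings; an empty list means no indicators were seen."""
    findings = []
    # 1. Privilege-15 accounts not on the allow-list: the campaign's
    #    "create privileged user accounts" step leaves exactly this artefact.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in expected_users:
            findings.append(f"unexpected privilege-15 user: {m.group(1)}")
    # 2. Tunnel interfaces (GRE is the default tunnel mode on IOS XE): any
    #    tunnel that no change record explains should be investigated.
    for m in re.finditer(r"^interface (Tunnel\d+)\n((?: .*\n)*)", config, re.M):
        dst = re.search(r"tunnel destination (\S+)", m.group(2))
        findings.append(f"tunnel interface {m.group(1)} -> {dst.group(1) if dst else '?'}")
    # 3. Web UI enabled with no access-class restricting who may reach it.
    http_on = re.search(r"^ip http (secure-)?server$", config, re.M)
    acl = re.search(r"^ip http access-class", config, re.M)
    if http_on and not acl:
        findings.append("web UI enabled without ip http access-class")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed config it reports the rogue account, the tunnel to 203.0.113.10 and the unrestricted web UI; the same check passes cleanly once the extra user and tunnel are gone and an access-class is applied.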
XRATOR’s Role in Prevention
Given the complexity of modern network infrastructure and the challenges of maintaining comprehensive vulnerability management, organizations need robust solutions to prevent similar breaches. XRATOR’s business risk-driven vulnerability management platform addresses these challenges by providing automated infrastructure discovery, vulnerability detection, intelligent prioritization based on actual risk exposure, and streamlined patch management workflows.
By correlating vulnerability data with actual threat intelligence and business context, XRATOR enables organizations to focus their limited resources on the most critical security gaps, ensuring that vulnerabilities like those exploited by Salt Typhoon are patched before they can be weaponized against the organization. This continuous threat exposure management (CTEM) approach to vulnerability management is essential for preventing the kind of widespread compromise we’re seeing in this ongoing campaign.