Chinese Hackers Exploit Unpatched Cisco Routers to Breach U.S. Telecom Networks



The Download

Chinese hacking group Salt Typhoon has been actively targeting U.S. telecommunications providers by exploiting unpatched vulnerabilities in Cisco IOS XE devices. Notably, they have leveraged the CVE-2023-20198 privilege escalation and CVE-2023-20273 Web UI command injection flaws to gain unauthorized access to network infrastructure. Once these vulnerabilities are exploited, attackers can establish persistent access through reconfigured devices, often using generic routing encapsulation (GRE) tunnels to communicate with command-and-control servers. This method allows them to intercept communications, exfiltrate sensitive data, and potentially disrupt critical services. The campaign has affected multiple U.S. ISPs and telecom affiliates, as well as providers in South Africa, Italy, and Thailand.


What You Can Do

To mitigate these threats, IT administrators should immediately assess their network devices for exposure to the identified vulnerabilities. Ensuring that all Cisco devices are updated with the latest firmware and security patches is paramount. Additionally, administrators should disable unnecessary services, restrict web UI access to trusted IP addresses, and implement robust monitoring to detect unusual activity. Regular security audits and network segmentation can further reduce the attack surface, limiting the potential impact of any breaches. Proactive measures and adherence to security best practices are essential to protect against such sophisticated cyber-espionage campaigns.
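As an added example (not code from the original post or from Cisco), the Python audit below runs over a constructed IOS XE running-config excerpt and flags the three conditions the guidance above points at: a web UI reachable without an `ip http access-class` restriction, privilege-15 local accounts outside the approved set, and Tunnel interfaces terminating at peers the operator has not approved. The sample config, `KNOWN_ADMINS` and `KNOWN_TUNNEL_PEERS` are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed IOS XE running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_support privilege 15 secret 9 $9$PLACEHOLDER
ip http server
ip http secure-server
interface Tunnel100
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
"""

# Operator-maintained baseline (assumed): approved admins and tunnel peers.
KNOWN_ADMINS = {"netops"}
KNOWN_TUNNEL_PEERS = {"192.0.2.10"}

def parse_tunnel_destinations(config: str) -> Dict[str, str]:
    """Map each Tunnel interface to its destination (GRE is IOS XE's default tunnel mode)."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)", line)
        if m:
            current = m.group(1)
            tunnels[current] = ""
        elif current and line.startswith(" tunnel destination "):
            tunnels[current] = line.split()[-1]
        elif line and not line.startswith(" "):
            current = None  # left the interface stanza
    return tunnels

def audit_config(config: str) -> List[str]:
    """Return human-readable findings for the three hardening checks."""
    findings, lines = [], config.splitlines()
    http_on = any(l.strip() in ("ip http server", "ip http secure-server") for l in lines)
    acl_set = any(l.startswith("ip http access-class") for l in lines)
    if http_on and not acl_set:
        findings.append("web UI enabled without 'ip http access-class' restriction")
    for l in lines:
        m = re.match(r"^username (\S+) privilege 15", l)
        if m and m.group(1) not in KNOWN_ADMINS:
            findings.append(f"unexpected privilege-15 account: {m.group(1)}")
    for name, dst in parse_tunnel_destinations(config).items():
        if dst not in KNOWN_TUNNEL_PEERS:
            findings.append(f"{name} terminates at unapproved peer {dst or '<none>'}")
    return findings
```

Run it against `show running-config` output saved from each device; an empty list means all three checks passed.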


Use ThreatMate to proactively scan all your network attack surfaces for vulnerabilities adversaries exploit. Sign up for a demo today!


