Saturday, February 22, 2025

Salt Typhoon Exploits Cisco Devices in Telco Infrastructure


The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located within the infrastructures of telecommunications companies, internet service providers (ISPs), and universities.

Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting of major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to snoop on US law enforcement wiretaps, and even the Democratic and Republican presidential campaigns.

Apparently, all that new media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon, which Insikt tracks as "RedMike", attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it tried this tactic.

In a statement to Dark Reading, a Cisco spokesperson wrote that "We are aware of recent reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. To date, we have not been able to validate these claims but continue to review available data." They added that "In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."


Salt Typhoon's Latest Attacks on Telcos, Unis

Back in October 2023, Cisco urged all of its customers to immediately pull all their routers, switches, and so on, off the Web, at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the web user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices using root privileges. It earned a "high" 7.2 CVSS score.


Evidently, Cisco's warnings weren't heard loudly and widely enough, as Salt Typhoon followed this exact path to only recently compromise large organizations on six continents. With the complete power afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices with its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.
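The three artifacts this paragraph and the two above describe (an exposed web UI, an unexpected privilege-15 local account, and a GRE tunnel to a peer the operator never sanctioned) are all visible in a device's running configuration. The audit below is an added example, not code from the article, Cisco, or Recorded Future; the configuration text, the expected admin set, and the sanctioned tunnel peers are constructed placeholders.

```python
import re

# Constructed sample of an IOS XE running-config (placeholder values, not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
interface Tunnel0
 ip address 10.250.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre ip
 tunnel destination 203.0.113.77
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
"""

EXPECTED_ADMINS = {"netops"}           # admin accounts the org provisioned (assumed)
KNOWN_TUNNEL_PEERS = {"198.51.100.5"}  # GRE endpoints the org sanctioned (assumed)


def audit_config(config, expected_admins=EXPECTED_ADMINS, known_peers=KNOWN_TUNNEL_PEERS):
    """Return a list of findings worth a human look, derived from running-config text."""
    findings = []
    # 1. Web UI exposure: the service the two IOS XE web UI bugs are reached through.
    for directive in ("ip http server", "ip http secure-server"):
        if re.search(rf"^{directive}\s*$", config, re.M):
            findings.append(f"web ui enabled: {directive}")
    # 2. Privilege-15 local users that nobody in the org provisioned.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in expected_admins:
            findings.append(f"unexpected privilege-15 user: {m.group(1)}")
    # 3. GRE tunnel interfaces whose destination is not a sanctioned peer.
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        name = block.split("\n", 1)[0].strip()
        if not re.search(r"^\s*tunnel mode gre", block, re.M):
            continue
        dest = re.search(r"^\s*tunnel destination (\S+)", block, re.M)
        peer = dest.group(1) if dest else "<none>"
        if peer not in known_peers:
            findings.append(f"gre tunnel {name} to unsanctioned peer {peer}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show running-config` capture from each device; the allowlists are what turn a noisy grep into a finding an operator can act on.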

Though Insikt tracks this campaign only back through December, it is possible that this isn't the first time Salt Typhoon has used Cisco devices to target major telcos.

"Very little detail is currently publicly available regarding the Salt Typhoon-linked intrusions against US telecommunications providers uncovered in September 2024, including whether or not Cisco devices were involved," explains Jon Condra, senior director of strategic intelligence at Recorded Future. "Notably, CISA in December 2024 put out defensive guidance for communications providers that implies that Cisco devices were exploited, linked to the Salt Typhoon intrusions, without providing specifics. We do know that Cisco devices have been targeted by Chinese APT groups on many occasions in the past, as with a variety of other edge devices."


Salt Typhoon's Latest Cyberattack Victims

Organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar's premier telcos.

"Salt Typhoon targets telecommunications systems which are some of the most complex Frankenstein-esque examples of architectures that exist," explains Zach Edwards, senior threat researcher for Silent Push. That even old vulnerabilities could still be exploited against telcos, he suggests, isn't such a mystery: "They possess some technologies in certain systems dating back decades that, in many cases, can't be replaced, and with other modernized aspects that remain vulnerable to sophisticated attacks."

And besides telcos and ISPs themselves, Salt Typhoon also attacked 13 universities, including the University of California, Los Angeles (UCLA) and three more US institutions, plus more in Argentina, Indonesia, the Netherlands, and so on. As Insikt noted, many of these universities perform significant research in telecommunications, engineering, and other areas of technology.

Overall, while more than 100 countries were touched by this campaign, more than half of the devices compromised were in South America, India, and, most often, the US.

Recorded Future's Condra emphasizes that while prior Salt Typhoon coverage has been US-centric, "The group's targeting extends far beyond US borders and is truly global in scope. This speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for the purposes of espionage, gaining the ability to disrupt or manipulate data flows, or pre-position themselves for disruptive or destructive action in the event of an escalation of geopolitical tensions or kinetic conflict."
