China-backed hackers continue cyberattacks on telecom companies

Salt Typhoon’s hacking spree has continued this year as the China-backed threat group recently compromised five more telecom providers across the globe, including two U.S.-based companies.

According to research from Recorded Future’s Insikt Group published Thursday, Salt Typhoon (which Recorded Future calls “RedMike”) conducted a campaign between December 2024 and January 2025 that targeted unpatched Cisco edge devices. Insikt Group researchers observed the threat group attempting to compromise more than 1,000 such devices across the globe in the two-month span.

Specifically, Salt Typhoon exploited CVE-2023-20198, a privilege escalation vulnerability in the web user interface of Cisco IOS XE software, for initial access to its targets, and then weaponized CVE-2023-20273, a related privilege escalation flaw, to gain root access. Both vulnerabilities were disclosed in October 2023 as zero-day flaws that were under widespread exploitation at the time and had already compromised thousands of devices.

Insikt Group researchers discovered infiltrated Cisco devices at five organizations, including a U.S. telecom and internet service provider and a U.S.-based affiliate of a British telecom provider. Researchers also observed Salt Typhoon targeting Cisco devices at universities across the globe, including UCLA, Loyola Marymount University, Utah Tech University and California State University.

“RedMike possibly targeted these universities to access research in areas related to telecommunications, engineering, and technology, particularly at institutions like UCLA and TU Delft,” the report said.

Insikt Group found that more than half of the targeted Cisco devices were located in the U.S., South America and India, and also identified more than 12,000 Cisco devices that had web user interfaces exposed to the internet. The researchers warned that state-sponsored Chinese threat groups have “shifted heavily” toward exploiting vulnerable, public-facing network devices over the last five years.
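The exploitation chain above starts at the IOS XE web user interface, and the 12,000 internet-exposed web UIs the researchers counted are the attack surface that matters. The following is an added example, not code from the article or from Recorded Future: a small audit that reads an IOS XE running configuration and reports whether the web UI is enabled and whether an `ip http access-class` restricts who can reach it. The two configurations are constructed samples; `ip http server`, `ip http secure-server` and `ip http access-class` are the real IOS XE commands, and disabling the HTTP server feature on internet-facing devices (or limiting it to a management ACL) is the mitigation Cisco published for CVE-2023-20198.

```python
"""Audit a Cisco IOS XE running configuration for web UI exposure.

Added example, not code from the original page or from Recorded Future.
The configurations below are constructed samples for illustration.
"""
import re

# Constructed sample: web UI enabled over HTTP and HTTPS, reachable from any source.
EXPOSED_CONFIG = """\
version 17.3
hostname edge-rtr-1
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.10 255.255.255.0
!
"""

# Constructed sample: plain HTTP disabled, HTTPS limited to a management ACL.
HARDENED_CONFIG = """\
version 17.3
hostname edge-rtr-2
!
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
"""


def audit_http_server(config: str) -> dict:
    """Return the web UI state found in `config` plus a list of findings.

    An empty `findings` list means nothing to flag. Lines are compared after
    stripping indentation, so `no ip http server` is not mistaken for
    `ip http server`.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines

    # Old syntax: `ip http access-class <acl>`; newer: `ip http access-class ipv4|ipv6 <acl>`.
    access_class = None
    for ln in lines:
        m = re.match(r"ip http access-class (?:ipv4 |ipv6 )?(\S+)$", ln)
        if m:
            access_class = m.group(1)
            break

    findings = []
    if http_enabled:
        findings.append("plain-text HTTP web UI enabled (ip http server)")
    if (http_enabled or https_enabled) and access_class is None:
        findings.append("web UI reachable from any source: no ip http access-class applied")

    return {
        "http_enabled": http_enabled,
        "https_enabled": https_enabled,
        "access_class": access_class,
        "findings": findings,
    }


def is_exposed(config: str) -> bool:
    """True when the web UI is on and nothing limits which hosts can reach it."""
    return bool(audit_http_server(config)["findings"])


if __name__ == "__main__":
    for name, cfg in (("edge-rtr-1", EXPOSED_CONFIG), ("edge-rtr-2", HARDENED_CONFIG)):
        result = audit_http_server(cfg)
        status = "EXPOSED" if result["findings"] else "ok"
        print(f"{name}: {status}")
        for f in result["findings"]:
            print(f"  - {f}")
```

Run against a directory of backed-up running configurations, the script gives a quick inventory of which edge devices still have the web UI open to the world; the device that shows up as exposed is the one to take offline from the internet first.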


Source: Cybersecurity News