- Security researchers from Recorded Future observe new Salt Typhoon activity
- The threat actor is still going after ISPs and universities in the west
- The group is abusing flaws in Cisco gear to hit new targets
Salt Typhoon, a Chinese state-sponsored threat actor best known for recently breaching almost a dozen telecom providers in the US, has struck again, hitting not just American organizations, but also those from the UK, South Africa, and elsewhere around the world.
The latest intrusions were spotted by cybersecurity researchers from Recorded Future, which said the group is targeting internet-exposed web interfaces of Cisco’s IOS software that powers different routers and switches. These devices have known vulnerabilities that the threat actors are actively exploiting to gain initial access, root privileges, and more.
More than 12,000 Cisco devices were found connected to the wider internet, and exposed to risk, Recorded Future further explained. However, Salt Typhoon is focusing on a “smaller subset” of telecoms and university networks.
Recent activity
This “smaller subset” of targets includes US internet service providers and telecommunications firms, a US affiliate of a UK telecom, telecoms in South Africa and Thailand, an internet service provider in Italy, different universities around the world (Argentina, Bangladesh, Indonesia, Malaysia, Mexico, Netherland, Thailand, Vietnam, and the US).
All of this activity was spotted between December 2024, and January 2025, meaning the group is currently quite active.
“They’re super active, and they continue to be super active,” Levi Gundert, who leads Recorded Future’s research team known as Insikt Group, told Wired. “I think there’s just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.”
Cisco also chimed in, saying that the vulnerabilities Salt Typhoon is exploiting have all been fixed, and urged users to apply the available patches as soon as possible.
Unpatched n-day vulnerabilities are low-hanging fruit for cybercriminals, since they already have a working exploit and a proof-of-concept for malware infections, which makes their work relatively easy.
Via Wired
Leave a comment