Chinese Salt Typhoon spies are still hacking telecoms, now using Cisco routers
When the group of Chinese hackers known as Salt Typhoon was revealed last fall to have deeply penetrated major US telecommunications companies, the hacking campaign, which breached more than nine of the mobile carriers and accessed Americans' texts and phone calls, was treated as a four-alarm fire by the US government. But even after the high-profile exposure of those hackers, they have continued breaking into communications networks around the world, including many in the US.
Researchers at the cybersecurity company Recorded Future revealed in a report on Wednesday night that Salt Typhoon breached five telecommunications and internet service providers around the world, as well as more than a dozen universities from Utah to Vietnam, between December and January. According to analysts at the company, the telecoms include US internet service providers and telecom companies and another US-based subsidiary of a UK telecom, though the analysts declined to name the victims to WIRED.
“They are very active and they continue to be very active,” says Levi Gundert, who leads Recorded Future's research team, known as Insikt Group. “I think there’s a general underestimation of how aggressive they are in turning communications networks into Swiss cheese.”
To carry out this latest intrusion campaign, Salt Typhoon (which Recorded Future tracks under its own name, RedMike, rather than the Typhoon handle created by Microsoft) targeted the internet-exposed web interfaces of Cisco's IOS software, which runs on the networking giant's routers and switches. The hackers exploited two different vulnerabilities in the code on these devices: one grants initial access, and the other provides root privileges, giving the hackers full control of an often powerful device that has access to the victim's network.
“Whenever you’re embedded in infrastructure communications networks, like on a router, you have the keys to the kingdom in what you can access, observe, and exfiltrate,” says Gundert.
Recorded Future says it found more than 12,000 Cisco devices whose web interfaces were exposed online, and that the hackers targeted more than 1,000 of those devices installed on networks around the world. Of those, they appear to have focused on a small subset of telecom and university networks running those Cisco devices. For the targets they selected, Salt Typhoon configured the hacked Cisco devices to connect to the hackers' own command-and-control servers via Generic Routing Encapsulation (GRE) tunnels, which they used for their access and for stolen data.
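A defender-side check for the two conditions this paragraph describes, an enabled device web interface and a GRE tunnel to an unexpected endpoint, follows as an added example that is not from Recorded Future's report or from Cisco. The sample running-config, the allowlist, and the function name `audit_config` are constructed for illustration, and the addresses come from documentation ranges.

```python
import re

# Constructed running-config excerpt (not from the report); RFC 5737 addresses.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
!
interface Tunnel0
 description sanctioned link to branch office
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
interface Tunnel7
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
!
"""

# Assumption: the operator maintains an allowlist of sanctioned tunnel endpoints.
APPROVED_TUNNEL_PEERS = {"198.51.100.10"}


def audit_config(config, approved_peers):
    """Flag an enabled HTTP(S) management server and GRE tunnels to unlisted peers."""
    findings, tunnels, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # a top-level command closes any interface block
            m = re.fullmatch(r"interface (Tunnel\d+)", line)
            current = m.group(1) if m else None
            if current:
                # IOS tunnel interfaces default to GRE over IP when no mode is set
                tunnels[current] = {"mode": "gre ip", "destination": None}
            elif re.fullmatch(r"ip http (secure-)?server", line):
                findings.append(("web-ui-enabled", line))
        elif current:
            m = re.fullmatch(r"tunnel (mode|destination) (\S.*)", line.strip())
            if m:
                tunnels[current][m.group(1)] = m.group(2)
    for name, t in tunnels.items():
        dest = t["destination"]
        if t["mode"].startswith("gre") and dest and dest not in approved_peers:
            findings.append(("unapproved-gre-peer", f"{name} -> {dest}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_config(SAMPLE_CONFIG, APPROVED_TUNNEL_PEERS):
        print(f"{kind}: {detail}")
```

A `web-ui-enabled` finding means only that the management server is turned on; whether it is reachable from the internet depends on interface ACLs and upstream filtering, which this check does not evaluate.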
When WIRED contacted Cisco for comment, the company pointed to a security advisory it published in 2023 about a vulnerability in the IOS software web interface. “We continue to urge our customers to follow the recommendations outlined in our advisory and upgrade to a permanent software release that is available,” the spokesperson wrote in a statement.
Hacking network appliances as entry points into target victims, often by exploiting known vulnerabilities that device owners have failed to patch, has become standard operating procedure for Salt Typhoon and other Chinese hacking groups. This is because these network devices lack many of the security controls and monitoring software that have been extended to more traditional computing devices such as servers and PCs. Recorded Future notes in its report that sophisticated Chinese espionage teams have targeted these vulnerable network appliances as a primary intrusion technique for at least five years.