Managed IT Houston Cybersecurity
Shane

Salt Typhoon’s Ongoing Campaign: Latest Attacks on Cisco Devices

Chinese APT group exploits Cisco vulnerabilities to breach global telecom networks

Despite significant media coverage and U.S. sanctions, the Chinese state-sponsored threat group Salt Typhoon (tracked by Recorded Future as RedMike) continues to target telecommunications providers worldwide through vulnerable, internet-exposed Cisco network devices. Recorded Future’s Insikt Group reports that between December 2024 and January 2025 the group attempted to exploit more than 1,000 Cisco devices and succeeded in compromising devices on several telecommunications networks.

 The Attack Campaign

Salt Typhoon’s latest campaign targets internet-facing Cisco network devices running IOS XE software whose web UI is reachable from the internet. The group has compromised devices belonging to:

  • A U.S.-based affiliate of a UK telecommunications provider
  • A U.S. internet service provider and telecommunications company
  • A South African telecommunications provider
  • An Italian ISP
  • A large Thailand telecommunications provider

The majority of targeted devices are concentrated in the U.S., South America, and India, though the campaign spans over 100 countries. Beyond telecommunications providers, the group has also targeted universities across multiple countries, potentially seeking access to research related to telecommunications, engineering, and technology.

 Vulnerabilities Exploited

The attack chain leverages two critical vulnerabilities in the web UI feature of Cisco IOS XE software:

  1. CVE-2023-20198: A privilege escalation vulnerability in the web UI that lets an unauthenticated remote attacker create a local account with privilege level 15 (full administrative rights), giving initial access to the device
  2. CVE-2023-20273: A command injection vulnerability in the web UI that the attacker, logged in with the newly created account, exploits to run commands as root on the device’s underlying operating system

Both vulnerabilities appear in the joint Five Eyes advisory on the most routinely exploited vulnerabilities of 2023. Once a device is compromised, Salt Typhoon configures Generic Routing Encapsulation (GRE) tunnels between it and attacker-controlled infrastructure, giving the group persistent access and a covert channel for exfiltrating data.

 Remediation Steps

Organizations should implement the following security measures immediately:

  1. Patch Management:
    • Prioritize security patches for internet-exposed network devices
    • Upgrade to a Cisco IOS XE release that fixes CVE-2023-20198 and CVE-2023-20273; Cisco shipped those fixes in October 2023, so any device still unpatched has been exposed for well over a year
    • Patching does not remove accounts or tunnels an attacker already created, so check each device for those before trusting it again
  2. Access Control:
    • Do not expose device administration interfaces directly to the internet
    • Disable the HTTP and HTTPS web UI servers on devices that do not need them, and where the web UI is required, restrict it to a management network or jump host
    • Enforce strict access controls (ACLs and AAA) for all network device management
  3. Monitoring:
    • Monitor for unauthorized configuration changes on network devices
    • Watch for new tunnel interfaces and for unexpected GRE traffic (IP protocol 47) leaving the device
    • Review system logs for local user accounts you did not create and for successful logins by them
  4. Specific Log Monitoring: Cisco published the following syslog patterns as indicators of CVE-2023-20198 exploitation; “user” in the second line stands for the account name, and any account you did not provision is the signal:
    • %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http
    • %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user]
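The checks in steps 3 and 4 above, as an added example that is not part of the original post and not CinchOps or Cisco tooling: a Python script that scans exported IOS XE syslog for the two published log patterns and a saved running configuration for GRE tunnels to unapproved peers. The approved admin list, management network, approved tunnel peer, and all log and config text are constructed for this demo.

```python
"""Added example (not CinchOps or Cisco code): scan IOS XE syslog and a saved
running-config for the Salt Typhoon indicators listed above. All allow-lists
and sample data below are assumptions constructed for the demo."""
import ipaddress
import re

KNOWN_WEBUI_ADMINS = {"netops"}                   # assumed approved web UI accounts
MGMT_NET = ipaddress.ip_network("10.0.0.0/8")     # assumed management network
APPROVED_TUNNEL_PEERS = {"203.0.113.1"}           # assumed legitimate GRE peer

# Indicator 1: a config change written by the web UI backend process.
CONFIG_P = re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+)")
# Indicator 2: a successful web UI login; account name and source are bracketed.
WEBLOGIN = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\]"
    r"(?: \[Source: (?P<src>[^\]]+)\])?"
)


def _from_mgmt(src):
    """True when the login source parses as an address inside MGMT_NET."""
    try:
        return ipaddress.ip_address(src) in MGMT_NET
    except ValueError:
        return False


def scan_syslog(lines):
    """Return (severity, reason, line) findings for the two log indicators."""
    findings = []
    for line in lines:
        m = CONFIG_P.search(line)
        if m:
            if m.group("proc") == "SEP_webui_wsma_http":
                findings.append(("high", "config written by web UI backend process", line))
            continue
        m = WEBLOGIN.search(line)
        if not m:
            continue
        user, src = m.group("user"), m.group("src")
        if user not in KNOWN_WEBUI_ADMINS:
            findings.append(("high", f"web UI login by unexpected account {user!r}", line))
        elif src and not _from_mgmt(src):
            findings.append(("medium", f"web UI login by {user!r} from {src}", line))
    return findings


def tunnel_interfaces(running_config):
    """Map each 'interface TunnelN' block to its tunnel mode/destination lines."""
    blocks, current = {}, None
    for raw in running_config.splitlines():
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1].strip()
            current = name if name.startswith("Tunnel") else None
            if current:
                blocks[current] = {}
        elif current and raw.startswith(" "):
            parts = raw.split()
            if parts[:2] == ["tunnel", "destination"] and len(parts) > 2:
                blocks[current]["destination"] = parts[2]
            elif parts[:2] == ["tunnel", "mode"]:
                blocks[current]["mode"] = " ".join(parts[2:])
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks


def scan_tunnels(running_config):
    """Flag GRE tunnels whose destination is not an approved peer."""
    findings = []
    for name, cfg in tunnel_interfaces(running_config).items():
        mode = cfg.get("mode", "gre ip")  # IOS XE tunnels default to GRE over IPv4
        dst = cfg.get("destination")
        if mode.startswith("gre") and dst not in APPROVED_TUNNEL_PEERS:
            findings.append(("high", f"GRE tunnel to unapproved peer {dst or '<none>'}", name))
    return findings


# Constructed sample input: a legitimate admin login, then an account that was
# never provisioned logging in from the internet and pushing a config change.
SAMPLE_SYSLOG = [
    "*Jan 14 03:12:07.114: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: netops] [Source: 10.20.1.5] at 03:12:07 UTC Tue Jan 14 2025",
    "*Jan 14 03:41:52.903: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: webadmin2] [Source: 198.51.100.23] at 03:41:52 UTC Tue Jan 14 2025",
    "*Jan 14 03:42:10.001: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as webadmin2 on line",
]
# Constructed running-config: Tunnel0 goes to the approved peer, Tunnel50 does not.
SAMPLE_CONFIG = """\
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.1
!
interface Tunnel50
 ip address 172.16.9.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.23
!
"""

if __name__ == "__main__":
    for sev, reason, where in scan_syslog(SAMPLE_SYSLOG) + scan_tunnels(SAMPLE_CONFIG):
        print(f"[{sev}] {reason}: {where}")
```

Run it against the output of `show logging` and `show running-config` copied off each exposed device. A %SYS-5-CONFIG_P line from SEP_webui_wsma_http also appears when an administrator legitimately uses the web UI, so correlate hits with change records; and because IOS XE tunnel interfaces default to GRE, the absence of a tunnel mode line does not clear an interface.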

 How CinchOps Can Help

CinchOps offers comprehensive security solutions specifically designed to protect against sophisticated threats like Salt Typhoon. Our services include:

  • Vulnerability Scanning: Automated detection of exposed network devices and known vulnerabilities
  • Configuration Management: Secure baseline configurations and continuous monitoring for unauthorized changes
  • 24/7 Security Monitoring: Real-time detection of suspicious activities and potential compromise indicators
  • Incident Response: Rapid response capabilities to identify and remediate compromised devices
  • Security Automation: Automated patch management and security updates to maintain robust defense posture

Organizations using CinchOps can benefit from our expertise in securing network infrastructure and protecting against nation-state threats. Our platform provides the visibility and control needed to identify vulnerable devices, implement security controls, and maintain a strong security posture against evolving threats.

Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.

Don’t wait until your network is compromised. Contact CinchOps today to learn how we can help secure your network infrastructure against sophisticated threats like Salt Typhoon.
