Summary: Recorded Future’s Insikt Group has uncovered details of a campaign exploiting unpatched internet-facing Cisco network devices, primarily associated with global telecommunications providers and a handful of universities. The campaign, which was observed between December 2024 and January 2025, has been attributed to RedMike, aka Salt Typhoon, a Chinese state-sponsored threat group that was recently held responsible for compromising the networks of major US telecommunications companies, including Verizon, AT&T, and Lumen Technologies, in late September 2024.
In the latest campaign, RedMike targeted internet-facing Cisco network devices vulnerable to two privilege escalation flaws: CVE-2023-20198 and CVE-2023-20273. Disclosed by Cisco in October 2023, CVE-2023-20198 is a privilege escalation vulnerability in the Cisco IOS XE software web UI (version 16 and earlier). RedMike was observed exploiting this flaw to gain initial access to targeted devices and create a local user account, then using this account to exploit CVE-2023-20273, ultimately escalating privileges to gain root access. Researchers note that the privileged account was further used to change the device's configuration and add a GRE tunnel for persistent access and data exfiltration.
Security Officer Comments: Between December 2024 and January 2025, RedMike engaged in scanning and exploitation activity on six different occasions. During this time, the group was able to identify more than 12,000 Cisco network devices with their web UIs exposed to the internet, the majority of which resided in the United States, South America, and India. However, only 1,000 of these devices were targeted, highlighting a highly selective campaign that singled out devices linked to telecommunications providers. Notably, the Insikt Group observed seven compromised Cisco network devices communicating with RedMike infrastructure. These devices were associated with a US-based affiliate of a UK telecommunications provider, a US internet service provider and telecommunications company, a South African telecommunications provider, an Italian ISP, and a large telecommunications provider in Thailand. RedMike was also observed targeting devices associated with universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the United States, and Vietnam. The Insikt Group speculates that these universities were targeted to acquire intellectual property and valuable research data in areas related to telecommunications, engineering, and technology.
Suggested Corrections: RedMike’s activities go beyond technical exploitation, focusing on strategic intelligence goals. Persistent access to telecommunications networks allows state-backed actors to monitor communications in real time, disrupt services during geopolitical conflicts, and manipulate data flows for intelligence or propaganda purposes. To mitigate such threats, organizations should immediately apply updates for vulnerabilities like CVE-2023-20198 and CVE-2023-20273, restrict exposure of web UIs on public-facing devices, monitor for unauthorized configuration changes or GRE tunnel activity, and use end-to-end encryption for sensitive communications.
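As an added illustration of the monitoring advice above (not part of Recorded Future's report and not a Cisco tool), the following Python audits an IOS XE running-config excerpt for the three indicators this page names: the web UI enabled, a privilege-15 local user that is not in the approved baseline, and a GRE tunnel interface. The sample config, the `KNOWN_USERS` baseline and the tunnel destination address are constructed; note that GRE is the default tunnel mode on IOS XE, so a Tunnel interface with no explicit `tunnel mode` line is still treated as GRE.

```python
"""Audit an IOS XE running-config for web UI exposure, unexpected
privilege-15 users and GRE tunnel interfaces (defender-side check)."""
import re

# Constructed sample config; "guest" and Tunnel99 are the planted findings.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username guest privilege 15 secret 9 $9$PLACEHOLDER
ip http server
ip http secure-server
interface GigabitEthernet1
 ip address 192.0.2.10 255.255.255.0
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.7
"""

KNOWN_USERS = {"netadmin"}  # assumed approved-account baseline


def parse_interfaces(config):
    """Return {interface name: [indented body lines]} for each stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the stanza
    return interfaces


def audit_config(config, known_users=KNOWN_USERS):
    """Return a list of finding strings; empty means nothing flagged."""
    findings = []
    if re.search(r"^ip http (secure-)?server$", config, re.M):
        findings.append("web-ui-enabled")
    for m in re.finditer(r"^username (\S+) privilege 15", config, re.M):
        if m.group(1) not in known_users:
            findings.append(f"unknown-priv15-user:{m.group(1)}")
    for name, body in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        # No explicit "tunnel mode" line means the IOS XE default, GRE.
        mode = next((l for l in body if l.startswith("tunnel mode")), "tunnel mode gre ip")
        if "gre" in mode:
            dst = next((l.split()[-1] for l in body if l.startswith("tunnel destination")), "?")
            findings.append(f"gre-tunnel:{name}->{dst}")
    return findings
```

Run `audit_config` against a config pulled with `show running-config` and diff the findings against a known-good baseline; any new entry is a change worth investigating.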
Link(s): https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices