Chinese Hackers Target Unpatched Microsoft, Sophos, Fortinet, and Ivanti Products
In a significant breach, Chinese state-sponsored hackers have been exploiting vulnerabilities in the telecommunications networks of the U.S. and other countries. These attackers, associated with a hacking campaign known as Salt Typhoon, have gained access by taking advantage of known flaws in products from various vendors that were not properly patched by their targets.
According to cybersecurity firm Tenable, a staggering 91% of potentially vulnerable Microsoft Exchange Servers—approximately 30,000 systems—are still unpatched despite a remedy being issued in 2021. This lack of responsiveness poses a severe risk, highlighting vulnerabilities that could enable extensive network infiltration.
The Salt Typhoon group has reportedly been involved in attacks against nine telecommunications companies in the U.S., as well as others worldwide. Recent actions by the U.S. Department of the Treasury include financial sanctions against a private Chinese hacking firm and an individual linked to China’s Ministry of State Security, emphasizing the seriousness of these state-sponsored cyber threats.
Experts warn that the group primarily gains access to targeted networks through external-facing assets, exploiting recognized vulnerabilities. In a recent analysis, Scott Caveza from Tenable noted that Salt Typhoon’s tactics typically involve exploiting existing weaknesses to establish initial access and maintain persistence within a victim’s environment.
The vulnerabilities associated with Salt Typhoon include several severe flaws. For instance, the Microsoft Exchange Server’s ProxyLogon vulnerability (CVE-2021-26855) and issues in Sophos Firewall (CVE-2022-3236) have CVSS scores nearing 10, indicating their critical nature. Notably, many of these vulnerabilities have been leveraged in other cyberattacks, including those carried out by ransomware groups, underlining the wide-reaching implications of these weaknesses.
Despite the identified risks, organizational responses have been inadequate. With the overwhelming majority of systems at risk remaining unpatched, the cybersecurity landscape remains perilously exposed. Notably, users of Ivanti’s products showed a more positive trend, with 92% of the vulnerable systems reportedly patched.
The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted the threat Salt Typhoon poses, particularly to Cisco devices, and has advised organizations to tighten their device configurations. This includes disabling certain features such as Smart Install auto-loading, which can serve as a vector for exploitation if left enabled.
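A way to check the Smart Install hardening step across a fleet, as an added example that is not part of the original article or of any CISA guidance: it audits exported Cisco IOS running-configs for the `no vstack` statement and cross-checks constructed `show vstack config` output. It assumes the IOS behaviour that the Smart Install client is enabled by default and only appears in the config as `no vstack` once disabled; the hostnames and config text are constructed samples.

```python
import re

# Constructed sample running-configs (not real devices). On Cisco IOS
# switches the Smart Install client is typically enabled by default, so the
# running-config only shows "no vstack" once it has been disabled.
SAMPLE_CONFIGS = {
    "access-sw-01": "hostname access-sw-01\n!\nno vstack\n!\nend\n",
    "access-sw-02": "hostname access-sw-02\n!\ninterface Vlan1\n!\nend\n",
    "access-sw-03": "hostname access-sw-03\n!\nvstack\n!\nend\n",
}

# Constructed "show vstack config" output, the second place to verify status.
SAMPLE_VSTACK_STATUS = {
    "access-sw-02": " Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n",
}

def smart_install_state(running_config: str) -> str:
    """Return 'disabled', 'enabled' (explicit statement) or 'default'
    (no statement, which on default-enabled platforms means still active)."""
    for line in running_config.splitlines():
        stripped = line.strip()
        if stripped == "no vstack":
            return "disabled"
        if stripped == "vstack":
            return "enabled"
    return "default"

def vstack_status_enabled(show_output: str):
    """Parse 'show vstack config'; True/False, or None if not determinable."""
    m = re.search(r"SmartInstall (enabled|disabled)", show_output)
    return None if m is None else m.group(1) == "enabled"

def audit(configs: dict, statuses: dict) -> list:
    """Flag every device whose Smart Install client is not explicitly disabled,
    or whose live status still reports it enabled."""
    findings = []
    for host, cfg in sorted(configs.items()):
        state = smart_install_state(cfg)
        live_enabled = vstack_status_enabled(statuses.get(host, ""))
        if state != "disabled" or live_enabled:
            findings.append((host, state, live_enabled))
    return findings

if __name__ == "__main__":
    for host, state, live_enabled in audit(SAMPLE_CONFIGS, SAMPLE_VSTACK_STATUS):
        print(f"{host}: config={state}, live_enabled={live_enabled}: apply 'no vstack'")
```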
As the landscape of state-sponsored attacks evolves, it becomes increasingly critical for organizations to maintain rigorous cybersecurity practices. Vigilant patch management and immediate remediation of known vulnerabilities are crucial defense strategies in warding off sophisticated threats posed by nation-state actors like Salt Typhoon. Without significant improvements to these security measures, U.S. telecommunications and various other sectors may remain at high risk of cyber exploitation.