
Salt Typhoon Targeted Cisco Network Devices in Two Month Campaign

RedMike attempted to exploit a privilege escalation flaw on devices worldwide.


A continued campaign by the Chinese Salt Typhoon group saw the attempted compromise of more than 1,000 Cisco network devices.

According to new research from Recorded Future, a campaign that ran throughout December and January was identified, in which telecommunications providers were targeted.


The attack group, named RedMike by Recorded Future researchers, attempted to exploit CVE-2023-20198, a privilege escalation vulnerability in the web user interface feature of Cisco IOS XE software, for initial access. A second vulnerability, CVE-2023-20273, was also exploited for the associated privilege escalation to gain root privileges.

More than half of the Cisco devices targeted by RedMike were in the US, South America, and India. The remaining devices spanned over 100 other countries.

Researchers said that although the selected devices are primarily associated with telecommunications providers, thirteen were linked to universities across Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the US, and Vietnam.

Strategic Intelligence Threat

With targets based globally, the Recorded Future researchers said RedMike’s exploitation of telecommunications infrastructure goes beyond technical vulnerabilities and represents a strategic intelligence threat.

“Persistent access to critical communications networks enables state-backed threat actors to monitor confidential conversations, manipulate data flows, and disrupt services during geopolitical conflicts,” they said.

“RedMike’s targeting of lawful intercept programs and US political figures highlights the strategic intelligence objectives behind these operations and the national security threat they pose.”

Not Validated

In a statement emailed to SC UK, a spokesperson for Cisco said they are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. "To date, we have not been able to validate these claims but continue to review available data," they said.

"In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."
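The two flaws described above live in the IOS XE web UI, and Cisco's guidance is to patch and to lock down management protocols. The following is an added example, not code from the article or from Cisco, showing how a defender might audit exported running-configs for web UI exposure: it flags `ip http server` / `ip http secure-server` being enabled and whether an `ip http access-class` restriction is present. The three config excerpts and hostnames are constructed samples.

```python
import re

# Constructed sample running-config excerpts (not real devices).
EXPOSED_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
!
end
"""

RESTRICTED_CONFIG = """\
hostname edge-rtr-2
!
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
end
"""

HARDENED_CONFIG = """\
hostname edge-rtr-3
!
no ip http server
no ip http secure-server
!
end
"""

def audit_webui(config: str) -> dict:
    """Return web UI exposure findings for one IOS XE running-config."""
    lines = [line.strip() for line in config.splitlines()]
    http = "ip http server" in lines            # "no ip http server" does not match
    https = "ip http secure-server" in lines
    acl = any(re.match(r"ip http access-class\b", line) for line in lines)
    findings = []
    if http:
        findings.append("HTTP web UI enabled (ip http server)")
    if https:
        findings.append("HTTPS web UI enabled (ip http secure-server)")
    if (http or https) and not acl:
        findings.append("web UI reachable with no ip http access-class restriction")
    return {"webui_enabled": http or https, "access_class": acl, "findings": findings}

if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG), ("restricted", RESTRICTED_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, audit_webui(cfg)["findings"])
```

Disabling the web UI where it is not needed removes the attack surface entirely; where it must stay on, an access-class plus the vendor patch is the minimum.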


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
