Salt Typhoon exploits unpatched Cisco devices in campaign against telecoms.

Summary

By the CyberWire staff

At a glance.

Salt Typhoon exploits unpatched Cisco devices in continued campaign against telecoms.
Russia's Seashell Blizzard expands its targeting.
Fortinet patches high-severity flaw.

Salt Typhoon exploits unpatched Cisco devices in continued campaign against telecoms.

Recorded Future's Insikt Group warns that the Chinese state-sponsored threat actor Salt Typhoon (which Insikt Group tracks as "RedMike") continues to target telecommunication companies. Between December 2024 and January 2025, the researchers observed a campaign that exploited unpatched internet-facing Cisco network devices to compromise several organizations, including the US-based affiliate of a UK telecom provider and a South African telecom provider. The attacks exploited CVE-2023-20273, a privilege escalation flaw affecting the web UI feature of Cisco IOS XE Software.

Insikt Group states, "RedMike has attempted to exploit more than 1,000 Cisco devices globally. The group likely compiled a list of target devices based on their association with telecommunications providers' networks. Insikt Group also observed RedMike targeting devices associated with universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the United States (US), and Vietnam. RedMike possibly targeted these universities to access research in areas related to telecommunications, engineering, and technology, particularly at institutions like UCLA and TU Delft. In addition to this activity, in mid-December 2024, RedMike also carried out a reconnaissance of multiple IP addresses owned by a Myanmar-based telecommunications provider, Mytel."

Stop Identity-Based Cybercrime with SpyCloud’s Holistic Identity Threat Protection

Stolen identity data is the hot commodity for cybercriminals. With the full scope of your users’ digital footprints at risk for exposure, traditional account-centric security is no longer enough to protect your business from cyberattacks. SpyCloud helps security teams correlate and automatically remediate individuals' hidden identity exposures from breaches, malware, and phishing across their many online personas. Eliminate identity-based cyber threats and proactively defend against account takeover, fraud, and ransomware with SpyCloud.

Russia's Seashell Blizzard expands its targeting.

Microsoft has published a report on a hacking campaign dubbed "BadPilot" run by a subgroup of the threat actor Seashell Blizzard (also known as "Sandworm"), which is attributed to a unit of Russia's GRU. BadPilot is a multiyear initial access operation targeting vulnerable Internet-facing infrastructure. Notably, the group has expanded its targeting from Eastern Europe and Asia to include the US, the UK, Canada, and Australia.

Microsoft states, "Active since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques and stealthy forms of persistence to collect credentials, achieve command execution, and support lateral movement that has at times led to substantial regional network compromises. Observed operations following initial access indicate that this campaign enabled Seashell Blizzard to obtain access to global targets across sensitive sectors including energy, oil and gas, telecommunications, shipping, [and] arms manufacturing, in addition to international governments."

Fortinet patches high-severity flaw.

Fortinet has issued a patch for a high-severity vulnerability (CVE-2024-40591) affecting FortiOS Security Fabric, HackRead reports. The flaw can allow "an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targetted FortiGate to a malicious upstream FortiGate they control."

Notes.

Today's issue includes events affecting Argentina, Australia, Bangladesh, Canada, China, Indonesia, Malaysia, Mexico, Myanmar, the Netherlands, Russia, South Africa, Thailand, the United Kingdom, and the United States.

Attacks, Threats, and Vulnerabilities

Chinese espionage tools deployed in RA World ransomware attack (BleepingComputer) A China-based threat actor, tracked as Emperor Dragonfly and commonly associated with cybercriminal endeavors, has been observed using in a ransomware attack a toolset previously attributed to espionage actors.

Trends

AU10TIX Year-End Report on Global Identity Fraud Names 2024 ‘The Year of Fraud-as-a-Service (FaaS)’ (AU10TIX) FaaS has elevated cybercrime, enabling a whole cohort of the population to join in on global fraud by launching large-scale attacks involving up to 8,000+ incidents,” said Dan Yerushalmi, CEO of AU10TIX.

Gen Q4 Threat Report: 321 Threats Blocked Per Second as Social Media Becomes a Playground for Scammers (Gen Digital Newsroom) Social media, AI and human trust led to a record-breaking year of advanced scams and personal data loss TEMPE, Ariz. and PRAGUE, Feb. 13, 2025 /PRNewswire/ -- Gen™ (NASDAQ: GEN), a global leader...

Marketplace

Consortium Acquires Metrics that Matter® to Create the First Next Generation Value-Added Reseller (PR Newswire) /PRNewswire/ -- Cybersecurity leaders deploy an overwhelming number of security tools, yet breaches and financial losses continue to rise. Despite spending...

Products, Services, and Solutions

CrowdStrike Unveils Charlotte AI Detection Triage for Faster SOC Triage (CrowdStrike) CrowdStrike's Charlotte AI Detection Triage automates endpoint detection triage, saving SOC teams 40+ hours per week and delivering expert-level threat analysis at machine speed.

Grip Security Launches Industry’s Only SaaS Security Posture Management Solution Built on a Foundation of Visibility and Automation (GlobeNewswire News Room) Innovation enables companies to programmatically address SaaS security risks...

When ROI Falls Short: A Guide to Measuring the Value of Cybersecurity Investments with Return on Mitigation (HackerOne) A Guide to Measuring the Value of Cybersecurity Investments with Return on Mitigation

BlackFog Launches World’s First Anti Data Exfiltration Solution for macOS to Combat Ransomware (BlackFog) BlackFog launches the world’s first anti data exfiltration solution for macOS, preventing ransomware and data breaches with AI-powered security.

Legislation, Policy, and Regulation

House Republicans launch group for comprehensive data privacy legislation (The Record) The GOP leadership of the House Energy and Commerce Committee has created a working group for creating comprehensive data privacy legislation.

EFF Leads Fight Against DOGE’s Access to US Federal Workers’ Data (Infosecurity Magazine) The Electronic Frontier Foundation has requested a US federal court to block Elon Musk’s DOGE access to US Office of Personnel Management Data

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

FutureCon Baltimore (Baltimore, Maryland, USA, Feb 13, 2025) Hear from our esteemed speakers while gaining up to 10 CPE credits. Immerse yourself in the latest cybersecurity developments to gain valuable insights in today’s dynamic threat landscape. Learn how to effectively manage risk, demo the newest technologies from an array of different sponsors, and network with your local community.

Zero Trust World 2025 (Orlando, Florida, USA, Feb 19 - 21, 2025) Whether you’re Zero Trust curious, actively adopting, or simply want to harden your cybersecurity, Zero Trust World provides education and training to support IT professionals. Through thought leadership and hands-on hacking labs, you’ll explore the threat landscape and what’s possible by changing your defense strategy to default-deny.

The Business of Space Conference (Huntsville, Alabama, Feb 23 - 25, 2025) Engage with top academics, business leaders, innovators, and policy influencers working on the new space economy. Dive into keynote presentations and discussions that foster collaboration between researchers and space economy industry stakeholders. These conversations will present the latest insights into the new space economy and shape future academic and policy research.

GovMilSpace (Washington, DC, USA, Mar 10 - 13, 2025) Demystify the future of space technology. In alignment with the SATELLITE Conference & Exhibition, GovMilSpace brings together government and military agencies, the intelligence community, and satellite and space industry partners to explore how private industry can enhance critical missions for the U.S. and its global allies.

Satellite 2025 (Washington, DC, USA, Mar 10 - 13, 2025) For 40+ years SATELLITE has gathered the global space and satellite communities for four immersive days of enterprise, insights, and innovation. This year, with the debut of GovMilSpace, SATELLITE expands its reach to address the needs and priorities of the defense sector.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 02.13.25