Daily Briefing for 03.06.25

At a glance.

• US Justice Department charges employees of Chinese IT contractor i-Soon.
• Silk Typhoon targets the IT supply chain for initial access.
• Thousands of VMware ESXi instances remain vulnerable to actively exploited flaws.

US Justice Department charges employees of Chinese IT contractor i-Soon.

The US Justice Department has charged twelve Chinese nationals for their alleged involvement in hacking US entities on behalf of the Chinese government. Two of the individuals are officers with the PRC's Ministry of Public Security (MPS), and eight are employees of Chinese IT security contractor i-Soon. Two additional defendants are freelancers tied to the APT27 threat actor, who assisted i-Soon in some operations.

The Justice Department says the MPS and the Ministry of State Security (MSS) hired i-Soon to carry out espionage campaigns against organizations around the globe, including the US Defense Intelligence Agency, the US Commerce Department, a major US religious organization, and news organizations based in the US and Hong Kong. i-Soon also allegedly hacked the foreign ministries of India, Indonesia, South Korea, and Taiwan. The FBI says i-Soon's activities have been publicly tracked as Aquatic Panda, Red Alpha, Red Hotel, Charcoal Typhoon, Red Scylla, Hassium, Chromium, and TAG-22.

Justice said in a press release, "From approximately 2016 through 2023, i-Soon and its personnel engaged in the numerous and widespread hacking of email accounts, cell phones, servers, and websites at the direction of, and in close coordination with, the PRC’s MSS and MPS. i-Soon generated tens of millions of dollars in revenue and at times had over 100 employees. i-Soon’s primary customers were PRC government agencies. It worked with at least 43 different MSS or MPS bureaus and charged the MSS and MPS between approximately $10,000 and $75,000 for each email inbox it successfully hacked."

i-Soon sustained a major breach in early 2024 that exposed its inner workings and ties to the Chinese government, as well as its hacking tools and services.

Silk Typhoon targets the IT supply chain for initial access.

Microsoft has published a report on the Chinese espionage actor Silk Typhoon, finding the group is "now targeting common IT solutions like remote management tools and cloud applications to gain initial access." Microsoft states, "While they haven’t been observed directly targeting Microsoft cloud services, they do exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities. After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives."

BleepingComputer notes that Silk Typhoon recently made headlines for hacking the US Treasury's Office of Foreign Assets Control (OFAC) in December 2024.

Thousands of VMware ESXi instances remain vulnerable to actively exploited flaws.

Tens of thousands of VMware ESXi instances remain vulnerable to a chain of actively exploited vulnerabilities disclosed on Tuesday, SecurityWeek reports. The vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) can allow an attacker to perform a VM escape and gain access to the ESXi hypervisor. Security researcher Kevin Beaumont explains that attackers can "[u]se that to access every other VM, and be on the management network of VMware cluster." Beaumont added, "[Once] you have this level of access, traditionally you'll see groups like ransomware actors steal files and wipe things."

While the vulnerabilities are being exploited by unnamed threat actors, details of the exploit aren't yet publicly available. Organizations should prioritize patching before an exploit is released.