Canadian provider: Unpatched Cisco security vulnerability as a gateway

The Canadian IT security authority has attributed attacks on telco providers to Chinese actors. They broke in through an unpatched Cisco gap.

(Image: heise online / dmk)

An unpatched security vulnerability in Cisco routers served a Chinese cyber gang as the entry point into the network of a Canadian telecommunications provider. This is reported by the IT security authority “Canadian Centre for Cybersecurity” (“Cyber Centre” for short), which warns of ongoing attacks by state-backed Chinese cyber gangs.

The Cyber Centre published the analysis together with the US FBI. In doing so, the authorities want to warn of the danger posed by Chinese state-backed threat actors who want to infiltrate and spy on global telecommunications providers. The Salt Typhoon group in particular stands out.

According to the report, the attacks are currently also targeting Canadian telecommunications providers. In mid-February of this year, members of the Salt Typhoon group penetrated an unnamed provider. They abused the vulnerability CVE-2023-20198 (EUVD-2023-24377) to collect the configuration files of three vulnerable devices and manipulated the configuration of at least one of them so that data could be exfiltrated from the network through a GRE tunnel set up in the process.

The vulnerability affects Cisco's IOS XE. The Linux-based system runs on Cisco routers and switches and ships with a web-based user interface. If that interface is active, attackers can abuse the vulnerability to take complete control of the vulnerable system directly. Cisco therefore classifies the vulnerability as a “critical” risk with a CVSS score of 10.0, the highest possible. The vulnerability became public in October 2023, and Cisco provided updated software to close it. The Canadian telco provider under attack apparently did not install it for over a year.
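A defender-side check for the two conditions in the chain just described, the exposed IOS XE web UI and a GRE tunnel injected into the configuration, as an added example that is not from the article or from Cisco. It parses a constructed running-config excerpt and assumes the documented IOS behaviour that a Tunnel interface without a `tunnel mode` line defaults to GRE over IP.

```python
import re
# Constructed sample (not a real capture): web UI on, one GRE tunnel added.
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
interface Tunnel100
 tunnel destination 203.0.113.45
interface Tunnel200
 tunnel destination 198.51.100.7
 tunnel mode ipsec ipv4
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented body lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return interfaces

def find_gre_tunnels(config):
    """Return (name, destination) for Tunnel interfaces that carry GRE."""
    hits = []
    for name, body in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        modes = [l for l in body if l.startswith("tunnel mode")]
        # GRE/IP is the IOS default when no 'tunnel mode' line is present.
        if not modes or any("gre" in m for m in modes):
            dest = next((l.split()[-1] for l in body if l.startswith("tunnel destination")), None)
            hits.append((name, dest))
    return hits

def web_ui_enabled(config):
    # Matches the HTTP or HTTPS server lines that expose the IOS XE web UI.
    return re.search(r"^ip http (secure-)?server$", config, re.M) is not None

def audit(config, allowed_destinations=()):
    findings = []
    if web_ui_enabled(config):
        findings.append("web UI enabled (ip http server / ip http secure-server)")
    for name, dest in find_gre_tunnels(config):
        if dest not in allowed_destinations:
            findings.append(f"GRE tunnel {name} to unapproved destination {dest}")
    return findings
```

Run `audit()` against `show running-config` output from each device with a list of known-good tunnel endpoints; any finding is a device to patch, check and clean up.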

Investigations by the Cyber Centre's IT experts indicate that the targets extend beyond the telecommunications sector. In some cases, compromising the devices made it possible to spy on networks or to infect other devices; in others, the aim was simply to retain access to infiltrated devices for later use (reconnaissance). IT security experts expect further attacks by the Chinese-controlled cyber gang over the next two years. Telecommunications providers remain the highest priority, as they give attackers the widest reach for espionage.

The attackers target vulnerabilities in security and network devices at the network perimeter, including routers, firewalls, and VPN solutions. Security gaps there must therefore be closed as quickly as possible.

The criminal online gang Salt Typhoon, which is associated with China, is also very active in the USA. At the end of 2024, IT experts discovered cyberattacks on several major US telecommunications providers. The attackers broke into AT&T, T-Mobile, Verizon, and other US providers. However, the vulnerabilities the perpetrators abused were not made public.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.