Headline
UK and US Blame Three Chinese Tech Firms for Global Cyberattacks
A coalition of international cybersecurity agencies led by the UK’s National Cyber Security Centre (NCSC) has publicly linked…
A coalition of international cybersecurity agencies led by the UK’s National Cyber Security Centre (NCSC) has publicly linked three China-based technology companies to a long-running global cyberattack campaign.
In a new advisory, the NCSC and partners from twelve other countries, the United States, Australia, Canada, New Zealand, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain shared technical details about a campaign that has targeted critical networks since at least 2021.
The attacks have impacted several high-profile organisations around the world in sectors like government, telecommunications, transportation, and military infrastructure. The data stolen could ultimately provide Chinese intelligence services with the ability to track communications and movements on a global scale.
****An Unrestrained Campaign****
According to the advisory (PDF), the three China-based companies, “Sichuan Juxinhe Network Technology Co Ltd,” “Beijing Huanyu Tianqiong Information Technology Co,” and “Sichuan Zhixin Ruijie Network Technology Co Ltd,” provide cyber-related services to China’s intelligence agencies.
NCSC chief executive Dr. Richard Horne expressed deep concern, stating that this activity is an “unrestrained campaign of malicious cyber activities on a global scale.” The campaign partially overlaps with a group commonly known as Salt Typhoon. Other groups linked to this campaign include the following:
- RedMike
- UNC5807
- GhostEmperor
- OPERATOR PANDA
A key finding, as per the US National Security Agency’s press release, is that the attackers have been successful not by using new or complex hacking tools, but by taking advantage of old, well-known vulnerabilities that organisations should have already fixed with security updates.
The campaign successfully exploited flaws in devices from major companies like Ivanti (CVE-2024-21887), Palo Alto Networks (CVE-2024-3400), and Cisco (CVE-2023-20273, CVE-2023-20198, and CVE-2018-0171).
This means that many of these attacks could have been easily avoided. Instead of developing new methods, the hackers simply exploit weaknesses that have been left unpatched.
****What Organisations Can Do****
Given the seriousness of the threat, the agencies are strongly urging organisations to take immediate action. They are advised to proactively look for malicious activity on their networks.
The advisory also provides a specific warning, including that organisations should gain a full understanding of the attackers’ presence before trying to remove them to ensure they can achieve a complete “eviction” from the network.
The advisory also points out the importance of guaranteeing that internet-facing devices are properly secured and that all available security updates are applied. As Dr. Horne emphasised, network defenders must remain vigilant and continuously review their systems for any signs of unusual activity.
****Expert Analysis****
John Hultquist, the Chief Analyst at Google’s Threat Intelligence Group, provided a statement exclusively to Hackread.com, offering further insight into the threat. He noted that the hacking group has a “unique advantage” in evading detection because of its deep expertise in telecommunications systems.
According to Hultquist, Chinese cyber espionage is powered by an “ecosystem of contractors, academics, and other facilitators” who are used to create tools and carry out the attacks. He explained that this model has allowed their operations to grow to an “unprecedented scale.”
Hultquist also highlighted that the reported targeting of hospitality and transportation sectors suggests a goal beyond corporate espionage: gathering information to “closely surveil individuals” and build a complete picture of who they are communicating with, their location, and where they travel.
Related news
Amy (ahem, Special Agent Dale Cooper) shares lessons from their trip to the Olympic Peninsula and cybersecurity travel tips for your last-minute adventures.
FBI and Cisco warn Russian hackers are exploiting a 7-year-old Cisco Smart Install vulnerability on outdated routers and…
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering.
Salt Typhoon, a China-linked group, is exploiting router flaws to spy on global telecoms, warns a joint FBI and Canadian advisory issued in June 2025.
Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention.
Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention.
RansomHub emerges as a major ransomware threat in 2024, targeting 600 organizations after ALPHV and LockBit disruptions. Group-IB…
The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.
The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.
Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations. Recorded Future's Insikt Group is tracking the activity under the temporary moniker TAG-100, noting that the adversary likely compromised organizations in at least ten countries across Africa, Asia, North America,
By Waqas The Llama Drama vulnerability in the Llama-cpp-Python package exposes AI models to remote code execution (RCE) attacks, enabling attackers to steal data. Currently, over 6,000 models are affected by this vulnerability. This is a post from HackRead.com Read the original post: AI Python Package Flaw ‘Llama Drama’ Threatens Software Supply Chain
Though PAN originally described the attacks exploiting the vulnerability as being limited, they are increasingly growing in volume, with more exploits disclosed by outside parties.
Growing attacks targeting the flaw prompted CISA to include it in the known exploited vulnerabilities catalog earlier this month.
This Metasploit module exploits two vulnerabilities in Palo Alto Networks PAN-OS that allow an unauthenticated attacker to create arbitrarily named files and execute shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or GlobalProtect Portal enabled and telemetry collection on (default). Multiple versions are affected. Payloads may take up to one hour to execute, depending on how often the telemetry service is set to run.
Palo Alto PAN-OS versions prior to 11.1.2-h3 command injection and arbitrary file creation exploit.
By cybernewswire Las Vegas, United States, April 17th, 2024, CyberNewsWire Zero Knowledge Networking vendor shrugs off firewall flaw In the… This is a post from HackRead.com Read the original post: Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)
Palo Alto OS was recently hit by a command injection zero day attack. These are exploitation details related to the zero day.
A sophisticated threat actor is leveraging the bug to deploy a Python backdoor for stealing data and executing other malicious actions.
By Deeba Ahmed Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware! This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware
Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.
This Metasploit module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.
By Deeba Ahmed Ivanti has released patches for vulnerabilities found in its enterprise VPN appliances, including two flagged as exploited zero-days… This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners
Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication. The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system. "An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development came after the vulnerabilities – an authentication bypass
There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues.
Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.
This Metasploit module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f...
Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices
A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.
A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.
Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 as part of an exploit chain. "The attacker first
A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.
A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.
Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward you and any organizations you’re a part of be more security resilient.
No patch or workaround is currently available for the maximum severity flaw, which allows attackers to gain complete administrator privilege on affected devices remotely and without authentication.
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.