Dive Brief:
- GreyNoise researchers observed active exploitation of two Cisco vulnerabilities, CVE-2018-0171 and CVE-2023-20198, which reportedly have been used in recent attacks by the Chinese nation-state threat group known as Salt Typhoon.
- Attackers exploited CVE-2018-0171, a vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software, between December 2024 and January 2025. Cisco Talos researchers last week said they observed a recent attack in which Salt Typhoon actors exploited the flaw, but they found no other evidence of Cisco vulnerabilities being used by the group.
- In a threat report earlier this month, Recorded Future’s Insikt Group said it observed Salt Typhoon attacks between December and January in which threat actors exploited CVE-2023-20198, a critical privilege escalation vulnerability, against unpatched Cisco devices.
Dive Insight:
GreyNoise’s findings are the latest research on threat activity connected to Salt Typhoon. The Chinese state-sponsored threat group was responsible for several high-profile breaches of U.S. telecom companies, including AT&T, Verizon and T-Mobile, that first came to light last fall. In those attacks, Salt Typhoon accessed private communications for high-value individuals and obtained data related to law enforcement requests.
Recorded Future discovered Salt Typhoon’s campaign against telecom organizations continued in December and January. Insikt Group researchers found the threat group had compromised five more telecom providers, including two based in the U.S., by exploiting CVE-2023-20198 and CVE-2023-20273 to gain initial access.
In a blog post Monday, GreyNoise warned of additional threat activity against Cisco vulnerabilities. “Two malicious IPs exploited CVE-2018-0171 in December 2024 and January 2025, originating from Switzerland and the United States — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273,” the threat intelligence company said.
GreyNoise also observed recent exploitation of CVE-2023-20198 against unpatched Cisco devices. According to the blog post, 110 malicious IPs, primarily from Bulgaria, Brazil and Singapore, targeted the flaw.
It’s unclear which threat actors are behind the observed activity. In a statement to Cybersecurity Dive, the company emphasized that the attacks on CVE-2018-0171 overlap in time with the reported exploitation of CVE-2023-20198 and CVE-2023-20273. However, the blog post did not attribute the exploitation to Salt Typhoon or to any other specific threat actor.
Similarly, GreyNoise said it’s unclear who is behind the recent exploitation of CVE-2023-20198. Cybersecurity Dive asked the company if multiple threat actors could be responsible for the attacks, given the number of IP addresses involved.
“At this point, we do not have enough evidence to identify how many threat actors were involved, and we do not feel comfortable speculating,” GreyNoise said in an email.