Chinese hackers: attacks exploit flaws known since 2021

by Felipe Guimarães, Chief Information Security Officer, Solo Iron

The recent attacks attributed to the Chinese group Salt Typhoon on telecommunications companies in several countries, Brazil included, have put the whole world on alert. News reports describe the sophistication of the intrusions and, more alarming still, the attackers are believed to still be inside these companies' networks.

The first information about this group emerged in 2021, when Microsoft's Threat Intelligence team published details of how China had successfully infiltrated several internet service providers in order to monitor those companies and capture data. One of the group's early attacks went through a flaw in Cisco routers, which served as a gateway for monitoring the internet traffic passing through those devices. Once inside, the attackers were able to expand their reach to additional networks. In October 2021, Kaspersky confirmed that the group had already extended its attacks to other countries, among them Vietnam, Indonesia, Thailand, Malaysia, Egypt, Ethiopia and Afghanistan.

If the first vulnerabilities were already known in 2021, why are we still being attacked? The answer lies precisely in how we deal with these vulnerabilities day to day.

Breach method

Now, in the last few days, information from the US government has confirmed a series of attacks on "companies and countries" that would have started from known vulnerabilities in Ivanti's VPN appliances, in Fortinet FortiClient EMS (the server that manages Fortinet's endpoint agents), in Sophos firewalls and in Microsoft Exchange servers.

The Microsoft vulnerability was disclosed in 2021 and the company published patches shortly afterwards. The flaw in Sophos firewalls was published in 2022 and patched in September 2023. The problems in FortiClient EMS were made public in 2023 and corrected in March 2024, as were those in Ivanti's products, whose CVEs (Common Vulnerabilities and Exposures) were also registered in 2023. Ivanti, however, only patched the vulnerability last October.

All these vulnerabilities let the attackers walk into the targeted networks with little effort and then operate with legitimate credentials and legitimate software, which makes the intrusions far harder to tell apart from normal administration. From there they moved laterally within the networks and deployed malware to support long-term espionage.

What is alarming about the recent attacks is that the methods used by Salt Typhoon are consistent with the long-term tactics seen in earlier campaigns attributed to Chinese state-sponsored actors. These methods include using legitimate credentials so that malicious activity looks like routine operations, which conventional security controls struggle to flag. The focus on widely deployed edge software such as VPNs and firewalls shows detailed knowledge of the weak points in corporate and government environments.

The problem of vulnerabilities

The vulnerabilities exploited also reveal a worrying pattern: delays in applying patches and updates. Despite the patches made available by manufacturers, the operational reality of many companies makes it difficult to implement these solutions immediately. Compatibility tests, the need to avoid interruptions to mission-critical systems and, in some cases, a lack of awareness about the seriousness of the flaws all contribute to increasing the window of exposure.

This issue is not only technical, but also organizational and strategic, involving processes, priorities and, often, corporate culture.

One critical aspect is that many companies treat patching as a “secondary” task compared to operational continuity. This creates the so-called downtime dilemma, where leaders have to decide between the momentary interruption of services to update systems and the potential risk of future exploitation. However, recent attacks show that delaying these updates can be much more costly, both in financial and reputational terms.

In addition, compatibility testing is a common bottleneck. Many corporate environments, especially in sectors such as telecommunications, operate with a complex combination of legacy and modern technologies. This means that each update requires considerable effort to ensure that the patch doesn’t cause problems in dependent systems. This kind of care is understandable, but can be mitigated by adopting practices such as more robust test environments and automated validation processes.

Another factor behind patching delays is a lack of awareness of how serious a flaw is. IT teams often underestimate a specific CVE, especially when it has not yet been widely exploited. The problem is that the attackers' window of opportunity can open before the organization realizes how serious the issue is. This is where threat intelligence and clear communication between technology vendors and their customers make all the difference.

Finally, companies need to adopt a more proactive and prioritized approach to vulnerability management, which includes automating patching processes, segmenting networks to limit the impact of possible intrusions and regularly simulating possible attacks, which helps to find potential “weak points”.
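The two points above, that a CVE nobody has yet seen exploited is easy to underrate, and that vulnerability management needs to be prioritized rather than worked through in scanner order, can be turned into a small ranking routine. The script below is an added example, not code from the article or from Solo Iron: it ranks findings by exploitation status, internet exposure, appliance role and the length of time a fix has been available, instead of by CVSS alone. Every identifier in it is constructed (the vulnerability IDs use the year 0000, which is not a valid CVE year, the asset names are invented, and the EXPLOITED set stands in for a threat-intelligence feed such as a known-exploited-vulnerabilities list); the SLA numbers are an illustrative policy, not a standard.

```python
"""Patch prioritisation driven by exploitation status and exposure window.

Added example, not code from the article or from Solo Iron. Every
identifier below is constructed: the vulnerability IDs use the year 0000
(not a valid CVE year), the asset names are invented, and EXPLOITED stands
in for a threat-intelligence feed such as a known-exploited list.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float            # vendor/NVD base score, 0-10
    patch_available: date  # date the vendor shipped a fix
    internet_facing: bool
    role: str              # "vpn", "firewall", "mail", "workstation", ...


# Constructed stand-in for a threat-intelligence feed of IDs seen exploited.
EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}

# Edge appliances of the kind the article describes as entry points.
EDGE_ROLES = {"vpn", "firewall", "mail"}


def exposure_days(f: Finding, today: date) -> int:
    """Days a fix has existed without being applied: the exposure window."""
    return max(0, (today - f.patch_available).days)


def priority_score(f: Finding, today: date) -> float:
    """Higher means patch sooner. Exploitation and exposure outweigh raw CVSS,
    so a known-exploited 8.2 on a VPN gateway ranks above an unexploited 9.8
    on an internal workstation."""
    score = f.cvss
    if f.vuln_id in EXPLOITED:
        score += 20.0   # active exploitation dominates any base score
    if f.internet_facing:
        score += 10.0
    if f.role in EDGE_ROLES:
        score += 5.0
    # +1 per month the patch has been available, capped at one year
    score += min(exposure_days(f, today), 365) / 30.0
    return round(score, 2)


def sla_days(f: Finding) -> int:
    """Remediation deadline in days; the numbers are an illustrative policy."""
    if f.vuln_id in EXPLOITED:
        return 3 if f.internet_facing else 14
    if f.cvss >= 9.0:
        return 7 if f.internet_facing else 30
    if f.cvss >= 7.0:
        return 30
    return 90


def is_overdue(f: Finding, today: date) -> bool:
    """True when the exposure window has already exceeded the SLA."""
    return exposure_days(f, today) > sla_days(f)


def prioritise(findings, today: date):
    """Return findings ordered by descending priority score."""
    return sorted(findings, key=lambda f: priority_score(f, today), reverse=True)


# Constructed inventory; in practice a scanner export would supply this.
TODAY = date(2024, 12, 10)
INVENTORY = [
    Finding("vpn-gw-01", "CVE-0000-0001", 8.2, date(2023, 11, 14), True, "vpn"),
    Finding("fw-edge-02", "CVE-0000-0002", 9.8, date(2024, 3, 12), True, "firewall"),
    Finding("mail-01", "CVE-0000-0003", 9.1, date(2024, 10, 8), False, "mail"),
    Finding("hr-desktop-77", "CVE-0000-0004", 9.8, date(2024, 11, 20), False, "workstation"),
]


if __name__ == "__main__":
    print(f"{'asset':<14} {'vuln':<14} {'cvss':>4} {'score':>6} {'days':>5} {'sla':>4} overdue")
    for f in prioritise(INVENTORY, TODAY):
        print(f"{f.asset:<14} {f.vuln_id:<14} {f.cvss:>4} {priority_score(f, TODAY):>6} "
              f"{exposure_days(f, TODAY):>5} {sla_days(f):>4} {is_overdue(f, TODAY)}")
```

Run on the constructed inventory, the VPN gateway with a known-exploited 8.2 that has been patchable for over a year comes out first, the internal mail server with an exploited flaw second, and the internet-facing firewall with an unexploited 9.8 only third; the 9.8 on an internal workstation, which a CVSS-only queue would have put at the top, lands last and is the only finding still inside its SLA. The exposure_days figure is the number to watch: it is the window in which an attacker who reads the same advisory as you can walk in.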

The issue of delayed patches and updates is not only a technical challenge, but also an opportunity for organizations to transform their security approach, making it more agile, adaptable and resilient. Above all, this mode of operation is not new, and hundreds of other attacks are carried out using the same modus operandi, based on vulnerabilities that are used as a gateway. Taking advantage of this lesson could be the difference between being a victim or being prepared for the next attack.

About Solo Iron:
Solo Iron is Solo Network’s cybersecurity vertical specialized in offering end-to-end corporate cyber protection through a highly specialized team and solutions from the world’s leading cybersecurity technology manufacturers. Bringing together the expertise and background of more than 20 years of Solo Network experience, the Solo Iron portfolio offers solutions ranging from endpoint protection to fully managed SOC.
