China-linked Salt Typhoon exploits Cisco flaw in attack on Canadian telecom firm

The Canadian Centre for Cyber Security and the US Federal Bureau of Investigation (FBI) have issued a joint advisory warning of an ongoing cyber espionage campaign attributed to China-linked threat actors known as Salt Typhoon.

According to the alert, the actors exploited a critical vulnerability in Cisco IOS XE software (CVE-2023-20198) to compromise three network devices operated by a Canadian telecommunications firm in mid-February. The victim company has not been named.

Investigators say the attackers accessed configuration files and modified at least one to set up a Generic Routing Encapsulation (GRE) tunnel for covert traffic collection across the network. The agencies warn that the breach could facilitate further intrusions across other sectors, suggesting the campaign likely extends beyond telecommunications.
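The advisory's description of a modified configuration that adds a GRE tunnel for traffic collection suggests a straightforward defensive check: compare the current running-config of each IOS XE device against a known-good baseline and flag any GRE tunnel interface that is new, changed, or pointed at a peer outside an approved list. The script below is an added example written for this article, not code from the advisory or from Cisco; the two configurations, the hostname, and the approved-peer range are constructed, and the baseline-comparison approach is an assumption about how an operator would track config drift.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample configs (not from the advisory). BASELINE_CONFIG is the
# known-good running-config; CURRENT_CONFIG adds an unexpected GRE tunnel.
BASELINE_CONFIG = """\
hostname edge-rtr-1
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel10
 description approved-mgmt-tunnel
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.50
!
"""

CURRENT_CONFIG = BASELINE_CONFIG + """\
interface Tunnel99
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre ip
 tunnel destination 198.51.100.77
!
"""

# Assumed allowlist of networks that legitimate tunnel peers live in.
APPROVED_TUNNEL_PEERS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [indented sub-lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a top-level command ends the block
    return interfaces


def is_gre_tunnel(name: str, lines: List[str]) -> bool:
    """True for Tunnel interfaces running GRE. IOS uses GRE over IPv4 as the
    default tunnel mode, so a Tunnel interface with no 'tunnel mode' line counts."""
    if not name.lower().startswith("tunnel"):
        return False
    modes = [l for l in lines if l.startswith("tunnel mode ")]
    return not modes or any("gre" in m for m in modes)


def tunnel_destination(lines: List[str]):
    for l in lines:
        m = re.match(r"tunnel destination (\S+)", l)
        if m:
            return m.group(1)
    return None


def audit(baseline: str, current: str) -> List[str]:
    """Return human-readable findings for GRE tunnels that are new, changed,
    or terminate at a peer outside APPROVED_TUNNEL_PEERS."""
    base = parse_interfaces(baseline)
    cur = parse_interfaces(current)
    findings = []
    for name, lines in cur.items():
        if not is_gre_tunnel(name, lines):
            continue
        dest = tunnel_destination(lines)
        if name not in base:
            findings.append(f"{name}: GRE tunnel not present in baseline (destination {dest})")
        elif base[name] != lines:
            findings.append(f"{name}: GRE tunnel configuration changed since baseline")
        if dest:
            try:
                addr = ipaddress.ip_address(dest)
            except ValueError:
                findings.append(f"{name}: tunnel destination {dest} is not an IP literal; review manually")
                continue
            if not any(addr in net for net in APPROVED_TUNNEL_PEERS):
                findings.append(f"{name}: tunnel destination {dest} is not an approved peer")
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE_CONFIG, CURRENT_CONFIG):
        print(finding)
```

Running this against the constructed pair reports Tunnel99 twice (absent from the baseline, and terminating at an unapproved peer) and stays silent about Tunnel10. In practice the baseline would come from a config-management system and the check would run on every collected running-config, since a tunnel added through a compromised device will not appear in change tickets.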

Cybersecurity firm Recorded Future previously reported similar exploits of CVE-2023-20198 and CVE-2023-20273 to infiltrate telecom and internet firms in the US, South Africa, and Italy.

Separately, the UK’s National Cyber Security Centre (NCSC) has released security advisories detailing two new malware families, dubbed “UMBRELLA STAND” and “SHOE RACK,” that target Fortinet’s FortiGate 100D firewalls. SHOE RACK, a stealthy post-exploitation tool, uses reverse SSH tunneling and DNS-over-HTTPS (DoH) to maintain covert access.

UMBRELLA STAND is capable of executing remote commands, adjusting beacon intervals, and communicating via AES-encrypted channels.
