{
	"id": "3be3eaf4-3bb4-4b5a-b369-35f7c7c03310",
	"created_at": "2026-04-06T00:09:39.170647Z",
	"updated_at": "2026-04-10T03:34:28.260574Z",
	"deleted_at": null,
	"sha1_hash": "d365ab462127b407a36eb3696d11e2fcdf1a0508",
	"title": "The Persistent Threat of Salt Typhoon: Tracking Exposures of Potentially Targeted Devices - Censys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 411407,
	"plain_text": "The Persistent Threat of Salt Typhoon: Tracking Exposures of\r\nPotentially Targeted Devices - Censys\r\nBy Ivonne Francia\r\nPublished: 2025-04-25 · Archived: 2026-04-05 18:32:45 UTC\r\nExecutive Summary\r\nSalt Typhoon (also known as FamousSparrow/GhostEmperor/RedMike/UNC2286) is a Chinese state-sponsored threat actor that has compromised major telecommunications providers worldwide.\r\nAlthough confirmed IOCs for Salt Typhoon remain sparse, public reporting suggests that their campaigns\r\nagainst telecommunications providers target known vulnerabilities in publicly available network device\r\ninterfaces to gain initial entry.\r\nWe track global exposures of internet-facing network devices associated–either loosely or directly–with\r\nSalt Typhoon activity over the past six months, including: Sophos Firewalls, Cisco IOS XE WebUIs, Ivanti\r\nConnect Secure, and Fortinet FortiClient EMS systems. When version data was available, we also\r\nmeasured how many devices were running versions known to be vulnerable to the CVEs discussed. 
\r\nIt’s important to note that in this campaign, even fully patched device exposures can potentially pose a\r\nrisk, as Salt Typhoon and similar actors often bypass exploitation entirely by using stolen credentials.\r\nUnderstanding how exposure has evolved over time can help us assess both the evolving scale of the threat\r\nfrom this campaign and how organizations may be responding at large.\r\nWhile definitive attribution to Salt Typhoon remains vague, these network device vulnerabilities represent\r\ncritical security priorities in that they often provide direct access to internal networks and sensitive\r\nresources.\r\nA six-month trend analysis reveals:\r\nOverall combined exposure of tracked network devices has decreased by 25% since October\r\n2024.\r\nThe largest reduction came from Sophos Firewall web interfaces, which saw a 35% drop in\r\nexposures (over 70,000 instances).\r\nCisco IOS XE was the only platform to show a net increase, albeit minimal, with\r\nexposures rising by approximately 7% (over 3,000 instances).\r\nIvanti Connect Secure and FortiClient EMS exposures showed minimal net change, but\r\ntrended slightly downward, with decreases of 13% and 3% respectively.\r\nGeographically, the majority of current exposures remain concentrated in the United States, except for\r\nSophos XG Firewall exposures, which are concentrated in Germany.\r\nThe persistence of relatively large numbers of these devices on the internet raises key questions about why\r\nthese systems are still online and what large drops in exposure may actually reflect: successful remediation,\r\nroutine device reconfigurations, or something else.\r\nBackground\r\nhttps://censys.com/blog/the-persistent-threat-of-salt-typhoon-tracking-exposures-of-potentially-targeted-devices\r\nPage 1 of 12\n\nState-sponsored threat actors have increasingly targeted network infrastructure–routers, VPNs, and other edge\r\ndevices essential to securing the perimeter. 
Among them, Salt Typhoon (also known as Earth Estries,\r\nFamousSparrow, GhostEmperor, RedMike, and UNC2286), a threat group linked to the PRC, has gained attention\r\nfor its systematic exploitation of known network device vulnerabilities against telecommunications providers and\r\npublic sector environments. \r\nThis has included major incidents such as breaches of U.S. telecommunications providers, as reported by CISA\r\nand various media sources. In these campaigns, the group often exploits unpatched network\r\ndevices, like Cisco routers, to gain persistent access to sensitive infrastructure and conduct follow-on exploits.\r\nThey are known for leveraging stealthy techniques such as disabling logs, routing through compromised\r\ninfrastructure, and avoiding traditional malware payloads entirely–relying instead on living-off-the-land\r\ntechniques and direct manipulation of device settings. These tactics can make detection difficult for organizations\r\nthat rely on endpoint security monitoring. \r\nThis blog analyzes a set of known network device vulnerabilities that have been linked–though often tentatively–\r\nto Salt Typhoon in public reporting, and examines the global exposure of potentially affected devices. We’ll look\r\nat which devices are most affected, how their exposure has shifted over time, and why addressing these\r\nvulnerabilities is critical to defending against future campaigns. While direct evidence of exploitation varies and\r\nconfirmed IoCs remain rare, these vulnerabilities are nevertheless worth monitoring given the affected devices’ susceptibility to\r\nthreats.\r\nIt’s also worth noting that while CVEs are useful markers for tracking risk, threat actors often bypass the need to\r\nexploit altogether and simply log in. As Talos observed, in most incidents involving Cisco devices, access was\r\ngained through stolen credentials rather than exploited vulnerabilities. As such, even fully patched devices can be\r\nat risk. 
Monitoring all exposed network device interfaces on your systems remains critical.\r\nUnderstanding the Known Vulnerabilities Linked to Salt Typhoon\r\nWe analyzed CVEs in four distinct network device products that have appeared frequently in connection with Salt\r\nTyphoon across multiple intelligence sources, although this isn’t an exhaustive list. Attribution remains difficult\r\ndue to Salt Typhoon’s use of sophisticated evasion techniques, with much activity attributed based on\r\ninferences rather than direct first-party evidence. \r\nHowever, these vulnerabilities deserve attention regardless of their specific attribution status, since network\r\ndevices continue to be frequently targeted by multiple threat actor groups, and all have patches available. \r\nComparing Six-Month Exposure Trends Across All Affected Devices\r\nFor each device, we examine exposure trends over the past six months from October 2024 to April 2025 to assess\r\nhow the attack surface landscape has evolved in the aftermath of public disclosure of Salt Typhoon’s recent\r\ncampaign against telecommunications companies and the federal government.\r\nNote that Sophos XG Firewall data uses a different vertical scale to properly visualize its\r\nsignificantly higher exposure count compared to the other studied devices.\r\nCurrent Levels of Exposure:\r\nThese trends reveal a few key insights:\r\nThe combined exposure of network devices tracked in this analysis has decreased by 25% since October\r\n2024. 
This could be due to any number of reasons, such as a shift in defensive posture\r\nor increased awareness of these risks.\r\nThis reduction was driven primarily by Sophos Firewall web interfaces, which saw a 35% drop (over\r\n70,000 fewer exposed instances), marking the most significant decline across all platforms.\r\nCisco IOS XE WebUI exposures were the exception, increasing by approximately 7% (over 3,000\r\nadditional instances), making it the only platform to show a net increase in publicly accessible interfaces.\r\nIvanti Connect Secure and FortiClient EMS exposures showed minor decreases, down 13% and 3%\r\nrespectively, indicating more consistent—but still exposed—attack surfaces.\r\nThe current absolute scale of exposure as of April 2025 varies widely across different devices–Sophos\r\nFirewall web interfaces account for around 133,000 exposed instances compared to about 3,000\r\nfor FortiClient EMS–suggesting a larger potential attack surface for Cisco-related vulnerabilities.\r\nCisco IOS XE’s upward trend in exposure, despite increased attention to its vulnerabilities and active\r\nexploitation by threat actors, raises important questions about why these interfaces remain publicly\r\naccessible online–given that they are primarily intended for device management and configuration, not for\r\npublic-facing services. Cisco has recommended mitigating CVE-2023-20198 by limiting access to the\r\nHTTP Server to trusted networks to reduce exposure to these vulnerabilities.\r\nIn the following section, we examine each potentially targeted vulnerability, assessing its reported connection to\r\nSalt Typhoon and analyzing both current and historical exposure levels. 
While these devices are all publicly\r\naccessible, not all are necessarily vulnerable—yet their presence alone expands the attack surface and renders\r\norganizations more at risk of opportunistic scanning by threat actors. Even patched systems can be at risk if valid\r\ncredentials are compromised, making consistent exposure monitoring essential. This is especially critical for\r\nsectors like telecommunications and government, which remain key targets for Salt Typhoon.\r\nSophos Firewall RCE [CVE-2022-3236]\r\nVulnerability Type: Code Injection / RCE\r\nAffected Products: Sophos Firewall v19.0 MR1 (19.0.1) and older\r\nCVSS Score: 9.8\r\nTechnical Impact: Exploitable via the User Portal or Webadmin, allowing remote code execution\r\nwithout authentication. \r\nThis critical vulnerability enabled unauthenticated RCE through the web interfaces of certain versions of Sophos\r\nFirewalls. Trend Micro’s research on Salt Typhoon (dubbed “Earth Estries”) noted a potential connection to this\r\nvulnerability, stating they “currently only have low confidence that Earth Estries has previously deployed the\r\nMASOL RAT through CVE-2022-3236” and that they “cannot rule out the possibility that MASOL RAT is a shared\r\ntool among limited Chinese APT threat groups.”\r\nExposure Snapshot: As of April 2025, Censys observed 132,997 exposed Sophos XG Firewall web interfaces,\r\nof which 9,462 were explicitly advertising a version that may potentially be vulnerable to CVE-2022-3236.\r\nComparatively, there were 204,569 overall exposed devices in October 2024. That’s a marked reduction of nearly\r\n35% in exposures, and the most dramatic decrease we saw across all the network device products we tracked.\r\nThis graph shows a gradual but steady decline in exposed Sophos Firewall XG web interfaces over the past six\r\nmonths, with a total drop of 71,572 devices since October 2024. 
Notably, January saw a brief and unusual spike—\r\nexposures increased by over 10,000 devices, followed quickly by a sharp drop. This type of rapid change is rare\r\nfor firewall products, which typically have stable configurations, and this pattern doesn’t align with any known\r\nSophos vulnerability disclosures or security advisories. One possible explanation is that the spike reflects a wave\r\nof honeypot deployments or new service configurations prompted by increased threat intelligence and vendor\r\nalerts related to Salt Typhoon activity at the start of the new year.\r\nWe then examined where most of the current exposures are hosted geographically, with exposure data from April\r\n22, 2025.\r\nInterestingly, Germany appears to have a dramatically higher concentration of Sophos exposures with 38,787\r\ninstances, more than double the 16,589 found in the United States. This is particularly striking given that Germany\r\nhosts far fewer internet-facing services than the U.S. overall. \r\nCisco IOS XE Web UI Privilege Escalation [CVE-2023-20198] and Command Injection [CVE-2023-20273]\r\nCVE-2023-20198:\r\nVulnerability Type: Privilege Escalation Vulnerability\r\nAffected Products: Web feature in Cisco IOS XE software\r\nCVSS Score: 10.0\r\nTechnical Impact: This vulnerability allows unauthenticated attackers to create a privileged level 15 user\r\naccount through the Web UI. Combined with CVE-2023-20273, it enables full control over vulnerable\r\nCisco IOS XE devices. 
\r\nCVE-2023-20273:\r\nVulnerability Type: Command Injection Vulnerability\r\nAffected Products: Web feature in Cisco IOS XE software\r\nCVSS Score: 7.2\r\nTechnical Impact: This vulnerability allows an authenticated attacker to perform command injection with\r\nroot privileges. Combined with CVE-2023-20198, it enables full control over vulnerable Cisco IOS XE\r\ndevices. \r\nCVE-2023-20198 is one of the more severe network device vulnerabilities of the past few years, allowing\r\nunauthenticated remote attackers to create admin accounts and compromise affected devices. RecordedFuture\r\nreported observing Salt Typhoon exploiting this vulnerability in a chain along with CVE-2023-20273 against\r\ndevices associated with telecommunications providers in particular, noting: “RedMike has attempted to exploit\r\nover 1,000 internet-facing Cisco network devices worldwide, primarily those associated with telecommunications\r\nproviders, using a combination of two privilege escalation vulnerabilities: CVE-2023-20198 and CVE-2023-20273.” They have then been observed to change device configurations and establish GRE tunnels for persistent\r\naccess.\r\nExposure Snapshot: As of April 2025, Censys observed 50,394 exposed devices that may potentially be affected\r\nby CVE-2023-20198 and CVE-2023-20273 compared to 47,219 exposed devices in October 2024. This snapshot\r\nreflects the total number of exposed, but not necessarily vulnerable, devices, as we do not have specific version\r\ninformation available. \r\nInterestingly, the number of exposed devices increased moderately from October to December 2024, climbing by\r\n4,000 devices, before plateauing at around 50,000 instances. The minor monthly fluctuations in device counts\r\nlikely represent routine infrastructure changes rather than coordinated patching or segmentation efforts. 
This\r\nrelatively high level of exposure is concerning given the widespread warnings of exploitation of this threat.\r\nThe United States currently hosts the most exposed Cisco IOS XE Web UIs as of April 22, 2025, with 7,778\r\ninstances. Overall, these exposures are mostly concentrated in the Americas, with five countries (U.S., Mexico,\r\nPeru, Brazil, and Chile) accounting for 60% of the top exposures worldwide. \r\nIvanti Connect Secure Authentication Bypass [CVE-2023-46805] and Command Injection [CVE-2024-21887]\r\nCVE-2023-46805:\r\nVulnerability Type: Authentication Bypass\r\nAffected Products: Ivanti Connect Secure and Policy Secure\r\nCVSS Score: 8.2\r\nTechnical Impact: Allows unauthenticated attackers to bypass authentication controls. Commonly\r\nexploited in conjunction with CVE-2024-21887, enabling remote command execution and full system\r\ncompromise.\r\nCVE-2024-21887:\r\nVulnerability Type: Command Injection\r\nAffected Products: Ivanti Connect Secure and Policy Secure\r\nCVSS Score: 9.1\r\nTechnical Impact: Allows remote, unauthenticated attackers to execute commands with elevated\r\nprivileges, potentially leading to full system compromise.\r\nTrend Micro’s report on Earth Estries/Salt Typhoon states that the group actively exploits Ivanti Connect Secure\r\nVPN flaws to establish initial access to targeted networks. Their report notes a connection between specific\r\ncommand and control infrastructure and IoCs of the Ivanti exploits: “The frpc C\u0026C 165.154.227[.]192 could be\r\nlinked to an SSL certificate (SHA256: 2b5e7b17fc6e684ff026df3241af4a651fc2b55ca62f8f1f7e34ac8303db9a31)\r\npreviously used by ShadowPad, which is another shared tool among several Chinese APT groups. 
In addition, the\r\nC\u0026C IP address was also mentioned in a Fortinet report and indicators of compromise related to the Ivanti\r\nexploit.”\r\nExposure Snapshot: As of April 2025, Censys observed 22,958 exposed devices that may potentially be\r\nvulnerable to CVE-2023-46805, with 5,290 advertising a software version that is vulnerable to the exploit. By\r\ncontrast, we saw 26,367 exposed devices in October 2024.\r\nThere was a noticeable spike of 3,000 additional exposed Ivanti Connect Secure instances online in mid-December 2024–the timing of which interestingly coincided with Ivanti’s disclosure of six additional\r\nvulnerabilities in their Connect Secure and Policy Secure products. It’s possible that a portion of these new hosts\r\nwere honeypots deployed by organizations in response to the advisory–although it is odd that the increase was gradual\r\nand started back in early November. Since then, exposure has steadily declined, although at a slow pace. \r\nAdditionally, on April 23 GreyNoise “observed a 9X spike in suspicious scanning activity targeting Ivanti Connect\r\nSecure (ICS) or Ivanti Pulse Secure (IPS) VPN systems.” They noted seeing 230 malicious IPs scanning ICS/IPS\r\nendpoints and suggested this activity may be related to “coordinated reconnaissance and possible preparation for\r\nfuture exploitation.”\r\nAs of April 22, 2025, the United States has the highest concentration of Ivanti Connect Secure exposures, with\r\n5,194 instances–more than double Japan’s 2,207 exposures in second place and over four times the exposure count\r\nof any other country in the top ten. 
Other exposures are spread broadly across Asia, Europe, and North America.\r\nFortinet FortiClient EMS SQL Injection [CVE-2023-48788]\r\nVulnerability Type: SQL Injection\r\nAffected Products: FortiClient Enterprise Management Server (EMS)\r\nCVSS Score: 9.8\r\nTechnical Impact: Allows unauthenticated, remote attackers to execute arbitrary SQL queries via\r\nspecially crafted requests. Successful exploitation can lead to unauthorized access and potential\r\nsystem control.\r\nThis critical vulnerability affects the FortiClient Enterprise Management Server (EMS), a central management\r\nsolution for enterprise endpoints. FortiGuard’s threat intelligence specifically identifies CVE-2023-48788 among\r\nthe key vulnerabilities exploited by Salt Typhoon, listing it alongside other “Known Infection Vectors” leveraged\r\nin their operations targeting infrastructure in the United States, Southeast Asia, and various African countries.\r\nExposure Snapshot: As of April 2025, Censys observed 2,800 exposed FortiClient EMS instances that may\r\npotentially be vulnerable to CVE-2023-48788, with 43 specifically exposing a version that is potentially\r\nvulnerable to the exploit. By contrast, we saw 2,888 exposed devices in October 2024.\r\nOver the past six months, exposed instances showed a mild initial rise by nearly 90 instances between October and\r\nDecember 2024, followed by a 14% decline through the end of the year to 2,562 instances by early January 2025,\r\nand a subsequent steady increase since. 
Rather than showing progress toward reducing the attack surface, these\r\nfluctuations likely indicate routine infrastructure changes happening as organizations decommission and deploy\r\nnew potentially vulnerable instances.\r\nAs of April 22, 2025, the United States has the highest concentration of FortiClient EMS exposures by far, with\r\n1,071 instances. Other instances are observed sparingly in Europe, Asia, and Africa.\r\nTakeaways\r\nOur six-month analysis paints a concerning picture: despite growing public awareness of Salt Typhoon’s activity,\r\nthere has been little meaningful reduction in exposed, reportedly targeted devices on the public internet—just 25%\r\nsince October 2024. This decline is largely attributable to the large drop in Sophos Firewall exposures, while most other\r\nplatforms, including Ivanti and FortiClient EMS, show only minimal change. Somewhat perplexingly, exposures\r\nof Cisco IOS XE—one of the platforms that’s arguably most clearly linked to Salt Typhoon exploitation—have\r\nactually increased, albeit minimally.\r\nThough most exposed devices remain concentrated in the United States, Sophos Firewalls stand out as an\r\nexception, with the majority located in Germany—hinting at possible regional differences in threat visibility.\r\nIt’s entirely possible that some of these instances may be intentional honeypots, as hinted at by sudden spikes in\r\nexposure coinciding with vulnerability disclosures, but the broader long-term exposure trends suggest that many\r\norganizations are still struggling to reduce their attack surface. 
It’s also clear that defenders face particularly difficult\r\nchallenges in responding to this threat—especially given the combination of limited actionable\r\nintelligence, stealthy tactics, and the difficulty of securing widely deployed, internet-facing infrastructure.\r\nIt remains challenging to find publicly available, first-party sources for Salt Typhoon IoCs and TTPs. Many of the\r\nreports referenced above cite reports by other authors rather than their own verified telemetry. These reports\r\nare still useful, but the lack of primary sources for Salt Typhoon technical indicators has created frustration in an\r\nindustry that often leans on the maxim “trust, but verify.” \r\nWhile the vulnerabilities examined above gained additional notoriety through association with Salt Typhoon,\r\nthey’re notable for another reason: they are all critical or high severity vulnerabilities in commonly targeted edge\r\ndevices. Even if Salt Typhoon never leveraged these particular vulnerabilities, other threat actors would continue\r\nto target these devices as they can be an excellent entry point to enterprise networks.\r\nEven when not directly vulnerable, the ongoing exposure of these devices poses meaningful security risks. Their\r\npresence on the public internet broadens the attack surface and offers threat actors like Salt Typhoon continued\r\nopportunities for reconnaissance and unauthorized access. 
For sectors like telecommunications and government—\r\nfrequent targets in Salt Typhoon campaigns—this underscores the urgent need for proactive monitoring, even\r\namong organizations that may not yet recognize themselves as potential targets.\r\nReferences\r\nStrengthening America’s Resilience Against the PRC Cyber Threats: https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats\r\nGreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon\r\nAttacks: https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-cisco-vulnerabilities-tied-to-salt-typhoon-attacks\r\nWeathering the storm: In the midst of a Typhoon: https://blog.talosintelligence.com/salt-typhoon-analysis/\r\nSuspected China-linked hack on US telecoms worst in nation’s history, senator\r\nsays: https://www.reuters.com/business/media-telecom/suspected-china-linked-hack-us-telecoms-worst-nations-history-senator-says-2024-11-22/\r\nSweeping Chinese hack of U.S. 
telecoms firms is ‘still going on,’ homeland security secretary\r\nsays: https://www.nbcnews.com/politics/national-security/vast-chinese-hack-eight-us-telecoms-firms-still-going-official-says-rcna181319\r\nInfographic: A History of Network Device Threats and What Lies\r\nAhead: https://eclypsium.com/blog/infographic-a-history-of-network-device-threats-and-what-lies-ahead/\r\nSophos Firewall: Verify if the hotfix for CVE-2022-3236 is\r\napplied: https://support.sophos.com/support/s/article/KBA-000008718?language=en_US\r\nDetermine Fix for IOS XE Software Web UI: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html?\r\nKB CVE-2023-46805 (Authentication Bypass) \u0026 CVE-2024-21887 (Command Injection) for Ivanti\r\nConnect Secure and Ivanti Policy Secure Gateways: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US\r\nPervasive SQL injection in DAS component: https://www.fortiguard.com/psirt/FG-IR-24-007\r\nNVD Advisory CVE-2022-3236: https://nvd.nist.gov/vuln/detail/CVE-2022-3236\r\nNVD Advisory CVE-2023-20198: https://nvd.nist.gov/vuln/detail/CVE-2023-20198\r\nNVD Advisory CVE-2023-20273: https://nvd.nist.gov/vuln/detail/cve-2023-20273\r\nNVD Advisory CVE-2023-46805: https://nvd.nist.gov/vuln/detail/CVE-2023-46805\r\nNVD Advisory CVE-2024-21887: https://nvd.nist.gov/vuln/detail/CVE-2024-21887\r\nNVD Advisory CVE-2023-48788: https://nvd.nist.gov/vuln/detail/CVE-2023-48788\r\nGame of Emperor: Unveiling Long Term Earth Estries Cyber\r\nIntrusions: https://www.trendmicro.com/en_us/research/24/k/earth-estries.html\r\nRedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications\r\nProviders: https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices\r\nDecember 2024 Security Advisory Ivanti Connect 
Secure (ICS) and Ivanti Policy Secure (IPS) (Multiple\r\nCVEs): https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs?language=en_US\r\n9X Surge in Ivanti Connect Secure Scanning Activity: https://www.greynoise.io/blog/surge-ivanti-connect-secure-scanning-activity\r\nThreat Actor – Salt Typhoon: https://www.fortiguard.com/threat-actor/5557/salt-typhoon\r\nThe Censys ARC Research Team\r\nCensys ARC is a team of elite security and threat researchers dedicated to identifying, analyzing, and shedding\r\nlight on Internet phenomena that impact our world. Using Censys’ Map of the Internet — the world’s most\r\ncomprehensive, accurate, and up-to-date source for Internet infrastructure — ARC investigates and measures the\r\nentirety of the public Internet to share critical and emerging threat intelligence and insights with organizations\r\naround the world. \r\nSource: https://censys.com/blog/the-persistent-threat-of-salt-typhoon-tracking-exposures-of-potentially-targeted-devices",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://censys.com/blog/the-persistent-threat-of-salt-typhoon-tracking-exposures-of-potentially-targeted-devices"
	],
	"report_names": [
		"the-persistent-threat-of-salt-typhoon-tracking-exposures-of-potentially-targeted-devices"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434179,
	"ts_updated_at": 1775792068,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d365ab462127b407a36eb3696d11e2fcdf1a0508.pdf",
		"text": "https://archive.orkl.eu/d365ab462127b407a36eb3696d11e2fcdf1a0508.txt",
		"img": "https://archive.orkl.eu/d365ab462127b407a36eb3696d11e2fcdf1a0508.jpg"
	}
}