The Persistent Threat of Salt Typhoon: Tracking Exposures of Potentially Targeted Devices

April 28, 2025, 8:52 a.m.

Description

Salt Typhoon, a Chinese state-sponsored threat actor, has been targeting major telecommunications providers worldwide by exploiting vulnerabilities in network devices. This analysis tracks global exposures of internet-facing devices associated with Salt Typhoon activity over six months, including Sophos Firewalls, Cisco IOS XE WebUIs, Ivanti Connect Secure, and Fortinet FortiClient EMS systems. Overall combined exposure decreased by 25%, with Sophos Firewall interfaces showing the largest reduction. Cisco IOS XE was the only platform with increased exposure. Geographically, most exposures remain concentrated in the United States, except for Sophos XG Firewall exposures in Germany. The persistence of exposed devices raises questions about remediation efforts and organizational responses to these threats.

Attack Patterns

  • MASOL RAT
  • POISONPLUG.SHADOW
  • ShadowPad - S0596
  • Salt Typhoon

Additional Information

  • Telecommunications
  • Government
  • Germany
  • United States of America