Cybersecurity Threats: Salt Typhoon and CL-STA-0048

Govind Kumar
Govind Kumar

Co-founder/CPO

 
February 21, 2025 3 min read

Salt Typhoon Targeting Cisco Devices

China’s Salt Typhoon campaign has been actively breaching telecommunications companies, with researchers identifying attempts to compromise over 1,000 Cisco network devices globally. This includes targeting organizations in the U.S., South Africa, Italy, and Thailand. The group seems to have created a list of target devices based on their association with telecom networks. In December alone, the Insikt Group observed the hackers conducting reconnaissance on various IP addresses. Phone lines Image courtesy of The Record from Recorded Future News More than half of the Cisco devices targeted by Salt Typhoon were located in the U.S., South America, and India. The group has also aimed at devices connected to universities across several countries, likely to access sensitive research in telecommunications and technology. U.S. officials have raised alarms about Salt Typhoon, noting breaches at nine major U.S. telecommunications companies, including Verizon and T-Mobile. The hackers exploit unpatched vulnerabilities in Cisco devices, specifically targeting bugs such as CVE-2023-20198 and CVE-2023-20273. Insikt Group advised network administrators to monitor for potential exploitation, as the group has been seen scanning for vulnerable devices multiple times in December and January.

Vulnerabilities Exploited by Salt Typhoon

Salt Typhoon employs sophisticated tactics to exploit known vulnerabilities, which are crucial for gaining initial access to victim networks. The group has targeted the telecommunications sector extensively. The known CVEs exploited include CVE-2021-26855 (Microsoft Exchange) and CVE-2022-3236 (Sophos Firewall). RF map.jpg Image courtesy of Recorded Future Despite patches being available, many organizations remain vulnerable. For instance, a staggering 91% of devices impacted by ProxyLogon remain unpatched. The focus on securing Cisco devices is critical, as CISA has urged organizations to disable Cisco’s Smart Install service, which is commonly abused by attackers.

CL-STA-0048: Espionage in South Asia

The CL-STA-0048 espionage campaign has been identified as targeting high-value entities in South Asia, using advanced techniques like DNS exfiltration. This operation aimed to steal personal information from government employees and sensitive data from telecommunications organizations. The threat actors exploited vulnerabilities across various services, including IIS, Apache Tomcat, and MSSQL. They demonstrated a methodical approach by targeting public-facing servers and using rare tools for data exfiltration. Such activities underscore the necessity for organizations to prioritize patching and adhere to best practices in IT hygiene. Clock Icon

Techniques and Tools Used by CL-STA-0048

The campaign utilized the PlugX backdoor, a well-known remote access tool, to maintain persistent access. The attackers employed a method known as Hex Staging to deliver payloads in chunks, resulting in a complex infiltration process. The usage of tools like PowerShell for reconnaissance and the SQLcmd utility for data theft exemplifies the sophistication of the group. Their activities highlight the urgent need for robust cybersecurity measures to defend against such advanced persistent threats.

Enhancing Cybersecurity with GrackerAI

Organizations must remain vigilant against sophisticated threats like Salt Typhoon and CL-STA-0048. GrackerAI, an AI-powered cybersecurity marketing platform, helps organizations transform security news into strategic content opportunities. By leveraging GrackerAI, marketing teams can identify emerging trends, monitor threats, and produce content that resonates with cybersecurity professionals. For organizations looking to enhance their cybersecurity posture and marketing strategies, exploring the services offered by GrackerAI is essential. Visit GrackerAI to learn more or contact us for tailored solutions.

Govind Kumar
Govind Kumar

Co-founder/CPO

 

Product visionary and cybersecurity expert who architected GrackerAI's 40+ portal templates that generate 100K+ monthly visitors. Transforms complex security data into high-converting SEO assets that buyers actually need.

Related Articles

The Question Hub Strategy: How B2B SaaS Companies Capture AI Search Traffic

Learn how B2B SaaS companies use Question Hub strategy to capture ChatGPT, Claude & Perplexity traffic. 5-step process with real case studies & results.

By Deepak Gupta July 23, 2025 3 min read
Read full article

Google Adds Comparison Mode for Real-Time SEO Checks

Use Google’s new Search Console comparison mode for hourly SEO audits. Perfect for SaaS & cybersecurity marketers tracking real-time changes.

By Ankit Agarwal July 18, 2025 3 min read
Read full article

2025 Programmatic SEO Playbook: AI, Real-Time Data, and Market Domination

Master 2025 programmatic SEO with AI-powered content, real-time data integration, and dynamic optimization. Includes implementation guide and competitive advantages.

By Deepak Gupta July 6, 2025 10 min read
Read full article

Quality at Scale: How AI Solves Programmatic SEO's Biggest Challenge

Discover how AI transforms thin programmatic content into high-quality pages that survive Google's 2025 updates. Includes quality metrics and implementation guide.

By Deepak Gupta July 6, 2025 13 min read
Read full article