The recent attacks allegedly carried out by the Chinese group Salt Typhoon against telecommunications companies and countries, Brazil reportedly among them, have put the whole world on alert. News reports describe the level of sophistication of the intrusions and, more alarmingly, the criminals are, in theory, still inside the networks of these companies.
The first information about this group emerged in 2021, when Microsoft's Threat Intelligence team released details on how China had successfully infiltrated several internet service providers in order to monitor those companies and capture data. One of the first attacks carried out by the group started from a breach of Cisco routers, which served as a gateway to monitor internet activity passing through these devices. Once access was obtained, the hackers were able to expand their reach to additional networks. In October 2021, Kaspersky confirmed that the cybercriminals had already expanded their attacks to other countries, such as Vietnam, Indonesia, Thailand, Malaysia, Egypt, Ethiopia and Afghanistan.
If the first vulnerabilities have been known since 2021, why were we still attacked? The answer lies precisely in how we deal with these vulnerabilities in our daily operations.
Intrusion method
Now, in recent days, information from the U.S. government confirmed a series of attacks on "companies and countries", which would have happened through known vulnerabilities in a VPN application from the manufacturer Ivanti, in Fortinet FortiClient EMS, used for monitoring servers, in Sophos firewalls and also in Microsoft Exchange servers.
The Microsoft vulnerability was disclosed in 2021, and the company published the corrections right afterwards. The vulnerability in Sophos firewalls was published in 2022 and corrected in September 2023. The problems found in FortiClient became public in 2023 and were corrected in March 2024, as were those from Ivanti, which also had their CVEs (Common Vulnerabilities and Exposures) registered in 2023. That company, however, only fixed the vulnerability last October.
All these vulnerabilities allowed the criminals to infiltrate the attacked networks easily, using legitimate credentials and software, which makes detecting these intrusions almost impossible. From there, the criminals moved laterally within these networks, implanting malware that supported the long-term espionage work.
What is alarming about the recent attacks is that the methods used by the hackers of the Salt Typhoon group are consistent with the long-term tactics observed in previous campaigns attributed to Chinese state agents. These methods include the use of legitimate credentials to disguise malicious activities as routine operations, making them difficult for conventional security systems to identify. The focus on widely used software, such as VPNs and firewalls, demonstrates an in-depth knowledge of the vulnerabilities present in corporate and government environments.
The problem of vulnerabilities
The exploited vulnerabilities also reveal a concerning pattern: delays in the application of patches and updates. Despite the corrections provided by the manufacturers, the operational reality of many companies hinders the immediate deployment of these fixes. Compatibility tests, the need to avoid interruptions in mission-critical systems and, in some cases, a lack of awareness about the seriousness of the flaws all contribute to widening the exposure window.
This issue is not just technical, but also organizational and strategic, involving processes, priorities and, many times, corporate culture.
A critical aspect is that many companies treat patch application as a "secondary" task compared to operational continuity. This creates the so-called downtime dilemma, in which leaders must choose between temporarily interrupting services to update systems and accepting the risk of a future exploitation. However, the recent attacks show that delaying these updates can be far more expensive, both in financial and reputational terms.
Furthermore, compatibility testing is a common bottleneck. Many corporate environments, especially in sectors such as telecommunications, operate with a complex combination of legacy and modern technologies. This means that each update requires considerable effort to ensure that the patch does not cause issues in dependent systems. This kind of caution is understandable, but its cost can be reduced by adopting practices such as more robust testing environments and automated validation processes.
Another point that contributes to the delay in applying patches is the lack of awareness about the severity of the vulnerabilities. IT teams often underestimate the importance of a specific CVE, mainly when it has not yet been widely exploited. The problem is that the window of opportunity for attackers may open before organizations realize the severity of the issue. This is a field where threat intelligence and clear communication between technology providers and companies can make all the difference.
Finally, companies need to adopt a more proactive and prioritized approach to vulnerability management, which includes automating patching processes, segmenting networks to limit the impact of possible intrusions, and routinely simulating attacks, which helps to find the potential "weak points".
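The "exposure window" and "prioritized approach" the two preceding paragraphs describe can be made concrete with a small backlog tracker. The following is an added example, not code from the article or from any of the vendors it names: it takes a constructed list of findings (the CVE identifiers are placeholders, not real CVEs), computes how long each asset has been exposed since disclosure, applies a patch SLA that is shorter for internet-facing or known-exploited flaws, and orders the open findings by a priority score. The field names, the SLA lengths (7 and 30 days) and the score weights are assumptions chosen for illustration.

```python
"""Exposure-window and patch-priority tracker (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Finding:
    cve: str                        # placeholder identifier, not a real CVE
    asset: str
    cvss: float                     # base score from the advisory
    disclosed: date                 # date the vendor advisory was published
    patch_available: Optional[date]  # None if the vendor has not shipped a fix
    patch_applied: Optional[date]    # None while the finding is still open
    known_exploited: bool           # threat intelligence says it is exploited in the wild
    internet_facing: bool           # reachable from outside the network


def exposure_days(f: Finding, today: date) -> int:
    """Days from disclosure until the patch was applied (or until today if open)."""
    end = f.patch_applied or today
    return (end - f.disclosed).days


def sla_days(f: Finding) -> int:
    """Assumed patch SLA: 7 days for exposed or exploited flaws, 30 otherwise."""
    return 7 if (f.known_exploited or f.internet_facing) else 30


def is_overdue(f: Finding, today: date) -> bool:
    """True when a fix exists, is not yet applied, and the SLA has lapsed."""
    if f.patch_applied is not None or f.patch_available is None:
        return False
    return (today - f.patch_available).days > sla_days(f)


def priority_score(f: Finding, today: date) -> float:
    """CVSS plus assumed weights for exploitation, exposure and backlog age.

    Age contributes up to 3 points (one per 30 days open) so that an old
    medium-severity flaw does not sit behind fresh ones forever.
    """
    score = f.cvss
    if f.known_exploited:
        score += 4.0
    if f.internet_facing:
        score += 2.0
    score += min(exposure_days(f, today) / 30.0, 3.0)
    return round(score, 1)


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings, highest priority first."""
    open_findings = [f for f in findings if f.patch_applied is None]
    return sorted(open_findings, key=lambda f: priority_score(f, today), reverse=True)


def overdue_findings(findings: List[Finding], today: date) -> List[Finding]:
    return [f for f in findings if is_overdue(f, today)]


# Constructed sample backlog; dates and identifiers are invented.
TODAY = date(2024, 12, 1)
BACKLOG = [
    Finding("CVE-0000-0001", "vpn-gw-01", 9.8, date(2023, 8, 1),
            date(2023, 9, 15), None, known_exploited=True, internet_facing=True),
    Finding("CVE-0000-0002", "mail-01", 7.5, date(2024, 10, 20),
            date(2024, 11, 10), None, known_exploited=False, internet_facing=False),
    Finding("CVE-0000-0003", "fw-edge-02", 8.1, date(2024, 11, 1),
            date(2024, 11, 5), date(2024, 11, 12), known_exploited=False, internet_facing=True),
]


def report(findings: List[Finding], today: date) -> List[str]:
    """One line per open finding, in priority order, flagging SLA breaches."""
    lines = []
    for f in prioritize(findings, today):
        flag = "OVERDUE" if is_overdue(f, today) else "within SLA"
        lines.append(f"{f.asset:12} {f.cve:14} score={priority_score(f, today):5.1f} "
                     f"exposed={exposure_days(f, today):4d}d {flag}")
    return lines


if __name__ == "__main__":
    for line in report(BACKLOG, TODAY):
        print(line)
```

Run as a script it prints the open backlog with the VPN gateway first: a year-old, exploited, internet-facing flaw with a long-available patch scores far above a recent mail-server issue that is still inside its SLA. The closed firewall finding drops out of the list but keeps its recorded 11-day exposure window, which is the number a team would track over time to see whether the window is shrinking.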
The issue of delays in patches and updates is not just a technical challenge, but also an opportunity for organizations to transform their security approach, making it more agile, adaptable and resilient. Above all, this mode of operation is not new: hundreds of other attacks are carried out with the same method, starting from vulnerabilities that are used as entry points. Taking this lesson to heart can be the difference between being a victim and being prepared for the next attack.