The recent attacks allegedly carried out by the Chinese group Salt Typhoon against telecommunications companies and countries, Brazil reportedly among them, have left the whole world on alert. News reports speak of the level of sophistication of the intrusions and, what is more alarming, the criminals would theoretically still be inside the networks of these companies.
The first information about this group came in 2021, when Microsoft's Threat Intelligence team released details of how China had successfully infiltrated several internet service providers to surveil companies and capture data. One of the group's first attacks started from a breach of Cisco routers, which served as a gateway to monitor the internet activity passing through these devices. Once access was obtained, the hackers were able to expand their reach to additional networks. In October 2021, Kaspersky confirmed that the cybercriminals had already expanded their attacks to other countries, such as Vietnam and Indonesia.
If the first vulnerabilities were already known in 2021, why were we still attacked? The answer lies precisely in how we deal with these vulnerabilities on a daily basis.
Intrusion method
Now, in recent days, government sources have confirmed a series of attacks on companies and countries that started from known vulnerabilities in a VPN application from the manufacturer Ivanti, in Fortinet FortiClient EMS (used to monitor servers), in Sophos firewalls and also in Microsoft Exchange servers.
Microsoft's vulnerability was disclosed in 2021, and shortly thereafter the company published the fixes. The flaw in the Sophos firewalls was published in 2022 and corrected in September 2023. The problems found in FortiClient became public in 2023 and were corrected in March 2024, as were those of Ivanti, which also had their CVEs (Common Vulnerabilities and Exposures) registered in 2023. The company, however, only corrected the vulnerability last October.
All of these vulnerabilities allowed the criminals to infiltrate the attacked networks with ease, using legitimate credentials and software, which makes detecting these intrusions almost impossible. From there, the criminals moved laterally within these networks, deploying malware that supported their long-term espionage work.
What is alarming about the recent attacks is that the methods used by the Salt Typhoon hackers are consistent with the long-term tactics observed in previous campaigns attributed to Chinese state actors. These methods include using legitimate credentials to mask malicious activity as routine operations, making it difficult for conventional security systems to identify. The focus on widely used software such as VPNs and firewalls demonstrates in-depth knowledge of the vulnerabilities in corporate and government environments.
The vulnerability problem
The vulnerabilities exploited also reveal a worrying pattern: delays in applying patches and updates. Despite the fixes made available by manufacturers, the operational reality of many companies makes it difficult to implement these solutions immediately. Compatibility testing, the need to avoid disruptions to mission-critical systems and, in some cases, a lack of awareness of the severity of the flaws all contribute to a longer window of exposure.
This issue is not only technical, but also organizational and strategic, involving processes, priorities and, often, corporate culture.
A critical aspect is that many companies treat patch application as a "secondary" task compared to operational continuity. This creates the so-called downtime dilemma, in which leaders must choose between a momentary service disruption to upgrade systems and the potential risk of future exploitation. However, the recent attacks show that delaying these updates can be far more expensive, both financially and reputationally.
In addition, compatibility testing is a common bottleneck. Many enterprise environments, especially in industries such as telecommunications, operate with a complex mix of legacy and modern technologies. This means each update requires considerable effort to ensure that the patch does not cause problems in dependent systems. This kind of care is understandable, but it can be eased by adopting practices such as more robust test environments and automated validation processes.
Another factor that contributes to delays in applying patches is the lack of awareness of the severity of the flaws. IT teams often underestimate the importance of a specific CVE, especially when it has not yet been widely exploited. The problem is that the attackers' window of opportunity can open before organizations realize how serious the issue is. This is a field where threat intelligence and clear communication between technology vendors and companies can make all the difference.
Finally, companies need to adopt a more proactive and prioritized approach to vulnerability management. This includes automating patching processes, segmenting networks to limit the impact of any intrusion, and routinely simulating possible attacks, which helps to find potential "weak points".
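The practices listed above come down to knowing how long each fix has been available and which unpatched systems matter most. The following Python script, added here as an illustration and not part of the original article, ranks unpatched assets by their exposure window (days since the vendor's fix was released), weights vulnerabilities that are known to be exploited and systems that face the internet, and flags findings that have passed a patching deadline. The asset inventory, CVE identifiers, dates and deadline values are constructed for the example; a real deployment would load them from a vulnerability-scanner export and a known-exploited-vulnerabilities list such as CISA's KEV catalog.

```python
"""Patch-prioritization helper: rank unpatched findings by exposure window.

All data below is constructed for illustration; the CVE identifiers are
placeholders and do not refer to real advisories.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Maximum days allowed between a fix being released and it being applied.
# Constructed policy values: exploited-in-the-wild flaws get a short deadline.
SLA_DAYS = {"known_exploited": 14, "default": 90}


@dataclass(frozen=True)
class Advisory:
    cve: str               # placeholder identifier
    product: str           # product the advisory applies to
    fix_released: date     # date the vendor published a fix
    known_exploited: bool  # present in a known-exploited list (e.g. CISA KEV)


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    patched: bool
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    exposure_days: int   # days the fix has been available but not applied
    score: int           # higher means patch first
    sla_breached: bool


def exposure_days(advisory: Advisory, today: date) -> int:
    """Days elapsed since the fix became available (never negative)."""
    return max(0, (today - advisory.fix_released).days)


def sla_for(advisory: Advisory) -> int:
    return SLA_DAYS["known_exploited"] if advisory.known_exploited else SLA_DAYS["default"]


def assess(asset: Asset, advisory: Advisory, today: date) -> Finding:
    """Score one unpatched asset/advisory pair.

    Exposure time is the base; a known-exploited flaw is weighted x3 and an
    internet-facing system x2, because those are the systems an attacker can
    reach first with the least effort.
    """
    days = exposure_days(advisory, today)
    score = days * (3 if advisory.known_exploited else 1) * (2 if asset.internet_facing else 1)
    return Finding(asset.name, advisory.cve, days, score, days > sla_for(advisory))


def prioritise(assets: List[Asset], advisories: List[Advisory], today: date) -> List[Finding]:
    """Return findings for every unpatched asset, highest score first."""
    by_product: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    findings = [
        assess(asset, adv, today)
        for asset in assets
        if not asset.patched
        for adv in by_product.get(asset.product, [])
    ]
    findings.sort(key=lambda f: (-f.score, f.asset, f.cve))
    return findings


# Constructed sample data mirroring the article's pattern: fixes released long
# ago, some systems still unpatched, some of them exposed to the internet.
TODAY = date(2024, 12, 1)
SAMPLE_ADVISORIES = [
    Advisory("CVE-0000-0001", "vpn-gateway", date(2023, 9, 1), True),
    Advisory("CVE-0000-0002", "edge-firewall", date(2024, 3, 15), True),
    Advisory("CVE-0000-0003", "mail-server", date(2024, 10, 1), False),
]
SAMPLE_ASSETS = [
    Asset("vpn-01", "vpn-gateway", patched=False, internet_facing=True),
    Asset("fw-dmz", "edge-firewall", patched=False, internet_facing=True),
    Asset("fw-internal", "edge-firewall", patched=True, internet_facing=False),
    Asset("mail-01", "mail-server", patched=False, internet_facing=False),
]


def run_sample() -> List[Finding]:
    return prioritise(SAMPLE_ASSETS, SAMPLE_ADVISORIES, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        flag = "PAST SLA" if f.sla_breached else "ok"
        print(f"{f.asset:12} {f.cve:14} exposed {f.exposure_days:4d} days  score {f.score:5d}  {flag}")
```

The scoring weights are deliberately simple so the output stays explainable to the leaders who face the "downtime dilemma": a line reading "exposed 457 days, past SLA" makes the cost of waiting concrete in a way a raw CVSS number does not. Patched assets drop out entirely, so the list only ever shows work that remains.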
The issue of patch and update delays is not only a technical challenge, but also an opportunity for organizations to transform their approach to security, making it more agile, adaptable and resilient. Above all, this mode of operation is not new: hundreds of other attacks follow the same modus operandi, using known vulnerabilities as the gateway. Learning this lesson can be the difference between being a victim and being prepared for the next attack.