The recent attacks allegedly carried out by the Chinese group Salt Typhoon on telecommunications companies and countries – including Brazil – have put the entire world on alert. News reports mention the level of sophistication of the invasions and, more alarmingly, the criminals are still supposedly inside these companies' networks.
The first information about this group emerged in 2021, when Microsoft's Threat Intelligence team released information about how China had successfully infiltrated several internet service providers to monitor companies and capture data. One of the first attacks carried out by the group was through a breach in Cisco routers, which served as a gateway to monitor internet activities occurring through these devices. Once access was obtained, hackers were able to expand their reach to additional networks. In October 2021, Kaspersky confirmed that cybercriminals had already expanded their attacks to other countries such as Vietnam, Indonesia, Thailand, Malaysia, Egypt, Ethiopia, and Afghanistan.
If the initial vulnerabilities have been known since 2021, why were we still attacked? The answer lies precisely in how we deal with these vulnerabilities day to day.
Intrusion method
In recent days, information from the U.S. government has confirmed a series of attacks on "companies and countries", which allegedly occurred through known vulnerabilities in a VPN application by Ivanti, in Fortinet FortiClient EMS, used for monitoring servers, in Sophos firewalls, and also in Microsoft Exchange servers.
The Microsoft vulnerability was disclosed in 2021, and the company released patches shortly thereafter. The Sophos firewall vulnerability was published in 2022 and fixed in September 2023. The issues found in FortiClient became public in 2023 and were fixed in March 2024, as were those in Ivanti, which also had their CVEs (Common Vulnerabilities and Exposures) registered in 2023. Ivanti, however, only fixed the vulnerability last October.
All these vulnerabilities allowed criminals to easily infiltrate the targeted networks using legitimate credentials and software, making detection of these intrusions almost impossible. From then on, the criminals moved laterally within these networks, deploying malware that aided in long-term espionage efforts.
What is alarming about the recent attacks is that the methods used by the hackers of the Salt Typhoon group are consistent with the long-term tactics observed in previous campaigns attributed to Chinese state agents. These methods include the use of legitimate credentials to mask malicious activities as routine operations, making it difficult for conventional security systems to identify them. The focus on widely used software, such as VPNs and firewalls, demonstrates an in-depth understanding of vulnerabilities in corporate and governmental environments.
The problem of vulnerabilities
The exploited vulnerabilities also reveal a concerning pattern: delays in applying patches and updates. Despite the corrections provided by manufacturers, the operational reality of many companies makes the immediate implementation of these solutions difficult. Compatibility tests, the need to avoid interruptions in mission-critical systems, and, in some cases, the lack of awareness of the severity of failures contribute to the increase in the exposure window.
This issue is not just technical, but also organizational and strategic, involving processes, priorities and, often, corporate culture.
A critical aspect is that many companies treat patch application as a "secondary" task compared to operational continuity. This creates the so-called downtime dilemma, where leaders must choose between a temporary service interruption to update systems and the potential risk of a future exploitation. However, recent attacks show that postponing these updates can be much more costly, both financially and reputationally.
Additionally, compatibility tests are a common bottleneck. Many corporate environments, especially in sectors like telecommunications, operate with a complex combination of legacy and modern technologies. This makes each update require a considerable effort to ensure that the patch does not cause problems in dependent systems. This type of care is understandable, but it can be mitigated by adopting practices such as more robust testing environments and automated validation processes.
Another factor that contributes to the delay in applying patches is the lack of awareness about the severity of the vulnerabilities. Often, IT teams underestimate the importance of a specific CVE, especially when it has not been widely exploited so far. The problem is that the window of opportunity for attackers may open before organizations realize the severity of the issue. This is a field where threat intelligence and clear communication between technology providers and companies can make all the difference.
Finally, companies need to adopt a more proactive and prioritized approach to vulnerability management: automating patching processes, segmenting networks to limit the impact of potential intrusions, and regularly simulating possible attacks to identify potential "weak points."
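The prioritization the article calls for can be made concrete with a small triage routine. The example below is added here and is not from the article or any of the vendors named: it scores findings by whether they are already known to be exploited, whether the asset is internet-facing (VPN, firewall, mail server), and how long a fix has been available but unapplied. The weights are assumptions chosen for illustration, the dates are constructed at month granularity from the timeline the article gives, and the CVE identifiers are placeholders, not real numbers.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    cve: str                 # placeholder id, not a real CVE number
    product: str
    disclosed: date          # constructed, month-level approximation of the article's timeline
    patch_available: date    # constructed, same basis
    internet_facing: bool    # reachable without credentials from the outside
    known_exploited: bool    # flagged by a threat-intel "known exploited" feed


def fix_gap_days(f: Finding) -> int:
    """Vendor-side window: days between disclosure and an available fix."""
    return max(0, (f.patch_available - f.disclosed).days)


def exposure_days(f: Finding, today: date) -> int:
    """Customer-side window: days a fix has existed but is not yet applied."""
    return max(0, (today - f.patch_available).days)


def priority(f: Finding, today: date) -> int:
    """Higher score means patch sooner. Weights are an assumption for illustration."""
    score = 0
    if f.known_exploited:
        score += 50   # already used in the wild: top of the queue regardless of age
    if f.internet_facing:
        score += 30   # edge devices are the entry points the article describes
    score += min(exposure_days(f, today) // 30, 20)  # one point per month unpatched, capped
    return score


def patch_queue(findings, today: date):
    """Findings ordered most urgent first."""
    return sorted(findings, key=lambda f: priority(f, today), reverse=True)


# Constructed sample set; the internal app is a control case that should sort last.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-EXCHANGE", "Microsoft Exchange", date(2021, 3, 1), date(2021, 3, 1), True, True),
    Finding("CVE-PLACEHOLDER-SOPHOS", "Sophos firewall", date(2022, 9, 1), date(2023, 9, 1), True, True),
    Finding("CVE-PLACEHOLDER-FORTI", "FortiClient EMS", date(2023, 10, 1), date(2024, 3, 1), True, True),
    Finding("CVE-PLACEHOLDER-IVANTI", "Ivanti VPN", date(2023, 8, 1), date(2024, 10, 1), True, True),
    Finding("CVE-PLACEHOLDER-INTERNAL", "internal reporting app", date(2024, 6, 1), date(2024, 7, 1), False, False),
]

if __name__ == "__main__":
    today = date(2024, 12, 1)
    for f in patch_queue(SAMPLE, today):
        print(f"{priority(f, today):3d}  {f.product:24s} fix-gap={fix_gap_days(f):4d}d  unpatched={exposure_days(f, today):4d}d")
```

In a real program the feed of known-exploited CVEs and the asset inventory would replace the hard-coded flags; the ordering logic stays the same.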
The issue of delays in patches and updates is not just a technical challenge, but also an opportunity for organizations to transform their security approach, making it more agile, adaptable, and resilient. Above all, this mode of operation is not new: hundreds of other attacks follow the same method, based on vulnerabilities that are used as entry points. Taking advantage of this lesson can be the difference between being a victim and being prepared for the next attack.