Ongoing Exploitation of Cisco, Ivanti, and Palo Alto Devices by PRC APTs


Between 2021 and 2025, Chinese APT actors launched highly targeted attacks exploiting publicly known CVEs in Cisco, Ivanti, and Palo Alto edge devices. These operations enabled stealthy persistence, credential theft, and packet capture through tactics such as SNMP abuse, SSH tunneling, and SPAN port manipulation, posing a significant threat to enterprise and service provider environments.

Severity Level: High

Threat Overview

Actors & Attribution

  • Affiliation: State-sponsored actors aligned with the People’s Liberation Army (PLA) and Ministry of State Security (MSS).
  • Entities involved: Companies such as Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong, and Sichuan Zhixin Ruijie Network Technology are reportedly supporting PRC espionage efforts.
  • Threat Group Aliases: Salt Typhoon, OPERATOR PANDA, RedMike, GhostEmperor, UNC5807.

Victimology

  • Sectors Affected: telecommunications, ISPs, government, transportation, lodging, and military infrastructure networks
  • Geographic Targeting: Global

Exploitation & Initial Access

  • Initial Access Vector: Exploitation of known, unpatched vulnerabilities in exposed edge and core devices.
  • Exploited CVEs:
    1. CVE-2024-21887: Ivanti Connect Secure and Policy Secure command injection (chained after an authentication bypass)
    2. CVE-2024-3400: PAN-OS GlobalProtect arbitrary file creation → RCE
    3. CVE-2023-20273 & CVE-2023-20198: Cisco IOS XE privilege escalation + authentication bypass
    4. CVE-2018-0171: Cisco Smart Install remote code execution


Persistence and Lateral Movement

The actors established long-term access using:

  • SSH access via non-standard ports (e.g., 22x22, 57722)
  • Access Control List (ACL) modifications to allow traffic from actor-controlled IPs
  • SNMP misconfiguration to hide or regain access
  • Guest Shell abuse on Cisco IOS XE/NX-OS for running custom scripts inside Linux containers
  • Creation of local admin users on compromised routers (e.g., useradd cisco with sudo rights)
  • Tunnels and mirrored traffic (SPAN/ERSPAN) configured on routers for stealthy access
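As a defender-side illustration of how the configuration changes in this list (and the log-review guidance in the recommendations further down) can be hunted for in device logs, the following Python script is an added example, not code from the advisory or from CISA. It parses syslog lines in the shape of the IOS XE config-logger message (%PARSER-5-CFGLOG_LOGGEDCMD) and flags the command patterns this page names: SSH moved to a non-default port, ACL permits for unexpected addresses, new privilege-15 users, Guest Shell use, SPAN/ERSPAN mirroring, on-device packet capture, tunnel interfaces, and SNMP community changes. The sample log, hostname, usernames, addresses and rule names are constructed for the example; the list of approved address ranges is an assumed input.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log. The line shape follows the IOS XE config-logger
# message %PARSER-5-CFGLOG_LOGGEDCMD; the exec-mode commands (monitor capture,
# guestshell) are included in the same shape as if collected by AAA command
# accounting. Host, users and addresses are made up for this example.
SAMPLE_LOG = """\
Aug 27 10:01:02 edge-rtr1 1234: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:ntp server 10.0.0.5
Aug 27 10:02:10 edge-rtr1 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:ip ssh port 22022 rotary 1
Aug 27 10:02:45 edge-rtr1 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:access-list 10 permit 203.0.113.7
Aug 27 10:03:01 edge-rtr1 1237: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:username cisco privilege 15 secret *****
Aug 27 10:03:30 edge-rtr1 1238: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:guestshell enable
Aug 27 10:04:12 edge-rtr1 1239: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:monitor session 1 destination interface GigabitEthernet0/0/3
Aug 27 10:05:00 edge-rtr1 1240: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:monitor capture CAP export flash:tac.pcap
Aug 27 10:06:20 edge-rtr1 1241: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/0/1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \d+: "
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Command patterns drawn from the persistence techniques and hunting guidance
# on this page. Rule names are our own labels, not vendor or CISA terms.
SIMPLE_RULES = [
    ("guestshell-activity", re.compile(r"^(guestshell (enable|run|disable|destroy)|run guestshell)\b")),
    ("vrf-or-host-escape", re.compile(r"\b(chvrf|dohost)\b")),
    ("new-priv15-user", re.compile(r"^username \S+ .*privilege 15\b")),
    ("span-mirror-config", re.compile(r"^monitor session \d+ destination\b")),
    ("on-device-pcap", re.compile(r"^monitor capture\b")),
    ("tunnel-created", re.compile(r"^interface Tunnel\d+", re.I)),
    ("snmp-community-change", re.compile(r"^snmp-server community\b")),
]
SSH_PORT_RE = re.compile(r"^ip ssh port (\d+)")
ACL_PERMIT_RE = re.compile(r"^(?:access-list \S+ )?permit\b.*?(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    command: str


def parse_logged_commands(text):
    """Yield (ts, host, user, cmd) for every config-logger line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["host"], m["user"], m["cmd"].strip()


def classify(cmd, approved_nets):
    """Return the rule names a single logged command trips (possibly none)."""
    hits = [name for name, rx in SIMPLE_RULES if rx.search(cmd)]
    m = SSH_PORT_RE.match(cmd)
    if m and int(m.group(1)) != 22:
        hits.append("ssh-nonstandard-port")
    m = ACL_PERMIT_RE.match(cmd)
    if m:
        addr = ipaddress.ip_address(m.group(1))
        # A permit for an address outside the approved management ranges is the
        # ACL-modification technique described above.
        if not any(addr in net for net in approved_nets):
            hits.append("acl-permit-unapproved-ip")
    return hits


def hunt(text, approved_cidrs):
    """Run every logged command through the rules; return findings in log order."""
    approved = [ipaddress.ip_network(c) for c in approved_cidrs]
    findings = []
    for ts, host, user, cmd in parse_logged_commands(text):
        for rule in classify(cmd, approved):
            findings.append(Finding(ts, host, user, rule, cmd))
    return findings


if __name__ == "__main__":
    # Assumed approved management range for the example.
    for f in hunt(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"{f.ts} {f.host} user={f.user} [{f.rule}] {f.command}")
```

On the constructed sample the script returns six findings, all by the same user within a few minutes; in practice that clustering (one account moving SSH, opening an ACL, creating a privilege-15 user, enabling Guest Shell, mirroring and capturing traffic) is itself the signal to escalate, so grouping findings by user and time window is a natural next step.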

Actors moved across networks by:

  • Enumerating network devices via SNMPwalk
  • Hijacking TACACS+ and RADIUS authentication to steal credentials
  • Reusing stolen credentials or brute-forcing weak passwords (e.g., “cisco”)
  • Pivoting via GRE/IPsec tunnels between interconnected providers or customers
  • Altering BGP and VRF settings to redirect traffic or gain access

Tools & Implants

  • Custom SFTP Clients (written in Golang) for exfiltration & staging: cmd1, cmd3, new2, sft
  • Embedded PCAP functionality for capturing credentials and RADIUS/TACACS+ traffic
  • STOWAWAY: Multi-hop tunneling and C2 relay tool
  • Native Commands: Use of IOS commands and Tcl scripting for router manipulation

Data Collection & Exfiltration

Targeted Data:

  • Authentication credentials via captured TACACS+/RADIUS traffic
  • Subscriber and session metadata from ISPs
  • Router configurations and command histories
  • PCAPs generated on-device using built-in monitoring tools

Exfiltration Channels:

  • GRE/IPsec/MPLS tunnels created on routers
  • Abuse of peering connections between providers
  • FTP/TFTP transfers to remote actor-controlled IPs

Case Study: On-Device PCAP Capture

In one real incident:

  • A Cisco IOS XE router was compromised.
  • The actor ran monitor capture to collect TACACS+ traffic.
  • PCAP was saved to local storage as tac.pcap.
  • The file was exfiltrated via FTP to an actor-controlled IP.
  • Credentials inside the PCAP enabled further access and lateral movement.

Recommendations

  1. Ensure Ivanti Connect Secure, Ivanti Policy Secure, PAN-OS GlobalProtect, Cisco Smart Install, Cisco IOS and IOS XE are running the latest security updates.
  2. Disable all unused ports and protocols (both traffic and management protocols), disable Cisco Smart Install and Cisco Guest Shell, and use only strong cryptographic algorithms.
  3. Disable outbound connections from management interfaces.
  4. Change all default administrative credentials and SNMP community strings.
  5. Regularly review network device (especially router) logs and configurations for evidence of any unexpected, unapproved, or unusual activity, especially changes to network tunnels, AAA configurations, ACLs, packet captures or network mirroring, and virtual containers.
  6. For IOS XE, hunt for guestshell enable, guestshell run bash, and guestshell disable. On NX-OS, hunt for guestshell enable, run guestshell, and guestshell destroy. Alert on unexpected use of chvrf and, on NX-OS, use of dohost.
  7. Enable secure boot, signed image enforcement, and configuration checkpoints.
  8. Hunt for actor-favored protocol patterns:
    • SSH on high non-default ports (22x22/xxx22) from non-admin source IPs
    • HTTPS/Web UI listeners on non-default high ports (18xxx)
    • TCP/57722 (IOS XR sshd_operns) reachability or flows
    • TACACS+ (TCP/49) flows to non-approved IPs
    • FTP/TFTP flows originating from network devices to unapproved destinations
  9. Block the IOCs at their respective controls https://www.virustotal.com/gui/collection/0e77bb57c6abea97f31656b2638495691a3988b22af316e33c3ac3bac5cc8804/iocs
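The protocol patterns in item 8 expressed as a flow-record hunt. This is an added Python example, not code from the advisory or from CISA: it reads NetFlow-style records reduced to the few fields the rules need, checks each record against an assumed site policy (which subnets are administrative, which hold network devices, which TACACS+ and FTP/TFTP servers are approved) and returns the flows that match. The records, addresses and rule names are constructed for the example.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed flow records (NetFlow-style export reduced to the fields the
# rules need). All addresses are made up; none are real infrastructure.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,bytes
2025-08-27T10:00:01,10.1.1.5,10.0.0.1,tcp,22,4120
2025-08-27T10:00:07,198.51.100.23,10.0.0.1,tcp,22022,9873
2025-08-27T10:00:09,10.1.1.5,10.0.0.1,tcp,22222,1200
2025-08-27T10:00:15,198.51.100.23,10.0.0.1,tcp,18443,5531
2025-08-27T10:00:21,10.0.0.1,10.0.0.2,tcp,57722,3300
2025-08-27T10:00:30,10.0.0.1,10.2.2.10,tcp,49,640
2025-08-27T10:00:31,10.0.0.1,203.0.113.9,tcp,49,640
2025-08-27T10:00:40,10.0.0.1,203.0.113.9,tcp,21,1048576
2025-08-27T10:00:45,10.0.0.2,10.2.2.20,udp,69,2048
"""


@dataclass
class Policy:
    """Assumed site policy: who may talk to what. Everything else is worth a look."""
    admin_nets: list    # sources that legitimately administer devices
    device_nets: list   # address ranges holding routers, switches, firewalls
    tacacs_servers: set  # approved TACACS+ servers
    file_servers: set    # approved FTP/TFTP destinations for configs and images

    @classmethod
    def from_strings(cls, admin, devices, tacacs, files):
        return cls(
            [ipaddress.ip_network(n) for n in admin],
            [ipaddress.ip_network(n) for n in devices],
            {ipaddress.ip_address(a) for a in tacacs},
            {ipaddress.ip_address(a) for a in files},
        )


def _in(addr, nets):
    return any(addr in n for n in nets)


def is_ssh_like_high_port(port):
    """22x22 / xxx22 as described above: a five-digit port ending in 22."""
    return 10000 <= port <= 65535 and str(port).endswith("22")


def classify_flow(rec, policy):
    """Return the rule names one flow record trips (possibly none)."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    proto = rec["proto"].lower()
    dport = int(rec["dport"])
    to_device = _in(dst, policy.device_nets)
    from_device = _in(src, policy.device_nets)
    hits = []
    # Port-shape rules: 57722 is checked first so it is not double-counted as
    # a generic xxx22 port.
    if proto == "tcp" and dport == 57722:
        hits.append("tcp-57722-sshd-operns")
    elif proto == "tcp" and to_device and is_ssh_like_high_port(dport) and not _in(src, policy.admin_nets):
        hits.append("ssh-high-port-from-nonadmin")
    elif proto == "tcp" and to_device and 18000 <= dport <= 18999:
        hits.append("webui-high-port")
    # Authentication traffic leaving for a server that is not ours.
    if proto == "tcp" and dport == 49 and dst not in policy.tacacs_servers:
        hits.append("tacacs-to-unapproved-server")
    # File transfer initiated by a network device toward an unapproved host.
    if from_device and dst not in policy.file_servers and (
        (proto == "tcp" and dport in (20, 21)) or (proto == "udp" and dport == 69)
    ):
        hits.append("ftp-tftp-from-device-to-unapproved")
    return hits


def hunt_flows(csv_text, policy):
    """Return (rule, record) pairs for every flow that matches a pattern, in input order."""
    findings = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        for rule in classify_flow(rec, policy):
            findings.append((rule, rec))
    return findings


if __name__ == "__main__":
    policy = Policy.from_strings(["10.1.1.0/24"], ["10.0.0.0/24"], ["10.2.2.10"], ["10.2.2.20"])
    for rule, rec in hunt_flows(SAMPLE_FLOWS, policy):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']}/{rec['proto']} [{rule}]")
```

The policy is deliberately an allow-list: the TACACS+ and FTP/TFTP rules fire on any destination that is not explicitly approved rather than on a list of bad addresses, which is what makes them useful against infrastructure that changes between campaigns. The one administrative source using port 22222 is not flagged, matching the advisory's "from non-admin source IPs" wording; a site that never runs SSH on such ports could drop that exemption.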

Source:

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a

Ampcus Cyber