The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) have issued a joint advisory warning that the China-linked Salt Typhoon actors are attacking major global telecommunications providers as part of a cyber espionage campaign.
In mid-February 2025, the attackers exploited a critical vulnerability in the web UI of Cisco IOS XE software (CVE-2023-20198, CVSS score: 10.0) to retrieve configuration files from three network devices registered to a Canadian telecommunications company.
Furthermore, the threat actors modified at least one of the files to configure a Generic Routing Encapsulation (GRE) tunnel, enabling them to collect traffic from the network. The name of the targeted company was not disclosed.
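The advisory describes the attackers editing a device's configuration to add a GRE tunnel that carries traffic off the network. One practical check is to diff or scan exported IOS XE running-configs for tunnel interfaces that point at peers the operations team does not recognise, and to confirm whether the HTTP server behind CVE-2023-20198 is still enabled. The script below is an added example, not code from the advisory or from Cisco; the configuration excerpt is constructed for illustration and the allow-list of known tunnel peers is a hypothetical value the reader would replace with their own.

```python
import re

# Constructed sample IOS XE running-config excerpt (not from any real device).
# Tunnel100 is a legitimate, documented tunnel; Tunnel999 is the kind of
# stanza an attacker might add: GRE to an address nobody on the NOC recognises.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
interface Tunnel100
 description mgmt-to-core
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 10.20.30.40
!
interface Tunnel999
 ip address 172.31.9.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre ip
 tunnel destination 203.0.113.77
!
interface GigabitEthernet0/0/1
 ip address 192.0.2.10 255.255.255.0
!
end
"""

# Hypothetical allow-list of tunnel endpoints the operator expects to see.
KNOWN_TUNNEL_PEERS = {"10.20.30.40"}

TUNNEL_DEST_RE = re.compile(r"^tunnel destination (\S+)")
TUNNEL_MODE_RE = re.compile(r"^tunnel mode (.+)$")


def parse_interfaces(config: str) -> dict:
    """Split a running-config into {interface_name: [stanza body lines]}.

    IOS XE indents a stanza body by one space; the first non-indented line
    (usually '!') closes it.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def find_suspicious_tunnels(config: str, known_peers: set) -> list:
    """Return GRE tunnel interfaces whose destination is not in known_peers."""
    findings = []
    for name, body in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        dest = None
        mode = "gre ip"  # IOS XE default when no 'tunnel mode' line is present
        for line in body:
            m = TUNNEL_DEST_RE.match(line)
            if m:
                dest = m.group(1)
            m = TUNNEL_MODE_RE.match(line)
            if m:
                mode = m.group(1).strip()
        if mode.startswith("gre") and dest is not None and dest not in known_peers:
            findings.append({"interface": name, "destination": dest, "mode": mode})
    return findings


def web_ui_exposed(config: str) -> bool:
    """True if the IOS XE HTTP(S) server (the CVE-2023-20198 attack surface) is on."""
    enabled = {"ip http server", "ip http secure-server"}
    return any(line.strip() in enabled for line in config.splitlines())


if __name__ == "__main__":
    for hit in find_suspicious_tunnels(SAMPLE_CONFIG, KNOWN_TUNNEL_PEERS):
        print(f"unexpected GRE tunnel {hit['interface']} -> {hit['destination']} ({hit['mode']})")
    if web_ui_exposed(SAMPLE_CONFIG):
        print("web UI still enabled: disable 'ip http server'/'ip http secure-server' or restrict it")
```

Run it against `show running-config` output exported from each device; a tunnel to an address outside the allow-list is a lead for a closer look at the device, not proof of compromise on its own. Note that a tunnel stanza without a `tunnel mode` line is still GRE, because that is the IOS XE default.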
The agencies stated that the targeting may not be limited to the telecommunications sector and that the compromise of Canadian devices could allow the threat actors to gather information and use it as leverage to breach additional devices.
According to the alert, “In some cases, we assess that the threat actors’ activities were very likely limited to network reconnaissance.”
The agencies also highlighted that edge network devices continue to be an attractive target for Chinese state-sponsored threat actors seeking to breach and maintain persistent access to telecom service providers.
These findings are consistent with an earlier report from Recorded Future, which detailed the exploitation of CVE-2023-20198 and CVE-2023-20273 to infiltrate telecom and internet firms in the U.S., South Africa, and Italy, and the use of the resulting footholds to set up GRE tunnels for long-term access and data exfiltration.
U.K. NCSC Warns of SHOE RACK and UMBRELLA STAND Malware Targeting Fortinet Devices
The U.K. National Cyber Security Centre (NCSC) has published analyses of two malware families, dubbed SHOE RACK and UMBRELLA STAND, which have been found targeting Fortinet FortiGate 100D series firewalls.
SHOE RACK is a post-exploitation tool for remote shell access and TCP tunneling through a compromised device, while UMBRELLA STAND is designed to run shell commands issued from an attacker-controlled server.
Interestingly, SHOE RACK is partly based on a publicly available tool named reverse_ssh, which has also been repurposed by a China-nexus threat cluster called PurpleHaze to build a Windows implant codenamed GoReShell. It is currently unclear whether these activities are related.
The NCSC noted that UMBRELLA STAND shares some similarities with COATHANGER, a backdoor that was previously used by Chinese state-backed hackers in a cyber attack aimed at a Dutch armed forces network.