One of Salt Typhoon's favorite flaws still wide open on 91% of at-risk Exchange Servers

But we mean, you've had nearly four years to patch
One of the critical security flaws exploited by China's Salt Typhoon to breach US telecom and government networks has had a patch available for nearly four years - yet despite repeated warnings from law enforcement and private-sector security firms, nearly all public-facing Microsoft Exchange Server instances with this vulnerability remain unpatched.

According to cyber-risk management firm Tenable, 91 percent of the nearly 30,000 openly reachable Exchange Server instances it found vulnerable to CVE-2021-26855, the pre-authentication server-side request forgery bug at the core of the ProxyLogon exploit chain, have not been updated to close the hole.

Microsoft disclosed this vulnerability in March 2021 and warned that Chinese government snoops were already chaining it with other Exchange bugs to achieve remote code execution on targets' Exchange Servers. The Five Eyes nations later listed ProxyLogon among the top routinely exploited vulnerabilities of 2021.
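As an added example (not code from the article, from Tenable, or from Microsoft), the following Python script answers the two questions the figures above raise for anyone still running on-premises Exchange: is this server's build past the March 2021 fix for CVE-2021-26855, and do its HttpProxy logs (under the Exchange install path's Logging\HttpProxy folder) show the exploitation pattern? The fixed build numbers are the ones Microsoft published with the March 2021 Security Updates; the log indicator is the one from Microsoft's own Hafnium guidance, an unauthenticated request whose AnchorMailbox reads ServerInfo~<host>/<path>. The version to feed in is the ExSetup.exe file version, since Get-ExchangeServer's AdminDisplayVersion does not reflect security updates. The sample log excerpt is constructed: the column names are real but trimmed to a handful, and every value in it is invented.

```python
"""Triage helpers for CVE-2021-26855 (ProxyLogon) on on-premises Exchange.

Two checks:
  1. is_patched(): does an ExSetup.exe file version include the March 2021
     Security Update (or a later cumulative update that carries the fix)?
  2. suspicious_httpproxy_rows(): which HttpProxy log rows match the
     exploitation indicator from Microsoft's Hafnium guidance?
Fixed build numbers are the ones Microsoft published on 2 March 2021.
"""
import csv
import io
from typing import Dict, List, Tuple

# (major, minor, build) of each CU that received the March 2021 SU -> the
# revision that carries the fix. Later CUs on each branch ship with the fix.
FIXED_BUILDS: Dict[Tuple[int, int, int], int] = {
    (15, 0, 1497): 12,  # Exchange 2013 CU23 -> 15.0.1497.12
    (15, 1, 2106): 13,  # Exchange 2016 CU18 -> 15.1.2106.13
    (15, 1, 2176): 9,   # Exchange 2016 CU19 -> 15.1.2176.9
    (15, 2, 721): 13,   # Exchange 2019 CU7  -> 15.2.721.13
    (15, 2, 792): 10,   # Exchange 2019 CU8  -> 15.2.792.10
}


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Split '15.1.2176.9' into (15, 1, 2176, 9); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Exchange build: {version!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return major, minor, build, rev


def is_patched(version: str) -> bool:
    """True if this ExSetup.exe version contains the CVE-2021-26855 fix.

    Only Exchange 2013/2016/2019 (15.x) builds are assessed. A CU older than
    the ones in FIXED_BUILDS is reported unpatched: such a server should be
    moved to a supported CU rather than reasoned about here.
    """
    major, minor, build, rev = parse_build(version)
    if (major, minor) not in {(15, 0), (15, 1), (15, 2)}:
        raise ValueError(f"only Exchange 15.x builds are assessed, got {version!r}")
    fixed_rev = FIXED_BUILDS.get((major, minor, build))
    if fixed_rev is not None:
        return rev >= fixed_rev
    newest_fixed_cu = max(b for (mj, mn, b) in FIXED_BUILDS if (mj, mn) == (major, minor))
    return build > newest_fixed_cu


def suspicious_httpproxy_rows(log_text: str) -> List[Dict[str, str]]:
    """Rows matching Microsoft's CVE-2021-26855 indicator in HttpProxy logs.

    Indicator: AuthenticatedUser is empty and AnchorMailbox matches
    'ServerInfo~*/*', i.e. an unauthenticated request that the front end
    routed to a back-end URL chosen by the client (the X-BEResource /
    X-AnonResource-Backend cookie abuse). HttpProxy logs start with a
    column-header line, so DictReader reads the raw file; the many extra
    columns in a real log are simply ignored.
    """
    prefix = "ServerInfo~"
    hits: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        anchor = (row.get("AnchorMailbox") or "").strip()
        user = (row.get("AuthenticatedUser") or "").strip()
        if user == "" and anchor.startswith(prefix) and "/" in anchor[len(prefix):]:
            hits.append(row)
    return hits


# Constructed sample: a trimmed HttpProxy log (real column names, invented values).
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,UrlStem,HttpStatus
2021-03-03T08:15:22.123Z,req-0001,Basic,true,alice@example.com,Sid~S-1-5-21-1000-1,Microsoft Office/16.0,198.51.100.7,/EWS/Exchange.asmx,200
2021-03-03T08:15:40.551Z,req-0002,,false,,ServerInfo~EXCH01:444/autodiscover/autodiscover.xml?a=1942062522,python-requests/2.25.1,203.0.113.10,/ecp/y.js,200
2021-03-03T08:15:41.004Z,req-0003,,false,,,Mozilla/5.0,10.0.0.5,/owa/healthcheck.htm,200
2021-03-03T08:15:44.917Z,req-0004,,false,,ServerInfo~EXCH01:444/ecp/proxyLogon.ecp?a=1,python-requests/2.25.1,203.0.113.10,/owa/auth/x.js,200
2021-03-03T08:16:02.330Z,req-0005,,false,,ServerInfo~EXCH01,Mozilla/5.0,198.51.100.9,/mapi/emsmdb/,401
"""


def triage(version: str, log_text: str) -> Dict[str, object]:
    """Combine both checks: patch state now, plus any past exploitation attempts."""
    hits = suspicious_httpproxy_rows(log_text)
    return {
        "patched": is_patched(version),
        "hits": len(hits),
        "sources": sorted({r["ClientIpAddress"] for r in hits}),
    }


if __name__ == "__main__":
    # An Exchange 2016 CU19 server that never took the March 2021 SU.
    print(triage("15.1.2176.2", SAMPLE_HTTPPROXY_LOG))
    for r in suspicious_httpproxy_rows(SAMPLE_HTTPPROXY_LOG):
        print(r["DateTime"], r["ClientIpAddress"], r["UrlStem"], r["AnchorMailbox"])
```

The two checks answer different questions and both are needed: a green build check only says the hole is closed today, while the log check is what tells you whether someone walked through it before it was closed, which, given the persistence the article describes, is the question that actually matters on a server that sat unpatched for years. Row req-0005 in the sample is there to show why the indicator requires a slash after ServerInfo~: a bare server name is ordinary routing, a server name followed by a URL path is the attacker's back-end target.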

For comparison: Tenable's team also analyzed over 20,000 devices affected by two Ivanti Connect Secure and Policy Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887) also abused by Salt Typhoon, and found that more than 92 percent of those devices were fully remediated.

"Salt Typhoon is known for maintaining a stealthy presence on victim networks and remaining undetected for a significant time period," Scott Caveza, Tenable staff research engineer, said in a Thursday report.

The snoops maintain persistence via custom malware including GhostSpider, SnappyBee, and the Masol remote access trojan, he added.

This echoes an earlier report by Trend Micro, which said malware spotted in Salt Typhoon campaigns includes SnappyBee, a modular backdoor shared among Chinese-government-linked groups; the Demodex rootkit, used to remain hidden; and GhostSpider, a new backdoor that loads different modules depending on the attackers' specific purpose.


Tenable's latest analysis comes as Washington lawmakers grapple with the full extent of the Salt Typhoon intrusions, as well as those from other Chinese government gangs.

Salt Typhoon and two sibling nation-state crews, Volt Typhoon and Flax Typhoon, were topics of discussion during yesterday's US House of Representatives' Committee on Homeland Security hearing.

During the committee meeting, expert witnesses including former government and military cybersecurity leaders told lawmakers that China is "America's most capable, and opportunistic cyber adversary" and "preparing for war on the networks of America's businesses, infrastructure, and government agencies."

Each of the Beijing-backed gangs has its own focus and its own set of targets: Salt Typhoon's cyberspies have hacked US telecommunications and government networks, intent on stealing calls and data belonging to government officials and politicians.

Volt Typhoon has targeted US critical infrastructure with the goal of maintaining persistence and preparing for destructive actions. This is the crew that keeps national security officials and threat intel analysts awake at night.

"As a military planner, I used to call this operational preparation of the battlefield," retired US Navy Rear Admiral Mark Montgomery told Congress on Wednesday.

"China's overarching goal in executing an operation like Volt Typhoon is to disrupt or degrade America's rail, port, and aviation systems, so the US cannot rapidly mobilize military forces and get military equipment, personnel, and supplies to the battlefield." 

Meanwhile, Flax Typhoon's focus has been on compromising IoT devices to build a botnet that can be used to launch future attacks.

"While each group's targets and activities are unique, the 'eye' of each of these typhoons is they target unpatched and often well-known vulnerabilities for initial access, targeting public-facing servers," Caveza wrote. "Despite the persistence of these threat actors, it's vital that organizations routinely patch public-facing devices and quickly mitigate known and exploited vulnerabilities." ®
