Aviatrix Blog

Salt Typhoon’s GhostSPIDER Malware Exposes Critical Network Vulnerabilities

GhostSPIDER targets edge infrastructure and network devices that bridge on-premises data centers with public cloud environments.

A new threat has exposed key vulnerabilities in many enterprise networks. Salt Typhoon, a state-sponsored hacking group linked to China’s Ministry of Public Security, has expanded its cyber offensive by deploying GhostSPIDER malware to infiltrate global networks. While a total of 80 firms were reported to have been infiltrated or used as stepping stones in the hack, the actual number could be much higher. According to sources familiar with the ongoing U.S. investigation, several hundred organizations, including telecoms and others, have been notified in recent months that they may be at risk of compromise. Telecoms and Internet Service Providers (ISPs) compromised in the attack include Verizon, T-Mobile, AT&T, Lumen Technologies (formerly CenturyLink), Charter Communications, Consolidated Communications, Windstream Communications, Cox Communications, and Frontier Communications.

This recent campaign reveals how attackers exploit misconfigurations, weak segmentation, and unencrypted traffic to gain persistent access to critical systems.

What You’ll Learn:

  • How GhostSPIDER malware infiltrates networks
  • Specific vulnerabilities exploited in this attack
  • Broader implications: the systemic network vulnerabilities this attack highlights
  • How Aviatrix strengthens your network’s defense with secure high-performance encryption


The Attack: How GhostSPIDER Works

GhostSPIDER targets edge infrastructure and network devices that bridge on-premises data centers with public cloud environments. The malware is deployed through multiple attack vectors, including:

  • Exploiting Unpatched VPNs and Firewalls – Salt Typhoon actively scans for edge devices running outdated firmware or unpatched vulnerabilities, such as those found in popular VPN concentrators and next-gen firewalls.
  • Leveraging Exposed Management Interfaces – Attackers exploit external-facing management ports (SSH, RDP, Telnet) that lack access controls or encryption. This provides direct entry to critical infrastructure.
  • Abusing Weak or Default Credentials – GhostSPIDER brute-forces or exploits hardcoded default credentials to gain initial access to devices. Failure to rotate passwords or enforce multi-factor authentication (MFA) exacerbates this risk.
  • Man-in-the-Middle (MitM) Interception – By implanting itself on routers and network gateways, GhostSPIDER intercepts and manipulates unencrypted data-in-transit, injecting malicious payloads or siphoning sensitive information.
  • Privilege Escalation via Misconfigured Access Controls – Once inside, the malware exploits misconfigured Identity and Access Management (IAM) policies or excessive privileges to escalate rights, allowing lateral movement across environments.


Vulnerabilities exploited by GhostSPIDER include:

  • CVE-2023-46805: An authentication bypass in Ivanti Connect Secure (ICS) and Policy Secure (IPS) appliances, allowing unauthorized access to restricted resources.
  • CVE-2024-21887: An authentication bypass in Ivanti Connect Secure appliances, enabling attackers to execute arbitrary code by sending crafted requests.
  • CVE-2023-48788: A SQL injection vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS), permitting unauthenticated attackers to execute commands on the server.
  • CVE-2022-3236: A code injection vulnerability in the User Portal and Webadmin interfaces of Sophos Firewall, allowing remote code execution by unauthenticated attackers.
  • CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, enabling attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857: A remote code execution (RCE) vulnerability in the Unified Messaging service of Microsoft Exchange Server that allows attackers to execute arbitrary commands on the server by sending specially crafted serialized payloads, enabling them to establish a foothold in the network and expand their access.
  • CVE-2021-27065: A post-authentication arbitrary file write vulnerability in Microsoft Exchange Server. This flaw allows attackers with authenticated access to write files to any location on the server, enabling them to implant web shells, execute malicious code, and maintain persistence within compromised systems.


Compromised Shared Infrastructure: A Multiplier for Risk Across Industries

Today’s cloud ecosystems heavily rely on shared telecom and ISP infrastructure. Public and hybrid cloud platforms depend on these backbones to connect their services across regions. When this infrastructure is compromised, the risks cascade far beyond the telecom/ISP sector, threatening the critical operations of all industries relying on this shared connectivity.

  • Cascading Impact on Cloud Services
    • Shared telecom and ISP backbones form the foundation of modern cloud environments, facilitating seamless communication between on-premises data centers, public clouds, and edge devices. However, disruptions to these critical networks can have far-reaching consequences.
    • Example: the CenturyLink network outage (2020), in which a backbone misconfiguration caused widespread service interruptions for providers such as AWS and Microsoft Azure, shows how the consequences ripple across cloud providers and their users.
  • Supply Chain Vulnerabilities
    • Many organizations rely on interconnected vendors, software, and third-party services linked to telecom and ISP infrastructure. A single compromised link can propagate risks throughout the entire supply chain.
    • Example: The SolarWinds Supply Chain Attack (2020) significantly impacted cloud service providers due to their reliance on third-party software like SolarWinds Orion for network and infrastructure management. Attackers leveraged the compromised updates to infiltrate cloud environments, targeting critical infrastructure and systems, including those hosted on major platforms like Microsoft Azure. Microsoft reported that attackers accessed parts of its source code repositories, highlighting the far-reaching consequences of the breach.
  • Exploitation of Connectivity Dependencies
    • Advanced persistent threat groups such as Salt Typhoon strategically target shared infrastructure to exploit vulnerabilities in cloud connectivity pathways that link data centers, cloud environments, and edge devices. In this attack, over 100,000 routers were compromised, providing attackers with extensive control points across the network. Techniques such as DNS Hijacking and BGP Manipulation can be used to redirect traffic to malicious servers, intercept sensitive credentials, or disrupt the delivery of cloud services, causing widespread impacts across industries.
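The BGP manipulation mentioned above works because routers believe whatever origin a peer announces and prefer the most specific prefix. The defensive counterpart is Route Origin Validation (RFC 6811): each received route is checked against Route Origin Authorizations (ROAs) published in the RPKI. The following is an added example written for this post, not Aviatrix code and not tied to any real registry data; the ROAs, announcements, ASNs and peer names are constructed over documentation address space and private ASN ranges. It implements the valid / invalid / not-found decision and flags the two hijack shapes a defender should alert on: a wrong origin AS, and a more-specific announcement that exceeds the ROA's maxLength.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: the AS allowed to originate a prefix, and the most
    specific prefix length it may announce (maxLength)."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed ROAs over documentation address space and private ASNs (not registry data).
ROAS = [
    Roa("203.0.113.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64501),
]


def rov_state(prefix, origin_asn, roas=ROAS):
    """Route Origin Validation as in RFC 6811: 'valid', 'invalid', or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"  # no ROA covers this space; nothing to validate against
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def invalid_reason(prefix, origin_asn, roas=ROAS):
    """Explain an 'invalid' result. A more-specific beyond maxLength beats the legitimate
    route on longest-prefix match; a wrong origin AS is an unauthorized origination."""
    route = ipaddress.ip_network(prefix)
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if (route.version == roa_net.version and route.subnet_of(roa_net)
                and roa.origin_asn == origin_asn):
            return f"more specific than maxLength /{roa.max_length}"
    return "unauthorized origin AS"


def triage(announcements, roas=ROAS):
    """Classify (prefix, origin_asn, peer) announcements and return only the invalid ones,
    each with the peer it arrived from and the reason, ready to alert on or drop."""
    alerts = []
    for prefix, origin_asn, peer in announcements:
        if rov_state(prefix, origin_asn, roas) == "invalid":
            alerts.append((peer, prefix, origin_asn, invalid_reason(prefix, origin_asn, roas)))
    return alerts


# Constructed announcements as they might arrive from upstream peers (sample data).
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500, "peer-a"),   # legitimate origination
    ("203.0.113.0/25", 64500, "peer-b"),   # right AS, but a /25 would win longest-prefix match
    ("203.0.113.0/24", 64666, "peer-c"),   # another AS originating our prefix
    ("198.51.100.0/23", 64501, "peer-a"),  # inside the /22 and within maxLength 24: fine
    ("192.0.2.0/24", 64502, "peer-d"),     # no ROA at all: not-found, not alerted here
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_ANNOUNCEMENTS):
        print(alert)
```

Routes that come back not-found are unprotected rather than hostile; the practical fix for that state is publishing ROAs for your own prefixes so that upstreams running ROV can reject forged originations of them.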


Greater Security Risk Equals Greater Business Risk

Security threats are no longer confined to IT infrastructure; they impact the core of business operations and reputation. The risks magnified by shared, compromised infrastructure highlight the interconnected nature of modern business.


Security Risks: The Foundation of Business Risks

  • Persistent Network Access — Attackers exploit vulnerabilities in shared infrastructure to establish long-term footholds, gathering intelligence undetected and preparing for larger attacks.
  • Lateral Movement and Privilege Escalation — Shared infrastructure with flat network designs allows attackers to move laterally across interconnected environments, gaining access to sensitive systems.
  • Data Interception and Exfiltration — Sensitive data such as customer records or financial transactions transmitted over shared infrastructure is often intercepted and exfiltrated, with severe downstream consequences.

Business Risks: The Impact of Vulnerabilities Across Shared Infrastructure

Shared infrastructure amplifies the business risks of telecom/ISP-based attacks by extending their reach across industries:

  • Reputational Damage — A breach can directly tarnish your company’s reputation and erode customer confidence in your ability to protect their data, leading to a long, uphill battle to regain credibility and reassure stakeholders.
  • Financial Losses — Downtime resulting from a telecom/ISP-based attack directly impacts revenue generation. These losses are often compounded by expenses related to regulatory penalties, legal actions, and costly remediation measures, creating a substantial financial burden.


The Compliance Risk: A Hidden Danger

In addition to the direct security risks posed by attacks like GhostSPIDER, organizations face significant compliance risks. Certifications and regulatory frameworks such as ISO 27001, SOC 2, GDPR, and HIPAA emphasize the importance of protecting sensitive information during transit, often recommending encryption as a critical safeguard.

While private connectivity solutions like AWS Direct Connect and Azure ExpressRoute with MACsec encryption provide added security, MACsec protects individual links, so traffic is decrypted at each hop. Each of those hops is an exposure point where attackers can potentially intercept and exfiltrate sensitive data. Controlling the infrastructure and encryption at each hop is essential to reducing these risks and minimizing reliance on third-party services that may introduce vulnerabilities.

Misrepresenting traffic as fully encrypted in transit can lead to non-compliance with regulatory standards. Such misrepresentation may result in scrutiny from regulatory entities, potentially leading to reviews, consent orders, or financial penalties. This highlights the importance of adopting encryption solutions that ensure robust security and minimize external dependencies.


Broader Implications: A Wake-Up Call for All Industries

While telcos and ISPs such as Verizon and AT&T are prominent targets due to their role in global connectivity, this threat extends well beyond telecommunications.

Enterprises across financial services, healthcare, manufacturing, and government sectors face similar risks as they operate hybrid cloud environments that rely heavily on edge infrastructure.

The attack exposes systemic weaknesses across organizations, including:

  • Unencrypted Traffic – Sensitive data and credentials transmitted over unsecured channels can be intercepted by attackers, providing an easy entry point to critical systems.
  • Flat Network Architectures – Networks lacking proper segmentation allow attackers to move laterally once inside, enabling them to access additional systems and escalate their privileges.
  • Visibility Gaps – Limited monitoring and visibility into traffic within a network make it challenging to detect and respond to breaches, allowing attackers to operate undetected until significant damage is done.
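The three weaknesses above, together with the exposed management interfaces and lateral movement described under "How GhostSPIDER Works", are all visible in flow telemetry if someone looks. The following is an added example written for this post, not Aviatrix code: a small analyzer run over constructed flow records in a simplified VPC-flow-log style. The segmentation inventory (which subnets form which zone and which zone may reach management ports in another) is a hypothetical policy assumed for the example. It flags management ports reachable from outside every known zone, cleartext management protocols, management sessions that cross zones against policy, one host fanning out to many others, and zones that produced no telemetry at all.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (sample data, not from any real environment):
# timestamp src dst dst_port proto action
SAMPLE_FLOWS = """\
1712000001 198.51.100.23 10.10.0.5 23 tcp ACCEPT
1712000002 198.51.100.23 10.10.0.5 22 tcp ACCEPT
1712000003 10.10.0.5 10.20.0.8 22 tcp ACCEPT
1712000004 10.10.0.5 10.20.0.9 3389 tcp ACCEPT
1712000005 10.10.0.5 10.20.0.10 22 tcp ACCEPT
1712000006 10.30.0.4 10.30.0.7 443 tcp ACCEPT
1712000007 203.0.113.9 10.10.0.5 443 tcp ACCEPT
1712000008 203.0.113.9 10.10.0.6 3389 tcp REJECT
"""

# Hypothetical segmentation inventory (an assumption of this example): which subnet
# belongs to which zone, and which zone-to-zone management paths policy permits.
# Any address outside these subnets is treated as external.
SEGMENTS = {
    "10.10.0.0/16": "edge",
    "10.20.0.0/16": "core",
    "10.30.0.0/16": "corp",
    "10.40.0.0/16": "mgmt",  # jump hosts: the only zone allowed onto others' management ports
}
ALLOWED_MGMT_PATHS = {("mgmt", "edge"), ("mgmt", "core"), ("mgmt", "corp")}
MGMT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}  # management protocols named in the post
CLEARTEXT_PORTS = {23: "telnet", 80: "http"}         # management over unencrypted channels


def parse_flows(text):
    """Turn whitespace-separated records into dicts, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, action = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dst_port": int(dport), "proto": proto, "action": action})
    return flows


def zone_of(ip):
    """Map an address to its inventory zone, or 'external' if no zone contains it."""
    addr = ipaddress.ip_address(ip)
    for cidr, zone in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return "external"


def find_exposed_management(flows):
    """Accepted sessions from outside every known zone to a management port: an exposed
    management interface, whether or not the protocol itself is encrypted."""
    return [(f["src"], f["dst"], MGMT_PORTS[f["dst_port"]]) for f in flows
            if f["action"] == "ACCEPT" and f["dst_port"] in MGMT_PORTS
            and zone_of(f["src"]) == "external" and zone_of(f["dst"]) != "external"]


def find_cleartext_management(flows):
    """Accepted sessions on protocols that carry credentials and commands unencrypted."""
    return [(f["src"], f["dst"], CLEARTEXT_PORTS[f["dst_port"]]) for f in flows
            if f["action"] == "ACCEPT" and f["dst_port"] in CLEARTEXT_PORTS]


def find_segmentation_violations(flows):
    """Management sessions between two internal zones that policy does not permit.
    In a flat network these are exactly the paths lateral movement takes."""
    hits = []
    for f in flows:
        if f["action"] != "ACCEPT" or f["dst_port"] not in MGMT_PORTS:
            continue
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if "external" in (src_zone, dst_zone) or src_zone == dst_zone:
            continue
        if (src_zone, dst_zone) not in ALLOWED_MGMT_PATHS:
            hits.append((f["src"], src_zone, f["dst"], dst_zone, MGMT_PORTS[f["dst_port"]]))
    return hits


def find_lateral_fanout(flows, threshold=3):
    """Internal sources with management sessions to `threshold` or more distinct hosts:
    one host touching many others is the fan-out shape of lateral movement."""
    targets = defaultdict(set)
    for f in flows:
        if (f["action"] == "ACCEPT" and f["dst_port"] in MGMT_PORTS
                and zone_of(f["src"]) != "external"):
            targets[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_silent_segments(flows):
    """Known zones with no records at all: a visibility gap, not evidence the zone is clean."""
    seen = {zone_of(f[k]) for f in flows for k in ("src", "dst")}
    return sorted(set(SEGMENTS.values()) - seen)


def analyze(text):
    flows = parse_flows(text)
    return {"exposed_management": find_exposed_management(flows),
            "cleartext_management": find_cleartext_management(flows),
            "segmentation_violations": find_segmentation_violations(flows),
            "lateral_fanout": find_lateral_fanout(flows),
            "silent_segments": find_silent_segments(flows)}


if __name__ == "__main__":
    for finding, items in analyze(SAMPLE_FLOWS).items():
        print(f"{finding}: {items}")
```

On the sample data the external host reaches both Telnet and SSH on an edge device, that edge device then opens SSH and RDP sessions into three core hosts against policy, and the mgmt zone never appears in the logs at all. The last finding is the one most often missed: a zone that is silent because it is not being logged looks identical, in a dashboard, to a zone where nothing is happening.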


Aviatrix: Strengthening Defenses Against Salt Typhoon-Like Attacks

Aviatrix’s Secure Datacenter Edge is designed to help mitigate vulnerabilities like those exploited by Salt Typhoon’s GhostSPIDER malware. Here’s how Aviatrix reduces these risks:

  • Encrypted Dataplane – All traffic between on-prem, cloud, and edge environments is encrypted, preventing data interception even if attackers compromise the perimeter.
  • High-Performance Encryption (HPE) – For performance-intensive workloads, Aviatrix delivers line-rate encryption without sacrificing speed or throughput.
  • Network Segmentation – Aviatrix’s Distributed Cloud Firewall Solution uses network segmentation to embed security in the fabric of your network.
  • Comprehensive Visibility – Our single-pane-of-glass solution gives you a real-time view of all cloud accounts, edge locations, gateway statuses, traffic flows, anomalies, and possible threats in your network.


Key Takeaways

  • GhostSPIDER exploits vulnerabilities like insufficient encryption or poorly guarded access points
  • The hack exposes systemic vulnerabilities across all industries
  • Consider solutions like Aviatrix’s High-Performance Encryption to protect your network