Cyber Centre Advisory: Mitigating China’s Targeting of Network Edge Routers and Best Practices for Protection

The Canadian Centre for Cyber Security (Cyber Centre) has issued a cybersecurity advisory regarding increased activity by threat actors linked to the People’s Republic of China, in particular the group tracked as Salt Typhoon, targeting network edge routers in critical infrastructure sectors. These actors exploit misconfigured and unpatched routers to gain a foothold, then monitor, modify, and exfiltrate traffic and data, or pivot deeper into the network. Common weaknesses include management services exposed to the Internet, weak configurations, poor or outdated cryptography, and unpatched software. Once on a device, the actors often modify the router configuration to maintain persistent access or to facilitate lateral movement. They also exfiltrate configuration files, which frequently contain credentials, SNMP community strings, and peer details stored in plaintext or in reversible form; these are used to gather further sensitive information or to crack passwords for deeper access.

To mitigate these threats, the Cyber Centre recommends several best practices. Organizations should disable unnecessary and insecure services on edge devices and enforce secure authentication, including phishing-resistant multi-factor authentication for administrative access and strong, non-default passwords. Security updates should be applied promptly in line with the manufacturer’s patching guidance, and every device should run a supported, current firmware version. Management and control-plane traffic should use strong cryptography, for example AES-256 for encryption and TLS 1.3 (or SSH version 2) for transport, rather than plaintext protocols such as Telnet, HTTP, or SNMPv1/v2c. Device logs should be forwarded over an encrypted channel to a centralized collector off the device, so that an intruder who controls the router cannot quietly alter or erase them. Finally, establishing a baseline of normal network and device behaviour, combined with centralized logging and alerting, helps defenders spot unusual activity such as unexpected configuration changes and shortens the time to detect an incident. Organizations are urged to follow these recommendations to strengthen the security of their edge devices and protect their networks from evolving cyber threats. For more detailed information and guidance, please refer to the Cyber Centre advisory.
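The following script is an added example, not part of the Cyber Centre advisory and not a tool it recommends. It audits a constructed, IOS-style router configuration for the weaknesses the advisory describes: plaintext management services, default SNMP community strings, SSH version 1, missing remote logging, and reversible password storage. The hostname, addresses, and configuration lines are invented for illustration. It also shows why an exfiltrated configuration is so valuable to an attacker: Cisco "type 7" password strings are a fixed-key XOR obfuscation, not encryption, and the decoder below recovers them instantly.

```python
"""Audit a router configuration for the weak settings an edge-device intruder relies on.

Constructed example for illustration; the sample config below is not from a real device.
"""
import re

# Well-known constant key used by the reversible Cisco "type 7" obfuscation.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Recover the plaintext of a type 7 string: 2-digit seed, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])) for i, b in enumerate(body))


def encode_type7(plain: str, seed: int = 0) -> str:
    """Produce a type 7 string (used here only to build test vectors)."""
    return f"{seed:02d}" + "".join(
        f"{ord(c) ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]):02X}" for i, c in enumerate(plain)
    )


# Constructed sample configuration (hypothetical hostname and addresses).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable password 7 094F471A1A0A
username admin password 7 0822455D0A16
ip http server
snmp-server community public RO
ip ssh version 1
line vty 0 4
 transport input telnet ssh
 login local
ntp server 10.0.0.5
logging host 10.0.0.20
"""

# (regex on the stripped line, finding code, remediation message)
CHECKS = [
    (r"^enable password ", "WEAK_AUTH",
     "'enable password' stores a reversible secret; use 'enable secret' with a type 8/9 hash"),
    (r"^ip http server$", "INSECURE_SERVICE",
     "plaintext HTTP management enabled; disable it or allow only 'ip http secure-server'"),
    (r"^snmp-server community \S+", "INSECURE_SERVICE",
     "SNMPv1/v2c community string (unauthenticated, plaintext); prefer SNMPv3 authPriv"),
    (r"^transport input .*\btelnet\b", "INSECURE_SERVICE",
     "Telnet accepted on a VTY line; restrict to 'transport input ssh'"),
    (r"^ip ssh version 1$", "WEAK_CRYPTO", "SSHv1 enabled; set 'ip ssh version 2'"),
]


def audit(config: str) -> list[dict]:
    """Return findings as dicts {line, code, msg}; line 0 marks a config-wide finding."""
    findings = []
    saw_remote_logging = False
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("logging host "):
            saw_remote_logging = True
        for pattern, code, msg in CHECKS:
            if re.match(pattern, line):
                findings.append({"line": n, "code": code, "msg": msg})
        # Type 7 strings: two-digit seed followed by an even number of hex digits.
        m = re.search(r"\bpassword 7 (\d{2}(?:[0-9A-Fa-f]{2})+)\b", line)
        if m:
            plain = decode_type7(m.group(1))
            findings.append({"line": n, "code": "WEAK_CRYPTO",
                             "msg": f"type 7 string is reversible; recovered plaintext: {plain!r}"})
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append({"line": n, "code": "DEFAULT_CREDENTIAL",
                             "msg": f"default SNMP community {m.group(1)!r}"})
    if not saw_remote_logging:
        findings.append({"line": 0, "code": "NO_REMOTE_LOGGING",
                         "msg": "no 'logging host' configured; logs stay on the device, where an intruder can alter them"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f['line']:>2}  {f['code']:<18} {f['msg']}")
```

Run against a real exported configuration, the same checks flag the settings to fix before a device is exposed; the type 7 decoder is the reason a leaked configuration must be treated as a credential compromise and every affected password rotated.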