China Hack Report: Daily US Tech Defense

China Crew Chews Cisco Email Gateways, Feds Furious

21 Dec 2025

Description

This is your China Hack Report: Daily US Tech Defense podcast.

Hey listeners, Ting here with your China Hack Report: Daily US Tech Defense, so let's jack straight into the wire.

The loudest alarm in the last 24 hours is still that China-nexus crew UAT-9686 chewing on Cisco's email defenses. Cisco Talos revealed that these state-backed hackers have been actively exploiting zero-day CVE-2025-20393 in Cisco Secure Email Gateway and Secure Email and Web Manager since late November, dropping custom AquaShell backdoors and AquaTunnel tunnels right into perimeter gear that many US agencies and enterprises treat as boring infrastructure. According to Cisco's advisory and a roundup by The Hacker News and Help Net Security, once they land, they wipe logs and sit tight, turning your mail gateway into their personal command hub.

Shadowserver's Peter Kijewski told TechCrunch that exposure looks like "hundreds" of organizations worldwide, with dozens of affected systems already seen in the United States, plus India and Thailand. Censys scanned the internet and spotted about 220 vulnerable Cisco email gateways online, which is not doomsday scale but absolutely "high-value, high-leverage" territory for espionage against US government, defense contractors, and big tech.

Here's the spicy part: there is still no patch. Cisco is blunt: if you confirm compromise, you basically have to rebuild the appliance from scratch to kick the intruders out. CISA has already shoved CVE-2025-20393 into its Known Exploited Vulnerabilities catalog and ordered US federal agencies to hunt for signs of UAT-9686 and remediate by December 24.

The guidance is classic but urgent: isolate exposed Secure Email and Web Manager and Secure Email Gateway appliances, pull forensic images, comb for unauthorized admin accounts and weird processes, rotate any credentials that ever touched those boxes, and then reinstall from clean images before restoring mail flow.

While that fire burns, US defenders are also juggling the China-linked LongNosedGoblin and Ink Dragon espionage crews. ESET and Check Point report that these groups are abusing Windows Group Policy, ShadowPad, and FINALDRAFT malware to quietly target government networks in Southeast Asia, Japan, and increasingly Europe. That might sound far away, but CISA and the Office of the National Cyber Director are treating it as a playbook preview for similar operations against US agencies and defense supply chains.

Layer on top of that a Washington drumbeat: Breached Company reports Senator Tom Cotton warning that China is systematically burrowing into open-source software used in US defense systems, and Google and BleepingComputer tying more Chinese operators to large-scale React2Shell exploitation, a vulnerability CISA already forced agencies to emergency-patch earlier this month.

Immediate homework for US tech and defense listeners: inventory any Cisco email security appliances facing the internet, follow Cisco Talos and CISA hardening guidance, assume compromise if logs look off, and tighten monitoring around identity systems and Group Policy changes. And, please, do not let "just the mail gateway" be your famous last words.

Thanks for tuning in, stay patched, stay paranoid, and don't forget to subscribe. This has been a quiet please production, for more check out quiet please dot ai.

For more: http://www.quietplease.ai

Get the best deals: https://amzn.to/3ODvOta

This content was created in partnership and with the help of Artificial Intelligence (AI).
