
China Hack Report: Daily US Tech Defense

China Hacks Cisco Email for Spy Ops as React2Shell & GPO Flaws Rage On

19 Dec 2025

Description

This is your China Hack Report: Daily US Tech Defense podcast.

Hey listeners, Ting here with your China Hack Report: Daily US Tech Defense, so let’s jack straight into what’s been lighting up dashboards in the last 24 hours.

Top of the board is Cisco’s nightmare zero‑day, CVE‑2025‑20393, in Cisco Secure Email Gateway and Secure Email and Web Manager. Cisco Talos and Cisco’s own advisory say a China‑nexus APT tracked as UAT‑9686, with overlap to APT41 and UNC5174, has been hammering unpatched appliances using a bug in AsyncOS to get full system‑level code execution. TechRadar and SecurityWeek report the attackers dropping a custom Python backdoor called AquaShell, plus AquaTunnel and Chisel for reverse SSH tunneling, and AquaPurge to wipe logs, giving long‑term stealthy access to email flows and attached data.

CISA has now shoved CVE‑2025‑20393 into its Known Exploited Vulnerabilities catalog and given US federal agencies a do‑or‑die: follow Cisco’s mitigations or rip vulnerable boxes out of production by December 24. Cisco’s guidance boils down to: disable Spam Quarantine exposure to the internet, lock access to management interfaces behind VPN or zero‑trust, monitor for AquaShell‑style artifacts, and harden logging so AquaPurge‑type tools don’t blind you.

Zooming out, Telefonica Tech’s weekly briefing says China‑linked teams are also all over the React2Shell bug, CVE‑2025‑55182, in React Server Components. Google’s Threat Analysis Group ties multiple Chinese espionage clusters—UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595—to exploitation, using custom malware families like MINOCAT, SNOWLIGHT, COMPOOD, and updated HISONIC implants to hit cloud‑heavy environments and SaaS‑driven sectors, the same stack many US tech and SaaS providers live on.

Western Illinois University’s cyber news roundup, pulling from The Hacker News, adds more China‑aligned action: the Ink Dragon group, also called Jewelbug, Earth Alux, and REF7707 by Check Point Research, is ramping up government targeting with ShadowPad and FINALDRAFT malware, while a separate cluster dubbed LongNosedGoblin abuses Windows Group Policy to push espionage payloads across government domains. That’s a reminder for US state and local governments: your Active Directory and GPO hygiene is now very much a China‑facing attack surface.

On the defensive‑action front for US interests, CISA in the last day has highlighted several actively exploited issues that intersect with China‑linked tradecraft: critical flaws in ASUS Live Update from a supply‑chain compromise, a high‑severity Sierra Wireless router bug, and the React2Shell internet‑scale deserialization mess. Across all of these, CISA’s playbook is clear: patch on emergency timelines, inventory exposed devices and SaaS, move high‑value management planes off the open internet, and crank up behavioral detection for webshells, tunneling tools, and suspicious GPO changes.

So, for my blue‑team listeners in US tech, government, telecom, and cloud: tonight’s priorities are Cisco email gear, React2Shell in anything customer‑facing, and tight AD/GPO monitoring. If your SOC can’t say “we checked for AquaShell, AquaTunnel, and weird React2Shell traffic today,” you’re flying blind.

Thanks for tuning in, and don’t forget to subscribe for your daily dose of China cyber chaos decoded.
This has been a Quiet Please production; for more, check out quietplease.ai (http://www.quietplease.ai).

This content was created in partnership and with the help of Artificial Intelligence (AI).
