WRAVEN Advisory

A breakdown of the joint advisory on a Chinese state-sponsored espionage campaign targeting routers (AA25-239A)

Date: September 2025
Classification: Public (TLP:CLEAR)
Sources: NSA, CISA, FBI, DC3, and 19 international partners

About WRAVEN

WRAVEN (Western Research Advisory for Vulnerabilities, Exploits & Networks) is a student-run cybersecurity research group at Western Michigan University. Our researchers and analysts track active threats, study how adversaries operate, and publish intelligence that is both accessible to the public and useful for professionals.

We aim to contribute to the broader security community by making complex government advisories digestible, highlighting what defenders should care about, and pushing fresh data into our public dashboards.

Executive Summary

A multinational advisory warns that Chinese state-sponsored actors are compromising backbone and edge routers across the globe to feed a long-running global espionage system. The campaign exploits known vulnerabilities, modifies router configurations for persistence, and turns built-in features (traffic mirroring, tunnels, SNMP) against their owners to silently capture traffic and credentials.

This is not smash-and-grab ransomware. It is quiet, long-term access at the infrastructure level. Universities, mid-size organizations, and anyone with exposed edge gear should take note.

Why This Matters

  • Global coalition: The advisory is co-sealed by agencies from the U.S., UK, Canada, Australia, New Zealand, several EU member states, and Japan, a rare signal of scale and urgency.

  • Sectors hit: Telecom operators are primary targets, but government, transportation, lodging, military, and higher education networks are also in scope.

  • Scale: Open reporting links the campaign to roughly 600 organizations in 80+ countries.

  • Operational reality: The actors don't need zero-days. They succeed by exploiting unpatched CVEs and leaving only subtle traces in device configurations.

Technical Breakdown

Initial Access

  • Exploiting known CVEs on internet-exposed edge devices (VPN gateways, firewalls, routers).

  • High-priority CVEs to patch:

    • CVE-2024-21887 — Ivanti Connect Secure / Policy Secure command injection

    • CVE-2024-3400 — Palo Alto Networks PAN-OS GlobalProtect command injection (unauthenticated RCE)

    • CVE-2023-20198 + CVE-2023-20273 — Cisco IOS XE web UI chain (privilege escalation to a level-15 account, then command injection to root)

    • CVE-2018-0171 — Cisco IOS / IOS XE Smart Install RCE (exposed on TCP 4786)

Persistence & Behavior

  • ACL tampering: Permitting attacker-controlled IPs, often by editing standard numbered ACLs 10, 20 or 50.

  • Management ports: SSH moved to high, non-standard ports following a 22x22 or xxx22 pattern; web UI listeners on ports in the 18xxx range.

  • Guest Shell / containers (Cisco): Running Python scripts, capturing configs and staging files inside the Linux container, where the activity is not reflected in the router's own syslog.

  • SNMP abuse: GET/WALK for reconnaissance, SET to change device behavior.

  • Traffic collection: SPAN, RSPAN and ERSPAN mirroring, GRE/IPsec tunnels, and static routes that steer mirrored traffic to actor infrastructure for covert exfiltration.

  • Defense evasion: Disabling logging, double-URL-encoded paths in WSMA requests, and on-device credential theft, including capture of authentication traffic such as TACACS+.

Indicators & Artifacts

The advisory provides IOCs in STIX format for ingestion.
Key observable patterns WRAVEN recommends hunting for:

  • WSMA endpoint access with double URL encoding (/%2577eb%2575i_%2577sma_Http, which decodes twice to /webui_wsma_Http).

  • New ACL entries permitting unfamiliar IP ranges.

  • Sudden appearance of non-standard SSH/HTTP ports.

  • Creation of unexpected local users on network devices.

  • SNMP activity using default community strings (public/private) or SET operations from odd sources.

  • Configuration changes adding SPAN/RSPAN/ERSPAN sessions.
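The double-encoding indicator above is easy to miss with a plain string match, because the raw request never contains "webui_wsma". The following hunt, written for this WRAVEN summary as an added example (not code from the advisory), percent-decodes each request path repeatedly, counts how many encoding layers were stacked, and flags requests that only reach the WSMA endpoint after two passes. The access-log lines are constructed; the client addresses are RFC 5737 documentation ranges standing in for real actor infrastructure.

```python
"""Hunt for double-URL-encoded requests to the Cisco IOS XE WSMA endpoint.

Added example for this WRAVEN summary, not code from the advisory. The
access-log lines below are constructed; the client addresses are RFC 5737
documentation ranges and stand in for real actor infrastructure.
"""
import re
from urllib.parse import unquote

# Case-folded form that the advisory's indicator decodes to after two passes.
WSMA_PATH = "/webui_wsma_http"

# Apache/nginx-style combined log lines (constructed for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Aug/2025:10:15:01 +0000] "POST /%2577eb%2575i_%2577sma_Http HTTP/1.1" 200 512
192.0.2.50 - - [27/Aug/2025:10:15:05 +0000] "GET /webui/ HTTP/1.1" 200 1024
203.0.113.7 - - [27/Aug/2025:10:16:44 +0000] "POST /webui_wsma_Http HTTP/1.1" 200 498
198.51.100.9 - - [27/Aug/2025:10:17:00 +0000] "GET /%77ebui/ HTTP/1.1" 404 0
"""

REQUEST_RX = re.compile(r'^(\S+) .*?"(GET|POST|PUT|DELETE) (\S+) HTTP/')


def decode_layers(path, max_rounds=4):
    """Repeatedly percent-decode `path` until it stops changing.

    Returns every intermediate form, so len(result) - 1 is the number of
    encoding layers the client stacked on the request.
    """
    layers = [path]
    for _ in range(max_rounds):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def classify_request(path):
    """Score one request path: how many encoding layers, and does it land on WSMA?"""
    layers = decode_layers(path)
    rounds = len(layers) - 1
    targets_wsma = layers[-1].lower().startswith(WSMA_PATH)
    if targets_wsma and rounds >= 2:
        severity = "high"    # the exact pattern called out in AA25-239A
    elif targets_wsma:
        severity = "review"  # legitimate endpoint, but confirm who is calling it
    elif rounds >= 1:
        severity = "low"     # encoding obfuscation toward some other target
    else:
        severity = "none"
    return {"path": path, "decoded": layers[-1], "rounds": rounds,
            "wsma": targets_wsma, "severity": severity}


def hunt(log_text):
    """Parse log lines and return one finding per request, in file order."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RX.match(line)
        if not m:
            continue
        client, method, path = m.groups()
        result = classify_request(path)
        result.update(client=client, method=method)
        findings.append(result)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        if f["severity"] != "none":
            print(f"{f['severity']:6} {f['client']:14} {f['method']} {f['path']}"
                  f" -> {f['decoded']} ({f['rounds']} decode rounds)")
```

Decoding until the string stabilizes, rather than exactly twice, also catches triple-encoded variants; the round count is kept in the finding so a single-encoded request to an unrelated path is reported at low severity instead of being dropped.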

WRAVEN Hunt Pack

Quick hunts defenders can run today:

1. Management Ports
Look for routers exposing SSH on high ports (22x22 or xxx22 patterns) or the web UI on 18xxx ports, and compare against the ports your change records say should be open.

2. Guest Shell / IOx Abuse
Detect guestshell enable, guestshell run bash, and no iox in device logs. Forward container logs off-box, since router syslog does not cover what runs inside Guest Shell.

3. ACL & AAA Changes
Alert on modifications to numbered ACLs 10, 20 or 50 and to any ACL applied to the management plane. Track new TACACS+/RADIUS server definitions.

4. Traffic Mirroring & Tunneling
Hunt for new SPAN/RSPAN/ERSPAN sessions, GRE/IPsec tunnel interfaces, or static routes that have no matching change ticket.

5. SNMP
Look for SNMP SET operations and any remaining v1/v2c community strings. Move all infrastructure to SNMPv3 with authentication and privacy (authPriv).
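Most of the hunt-pack items above, and the config re-baselining step under Mitigation Priorities below, reduce to one check: what is in the running config that was not in the golden image, and do any of those additions match the advisory's persistence patterns? The script below does exactly that over a constructed IOS-style golden config and a constructed running config that contains each of the additions the advisory describes. It is an added example written for this WRAVEN summary, not code from the advisory; the hostnames, usernames and 203.0.113.x / 192.0.2.x addresses are placeholders from the RFC 5737 documentation ranges.

```python
"""Diff a router's running config against its golden baseline and flag
additions that match the persistence patterns in AA25-239A.

Added example for this WRAVEN summary; not code from the advisory. Both
configs are constructed IOS-style snippets and every address is an RFC 5737
placeholder (203.0.113.7 plays the actor's host).
"""
import re
from collections import Counter

GOLDEN = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$placeholder
ip ssh version 2
ip http secure-server
logging host 192.0.2.10
access-list 10 permit 192.0.2.0 0.0.0.255
snmp-server group MONITOR v3 priv
interface GigabitEthernet0/0/1
 ip address 192.0.2.1 255.255.255.0
"""

# The same device after the actor has been through it (constructed).
RUNNING = GOLDEN + """\
username svc_backup privilege 15 secret 9 $9$placeholder2
ip ssh port 22022 rotary 1
ip http port 18080
access-list 20 permit 203.0.113.7
snmp-server community private RW
tacacs server ROGUE
 address ipv4 203.0.113.8
iox
monitor session 1 source interface GigabitEthernet0/0/1
monitor session 1 destination interface GigabitEthernet0/0/2
interface Tunnel100
 tunnel mode gre ip
 tunnel destination 203.0.113.7
ip route 203.0.113.0 255.255.255.0 192.0.2.254
no logging console
"""

# (finding name, regex applied to each *added* config line). Port rules use
# a negative lookahead so the standard port does not trip them.
RULES = [
    ("ssh_nonstandard_port",   re.compile(r"^ip ssh port (?!22\b)\d+")),
    ("webui_nonstandard_port", re.compile(r"^ip http (?:secure-)?port (?!80\b|443\b)\d+")),
    ("acl_10_20_50_permit",    re.compile(r"^access-list (?:10|20|50) permit ")),
    ("snmp_v2c_community",     re.compile(r"^snmp-server community \S+")),
    ("aaa_server_added",       re.compile(r"^(?:tacacs|radius) server |^tacacs-server host ")),
    ("iox_enabled",            re.compile(r"^iox\b")),
    ("span_session",           re.compile(r"^monitor session \d+ ")),
    ("tunnel_interface",       re.compile(r"^interface Tunnel\d+")),
    ("gre_tunnel",             re.compile(r"^\s*tunnel (?:mode gre|destination) ")),
    ("static_route",           re.compile(r"^ip route ")),
    ("new_local_user",         re.compile(r"^username \S+ ")),
    ("logging_disabled",       re.compile(r"^no logging ")),
]


def config_lines(text):
    """Normalise a config dump: drop blanks and '!' separators, keep indentation."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")]


def added_lines(golden, running):
    """Lines present in the running config but absent from the baseline."""
    baseline = set(config_lines(golden))
    return [ln for ln in config_lines(running) if ln not in baseline]


def hunt(golden, running):
    """Return (rule name, offending line) for every added line a rule matches."""
    findings = []
    for ln in added_lines(golden, running):
        for name, rx in RULES:
            if rx.match(ln):
                findings.append((name, ln.strip()))
    return findings


def summarize(findings):
    """Count findings per rule, handy for a dashboard tile."""
    return dict(Counter(name for name, _ in findings))


if __name__ == "__main__":
    for name, line in hunt(GOLDEN, RUNNING):
        print(f"{name:24} {line}")
```

Running the rules only over the diff keeps the baseline's own ACL 10 and v3 SNMP group out of the alert stream; the unmatched " address ipv4" line under the rogue TACACS+ server shows that context lines ride along with their parent stanza and are what an analyst should pull when triaging a hit.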

Mitigation Priorities

  1. Patch edge devices immediately. Start with the Ivanti, Palo Alto, and Cisco IOS XE CVEs listed above.

  2. Restrict management access. Disable unused web UIs, enforce MFA on VPN and admin access, and restrict the management plane with ACLs.

  3. Centralize logs. Do not rely on router-local logging, which the actors disable; forward syslog to a SIEM.

  4. Re-baseline configs. Regularly diff running configs against golden images and investigate every unexplained addition.

  5. Coordinate eviction. Plan cutovers carefully: patching one device while leaving others compromised tips off the actors and lets them re-enter.

Guidance for Discovery

If compromise is suspected:

  • Stage 1: Recon. Quietly capture configs, ACLs, AAA settings, tunnels, and local user accounts before changing anything.

  • Stage 2: Containment. Centralize logging, snapshot flows, identify all footholds.

  • Stage 3: Eviction. Patch, rotate credentials, remove tunnels and backdoors in a coordinated action.

  • Stage 4: Monitor. Alert on re-use of the weak vectors and on any unexpected config change.

OpenCTI / Watchtower Integration

  • Import AA25-239A IOCs (STIX) directly into OpenCTI.

  • Tag entities:

    • country:CN

    • Intrusion sets: Salt Typhoon, RedMike, UNC5807

    • ATT&CK TTPs: persistence via ACLs, Guest Shell, SNMP abuse, covert tunnels

  • Link vulnerabilities to TTPs and targets.

  • Publish a Watchtower card with:

    • Top CVEs to patch

    • Observable hunt patterns

    • WRAVEN timestamped summary
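Before a STIX bundle goes into OpenCTI it is worth flattening it into plain lists, both to feed ACLs and SIEM watchlists that do not speak STIX and to see which indicators the bundle actually attributes to an intrusion set. The script below does that for a constructed STIX 2.1 bundle shaped like a CISA release. It is an added example written for this WRAVEN summary, not code from the advisory or from OpenCTI; the bundle's values are RFC 5737 and RFC 2606 placeholders, not the AA25-239A indicators, and the intrusion-set name is made up.

```python
"""Flatten a STIX 2.1 indicator bundle into hunt-ready lists.

Added example for this WRAVEN summary, not code from the advisory or
OpenCTI. SAMPLE_BUNDLE is constructed to mirror the shape of a CISA STIX
release; its values are RFC 5737 / RFC 2606 placeholders, not real IOCs.
"""
import json
import re

IS_ID = "intrusion-set--00000000-0000-4000-8000-000000000010"
IND_A = "indicator--00000000-0000-4000-8000-000000000020"
IND_B = "indicator--00000000-0000-4000-8000-000000000021"
IND_C = "indicator--00000000-0000-4000-8000-000000000022"
IND_D = "indicator--00000000-0000-4000-8000-000000000023"

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "intrusion-set", "id": IS_ID, "name": "Example Intrusion Set"},
        {"type": "indicator", "id": IND_A, "pattern_type": "stix",
         "valid_from": "2025-08-27T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "id": IND_B, "pattern_type": "stix",
         "valid_from": "2025-08-27T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.8' OR ipv4-addr:value = '198.51.100.9']"},
        {"type": "indicator", "id": IND_C, "pattern_type": "stix",
         "valid_from": "2025-08-27T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.example.invalid']"},
        # Non-STIX pattern languages carry no extractable literal; skip, don't guess.
        {"type": "indicator", "id": IND_D, "pattern_type": "snort",
         "valid_from": "2025-08-27T00:00:00Z",
         "pattern": 'alert tcp any any -> any 22022 (msg:"placeholder";)'},
        {"type": "relationship", "relationship_type": "indicates",
         "source_ref": IND_A, "target_ref": IS_ID},
    ],
})

# Matches `type:value = 'literal'` comparisons. Requiring a bare '=' means
# `!=`, LIKE and MATCHES clauses are never turned into blocklist entries.
COMPARISON_RX = re.compile(r"([a-z0-9-]+):value\s*=\s*'((?:[^'\\]|\\.)*)'")


def extract_observables(pattern):
    """Return (object type, literal) pairs from a STIX pattern string.

    Handles the comparison expressions joined by AND/OR that advisory
    bundles use; anything more exotic simply yields no pairs.
    """
    return COMPARISON_RX.findall(pattern)


def flatten(bundle_json):
    """Produce {type: [values]}, per-value attribution, and skipped indicators."""
    bundle = json.loads(bundle_json)
    names = {o["id"]: o.get("name", o["id"])
             for o in bundle["objects"] if o["type"] == "intrusion-set"}

    # indicator id -> intrusion-set names it "indicates"
    attributed = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o.get("relationship_type") == "indicates":
            attributed.setdefault(o["source_ref"], []).append(
                names.get(o["target_ref"], o["target_ref"]))

    by_type, attribution, skipped = {}, {}, []
    for o in bundle["objects"]:
        if o["type"] != "indicator":
            continue
        if o.get("pattern_type", "stix") != "stix":
            skipped.append((o["id"], o.get("pattern_type")))
            continue
        for otype, value in extract_observables(o["pattern"]):
            by_type.setdefault(otype, set()).add(value)
            for who in attributed.get(o["id"], []):
                attribution.setdefault(value, set()).add(who)

    return {"by_type": {k: sorted(v) for k, v in by_type.items()},
            "attribution": {k: sorted(v) for k, v in attribution.items()},
            "skipped": skipped}


if __name__ == "__main__":
    print(json.dumps(flatten(SAMPLE_BUNDLE), indent=2))
```

The attribution map is what the country:CN and intrusion-set tags above should be driven from: only the indicator with an explicit "indicates" relationship is attributed here, so a value that merely appears in the same bundle is not silently tagged as belonging to a named actor.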

Conclusion

This campaign is a reminder that routers and switches are not appliances you can “set and forget.” They are prime espionage footholds.

WRAVEN will continue to track this activity in Watchtower, publish hunt guides, and make indicators accessible for the community. If you operate exposed network infrastructure, patch today, audit configs tomorrow, and monitor continuously.

Further Reading & IOCs:

Contact WRAVEN:
Email: [email protected]
Phone: (269) 359-1036