This is your Red Alert: China's Daily Cyber Moves podcast.
I’m Ting, your favorite cyber-wizard with an extra scoop of China expertise, and I promise you this: buckle up, because today's cyber news is hotter than a Szechuan hotpot at DEF CON.
Right off, here’s the juice—early this morning, CISA pumped out a nationwide emergency alert to all federal agencies, warning of active Chinese state-backed offensives hammering U.S. energy and transportation infrastructure. The name pinging everywhere? Volt Typhoon. Sound familiar? It should, because these folks have practically claimed squatters’ rights in American critical systems since 2024, but things just escalated. The latest CISA advisory warns that Volt Typhoon is now exploiting a newly discovered RADIUS code execution flaw in Cisco’s Secure Firewall Management Center, CVE-2025-20265, which, get this, is a perfect 10 on the severity scale. According to Cisco and researchers at Western Illinois University, this means unauthenticated attackers can just walk in and make your firewall do whatever they want—a cyber gatecrasher's dream.
Timeline check: just after 3 a.m. Eastern, monitoring at multiple utilities flagged mystery RADIUS logins from Chinese source IPs. By 5 a.m., network traffic was rerouting through attacker-controlled GRE tunnels, letting Volt Typhoon siphon off configuration data and NetFlow to exfil points overseas. Simultaneously, in the pre-dawn Dallas heat, at least one rail operations center went into fire drill mode as ICS protocols tripped. The techs at CISA were pulling overtime by sunrise, issuing emergency directives to kill Smart Install features on Cisco network gear—yup, the same path exploited by Salt Typhoon, another China-aligned actor, late last year. A virtual relay race of intrusion: one flaw, multiple adversaries, everyone sprinting for access.
You want attack patterns? Here’s what’s hot: hands-on, living-off-the-land, no flashy malware—these teams are using compromised remote admin tools, custom open-source mods, and NetFlow exfil to look as mundane as your IT guy changing the toner. They’re even embedding instructions in fake AI CAPTCHAs; Guardio Labs calls it the PromptFix exploit—a generative AI-era spin on old-school clickjacking, only now with machine learning gullibility thrown in.
Let’s get tactical. CISA’s emergency playbook says: patch every Cisco system immediately, kill Smart Install if you’re running anything older than lunch, review all remote admin access, and, if you run industrial control or OT, hunt for odd GRE tunnels and surprise RADIUS logins. The FBI and CISA are screaming: “assume breach until proven otherwise.” If you see anything off, escalate, don’t hesitate.
What’s next if this escalates? If Volt Typhoon pivots from espionage to disruption, expect staged outages or even ransomware masking data-wipe attacks. Emergency comms, transport, and energy could feel it first—think Colonial Pipeline, but with more polish and deeper persistence. The White House isn’t blinking: National Security Memorandum mandates real-time sector threat sharing, but everyone—private or public—should treat mitigation as DEFCON 2. And don’t think this will stay just a “China vs. US” thing. Collateral targets: Taiwan already reported a surge of manipulations across web hosts yesterday by APTs tracing back to mainland China.
So, listeners, reality check—with China’s offensive toolkit multiplying by the day and AI now in the mix, cyber defense absolutely has to be everyone’s game, not just Uncle Sam’s. Thanks for tuning in. Don’t forget to subscribe for more jolt-to-the-system intel. This has been a Quiet Please production; for more, check out quiet please dot ai.
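The hunt the playbook segment calls for (Smart Install still on, odd GRE tunnels, RADIUS logins that do not fit), as an added example that is not from the podcast, CISA or Cisco: a small Python script that checks a constructed IOS-style config fragment and scans constructed RADIUS login lines. KNOWN_PEERS, ADMIN_NETS, BUSINESS_HOURS and the log line format are assumptions standing in for whatever a real environment documents.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed IOS-style config fragment and syslog-style RADIUS login lines (not real data).
CONFIG = """\
interface Tunnel0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
interface Tunnel1
 tunnel destination 198.51.100.5
 tunnel mode gre ip
!
"""
LOG_LINES = [
    "2025-08-14T03:12:41 edge-rtr-01 RADIUS-LOGIN user=admin src=203.0.113.77",
    "2025-08-14T09:30:05 edge-rtr-01 RADIUS-LOGIN user=netops src=10.20.0.15",
    "2025-08-14T04:02:19 edge-rtr-01 RADIUS-LOGIN user=svc-backup src=10.20.0.40",
]
KNOWN_PEERS = [ip_network("198.51.100.0/24")]  # assumed: documented GRE endpoints
ADMIN_NETS = [ip_network("10.20.0.0/16")]      # assumed: jump-host range for admin logins
BUSINESS_HOURS = range(6, 20)                  # assumed: expected change window (local hour)
LOG_RE = re.compile(r"^\S+T(\d\d):\d\d:\d\d \S+ RADIUS-LOGIN user=(\S+) src=(\S+)$")

def config_findings(cfg: str) -> list[str]:
    """Flag Smart Install left enabled and GRE tunnels whose peer is not documented."""
    findings = []
    # Smart Install is on by default on many IOS switches; 'no vstack' is what turns it off.
    if not re.search(r"^no vstack\s*$", cfg, re.M):
        findings.append("smart-install-not-disabled")
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", cfg, re.M):
        name, body = m.group(1), m.group(2)
        dst = re.search(r"tunnel destination (\S+)", body)
        peer = ip_address(dst.group(1)) if dst else None
        if "tunnel mode gre" in body and (peer is None or not any(peer in n for n in KNOWN_PEERS)):
            findings.append(f"unexpected-gre:{name}:{peer}")
    return findings

def login_findings(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (user, src, reason) for logins from outside ADMIN_NETS or outside hours."""
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):
        hour, user, src = int(m.group(1)), m.group(2), ip_address(m.group(3))
        if not any(src in n for n in ADMIN_NETS):
            findings.append((user, str(src), "source-outside-admin-nets"))
        elif hour not in BUSINESS_HOURS:
            findings.append((user, str(src), "outside-change-window"))
    return findings
```

Run the two functions over exported configs and authentication logs; every finding is a lead to confirm against change tickets, not proof of compromise by itself.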