This is your China Hack Report: Daily US Tech Defense podcast.
Hey listeners, Ting here with your China Hack Report: Daily US Tech Defense, so let’s jack straight into the last 24 hours.
According to SecurityAffairs, Chinese‑speaking attackers are still riding that VMware ESXi exploit chain, originally delivered via a hacked SonicWall VPN, to escape virtual machines and burrow into data centers. That toolkit may have been in the wild for over a year before disclosure, which means any US cloud, SaaS, or university lab still running unpatched ESXi is basically leaving the side door open for data theft and lateral movement across critical research and hosted government workloads.
SecurityAffairs also highlights a China‑linked espionage crew dubbed UAT‑7290, which has been quietly targeting telecom providers since at least 2022. Think about what that means for US interests: even if the primary victims are in South Asia or Southeastern Europe, telecom backbones carry US diplomatic, defense, and contractor traffic every day. Once an operator’s core is compromised, lawful intercept systems, routing configs, and subscriber metadata become a buffet for mapping US communications patterns.
Government Technology’s Dan Lohrmann points out that the FBI’s “Salt Typhoon” campaign against US telecoms, revealed last year, was “much worse and more widespread” than initially believed. Salt Typhoon is a China‑nexus operation, and the updated insight is that they weren’t just poking at edge boxes; they were systematically working on long‑term access to carrier infrastructure, the same kind of foothold UAT‑7290 seems to love.
On the vulnerability front, SecurityAffairs notes that CISA just added HPE OneView and Microsoft Office PowerPoint bugs to its Known Exploited Vulnerabilities catalog, meaning adversaries, including China‑linked groups, are actively abusing them. For US enterprises, HPE OneView sits in the heart of data center management; once that’s popped, firmware, servers, and storage can all be manipulated. Toss in weaponized PowerPoint files, and you’ve got phishing paths straight into US government contractors and critical infrastructure operators.
SecurityAffairs also reports active exploitation of a critical remote command execution flaw, CVE‑2026‑0625, in older D‑Link DSL routers. Those boxes still lurk in small utilities, local government offices, and mom‑and‑pop defense subcontractors. They’re perfect launchpads for China‑linked botnets to pivot into US operational networks or mask traffic for higher‑value intrusions.
So what are the immediate defensive moves? CISA’s KEV guidance is blunt: if a product is on that list, prioritize patching or isolation now, not “next sprint.” For today that means: upgrade or replace vulnerable HPE OneView deployments; push Office updates and block PowerPoint macros from the internet; rip and replace legacy D‑Link DSL gear where possible, or shove it behind strict firewall rules and disable remote admin completely.
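As an added illustration of the KEV-first triage described above (example code, not part of the podcast), here is a small Python script that matches a constructed asset inventory against a constructed excerpt shaped like CISA's Known Exploited Vulnerabilities JSON feed. Only CVE‑2026‑0625 comes from the report; the other CVE IDs, hostnames, and due dates are placeholders, and the feed field names are assumed from the public KEV schema.

```python
import json

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only CVE-2026-0625 is from the report; the other CVE IDs and dates are placeholders.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-0625", "vendorProject": "D-Link", "product": "DSL routers",
         "requiredAction": "Apply mitigations or discontinue use", "dueDate": "2026-03-01"},
        {"cveID": "CVE-PLACEHOLDER-1", "vendorProject": "Hewlett Packard Enterprise",
         "product": "OneView", "requiredAction": "Apply updates per vendor instructions",
         "dueDate": "2026-03-05"},
        {"cveID": "CVE-PLACEHOLDER-2", "vendorProject": "Microsoft", "product": "Office",
         "requiredAction": "Apply updates per vendor instructions", "dueDate": "2026-03-10"},
    ]
})

# Constructed asset inventory: (hostname, vendor, product, end-of-life flag)
INVENTORY = [
    ("dsl-gw-01", "d-link", "DSL routers", True),
    ("mgmt-ov-01", "hewlett packard enterprise", "OneView", False),
    ("ws-042", "microsoft", "Office", False),
    ("esxi-07", "vmware", "ESXi", False),  # not in the sample feed, so not flagged
]

def load_kev(raw_json):
    """Index KEV entries by (vendor, product), lower-cased for case-insensitive matching."""
    index = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index

def prioritize(inventory, kev_index):
    """Return KEV-listed assets, earliest due date first; EOL gear gets 'isolate or replace'."""
    hits = []
    for host, vendor, product, eol in inventory:
        for entry in kev_index.get((vendor.lower(), product.lower()), []):
            action = "isolate or replace" if eol else "patch"
            hits.append({"host": host, "cve": entry["cveID"],
                         "due": entry["dueDate"], "action": action})
    return sorted(hits, key=lambda h: h["due"])

if __name__ == "__main__":
    for hit in prioritize(INVENTORY, load_kev(KEV_SAMPLE)):
        print(f'{hit["due"]}  {hit["host"]:12} {hit["cve"]:20} -> {hit["action"]}')
```

Swap in the live feed and your CMDB export and the same two functions give a due-date-ordered worklist; assets with no KEV match (like the ESXi host here) still need the separate patch check the report calls for.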
This content was created in partnership and with the help of Artificial Intelligence (AI).