Cisco Confirms Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks

Feb 21, 2025 | Ravie Lakshmanan | Network Security / Risk

A Chinese threat actor known as Salt Typhoon gained entry through a known security flaw tracked as CVE-2018-0171, as well as by obtaining legitimate victim login credentials, as part of a targeted campaign aimed at major U.S. telecommunications companies, according to Cisco.

The threat actor demonstrated the ability to remain in target environments for an extended period of time, maintaining access in one instance for more than three years, according to Cisco Talos, which described the hackers as highly sophisticated and well-funded.

"The long timeline of this campaign suggests a high degree of coordination, planning, and patience — standard hallmarks of advanced persistent threat (APT) and state-sponsored actors."

The network equipment giant said that, contrary to a recent report from Recorded Future describing exploitation attempts involving the flaws tracked as CVE-2023-20198 and CVE-2023-20273, it found no evidence that any other known security flaws had been used by the threat actor.

The use of valid, stolen credentials to obtain initial access is a key component of the campaign, although it is not known at this time how those credentials were obtained. The threat actor has also been observed attempting to acquire credentials by harvesting network device configurations and decrypting local accounts that use weak password types.

"In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers," Talos noted. The purpose of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.

Another notable behavior exhibited by Salt Typhoon is the use of living-off-the-land (LOTL) techniques on network devices, which serve as pivot points between different telecom networks.

Because they offer a way for the adversary to remain undetected for a long period of time, it’s suspected that these devices are being used as intermediate relays to get to the intended final target or as a first hop for outbound data exfiltration operations.

Furthermore, Salt Typhoon has been observed altering network configurations to create local accounts, enable Guest Shell access, and facilitate remote access via SSH. The actor also uses a custom utility called JumbledPath, which allows them to execute a packet capture on a remote Cisco device through an actor-defined jump-host.

The Go-based ELF binary is also capable of clearing logs and disabling logging in an effort to conceal traces of the malicious activity and make forensic analysis more challenging. This is supplemented by periodic steps taken to erase relevant logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable.

"The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure," Cisco noted.

The threat actor “persisted in modifying the address of the loopback interface on a compromised switch and using that address to make SSH connections to additional devices within the target environment, effectively avoiding access control lists (ACLs ) in place on those devices.”

The company said it also identified "additional pervasive targeting" of Cisco devices with exposed Smart Install (SMI), followed by exploitation of CVE-2018-0171. It noted that this activity is unrelated to Salt Typhoon and does not share overlaps with any known threat actor or group.
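The behaviors described above (weak local password types, disabled logging, Guest Shell and local-account additions, loopback address changes, and exposed Smart Install) can be checked for in a running-config. The script below is an added defender-side example, not code from Cisco or from the article; it audits a constructed IOS-style config excerpt and reports drift from a baseline. The `no vstack` heuristic assumes a platform where Smart Install is on by default.

```python
import re

# Constructed sample running-config excerpt; hostnames, addresses and hashes are placeholders.
SAMPLE_CONFIG = """\
hostname edge-sw1
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc-backup privilege 15 password 7 0822455D0A16
enable password 7 094F471A1A0A
no logging console
no logging buffered
snmp-server community public RO
interface Loopback0
 ip address 10.255.0.7 255.255.255.255
app-hosting appid guestshell
line vty 0 4
 transport input ssh
"""

# (finding id, regex over the whole config or None for the Smart Install heuristic, reason)
CHECKS = [
    ("smart-install-enabled", None, "no 'no vstack' line; Smart Install may be enabled"),
    ("weak-password-type", re.compile(r"^(username \S+ .*|enable )password (0|7) ", re.M),
     "type 0/7 passwords are recoverable from a leaked config"),
    ("logging-disabled", re.compile(r"^no logging (console|buffered|monitor|trap)", re.M),
     "logging disabled, which hinders forensic analysis"),
    ("plaintext-snmp-community", re.compile(r"^snmp-server community \S+", re.M),
     "SNMP community in config; capturable on the wire with SNMPv1/v2c"),
    ("guestshell-present", re.compile(r"^app-hosting appid guestshell", re.M),
     "Guest Shell configured; confirm it is approved"),
]

def audit_config(text):
    """Return a sorted list of (finding_id, reason) for a config excerpt."""
    findings = []
    for fid, rx, reason in CHECKS:
        if rx is None:
            if not re.search(r"^no vstack", text, re.M):
                findings.append((fid, reason))
        elif rx.search(text):
            findings.append((fid, reason))
    return sorted(findings)

# Lines added since the baseline that touch accounts, addressing, Guest Shell or logging.
WATCHED = re.compile(r"^(username |interface Loopback| ip address |app-hosting|no logging|logging )")

def config_drift(baseline, current):
    """Return watched lines present in current but absent from baseline, in config order."""
    base = set(baseline.splitlines())
    return [ln for ln in current.splitlines() if ln not in base and WATCHED.match(ln)]
```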
