InfoSecBulletin Cybersecurity for mankind
Cisco Talos reported that Salt Typhoon, also known as FamousSparrow and GhostEmperor, has been spying on U.S. telecommunication providers using a custom tool called JumbledPath. Active since at least 2019, they have targeted government entities and telecom companies.
Salt Typhoon is still targeting telecommunications providers worldwide, and according to a report recently published by Recorded Future’s Insikt Group, the threat actors has breached more U.S. telecommunications providers by exploiting unpatched Cisco IOS XE network devices.
Cisco confirmed that the Chinese threat group Salt Typhoon accessed systems by exploiting a known security flaw (CVE-2018-0171) and using stolen login credentials in a targeted campaign against major U.S. telecommunications companies.
“The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years,” Cisco Talos said, describing the hackers as highly sophisticated and well-funded.
Insikt researchers reported that ongoing attacks have compromised several telecom networks, including U.S. and Italian ISPs, a U.K.-affiliated U.S. telecom, and providers in South Africa and Thailand.
“Using internet scanning data, Insikt Group identified more than 12,000 Cisco network devices with their web UIs exposed to the internet.” reads the report published by Insikt. “Although over 1,000 Cisco devices were targeted, Insikt Group assesses that this activity was likely focussed, given that this number only represents 8% of the exposed devices and that RedMike engaged in periodic reconnaissance activity, selecting devices linked to telecommunications providers.”
“Researchers found that a group named Salt Typhoon accessed major U.S. telecom companies for over three years, primarily using stolen login information.”
Cisco reports that the APT group only exploited one vulnerability, CVE-2018-0171, which affects the Smart Install feature of Cisco IOS and IOS XE Software. This flaw allows an unauthenticated remote attacker to either reboot the device or execute arbitrary code.
“No new Cisco vulnerabilities were discovered during this campaign. While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims.” reads the report published by Cisco Talos.” Note that each of these CVEs have security fixes available. Threat actors regularly use publicly available malicious tooling to exploit these vulnerabilities, making patching of these vulnerabilities imperative.”
Cisco reported that Salt Typhoon used stolen credentials and intercepted network traffic to gather more credentials for further access. However, it remains unclear how they obtained the initial credentials.
The group extracted device configurations using TFTP/FTP, revealing weakly encrypted passwords, SNMP credentials, and network information for further investigation. The threat actors relied on machine-to-machine pivoting to perform lateral movement inside the telecom networks.
“The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom. We believe that the device associated with the initial telecom was merely used as a hop point and not the intended final target in several instances.” continues the report. “Some of these hop points were also used as a first hop for outbound data exfiltration operations. Much of this pivoting included the use of network equipment from a variety of different manufacturers.”
The attackers changed network settings, allowed command execution, adjusted access controls, and created hidden accounts.
Salt Typhoon used the JumbledPath tool to remotely capture packets via jump-hosts, clear logs, and exfiltrate encrypted data. To read full report click here.
