Ethical Hacking News
Cisco has confirmed that a Chinese threat actor known as Salt Typhoon likely gained access by abusing a known security flaw tracked as CVE-2018-0171 and by obtaining legitimate victim login credentials, as part of a targeted campaign aimed at major U.S. telecommunications companies. The threat actor demonstrated the ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years.
The Salt Typhoon group has been observed capturing SNMP, TACACS, and RADIUS traffic, as well as utilizing bespoke utilities to execute packet captures and clear logs. This campaign highlights the growing concern of state-sponsored hackers targeting major U.S. telecommunications networks. The use of legitimate credentials, exploiting known security flaws, and leveraging living-off-the-land techniques on network devices made them a formidable threat.
Cisco has confirmed that the Salt Typhoon threat actor has been exploiting CVE-2018-0171 to gain unauthorized access to major U.S. telecommunications networks. The group used tactics such as exploiting known security flaws, obtaining legitimate victim login credentials, and leveraging living-off-the-land (LOTL) techniques on network devices. They demonstrated persistence in environments for extended periods, with one instance lasting over three years. The threat actor used valid, stolen credentials to gain initial access and made efforts to obtain additional credential details. Cisco also identified "additional pervasive targeting" of Cisco devices with exposed Smart Install (SMI). The group's tactics demonstrate a high degree of coordination, planning, and patience, consistent with APTs and state-sponsored actors.
Cisco has recently confirmed that a sophisticated Chinese threat actor, known as Salt Typhoon, has been exploiting a known security vulnerability (CVE-2018-0171) to gain unauthorized access to major U.S. telecommunications networks. The start date of the campaign has not been disclosed, but the activity demonstrates the sophistication and resourcefulness of state-sponsored hackers.
According to Cisco Talos, the threat actor used a combination of tactics, including exploiting known security flaws, obtaining legitimate victim login credentials, and leveraging living-off-the-land (LOTL) techniques on network devices. The Salt Typhoon group has also been observed capturing SNMP, TACACS, and RADIUS traffic, as well as utilizing bespoke utilities to execute packet captures and clear logs.
Exploitation of CVE-2018-0171, a vulnerability that had been publicly known for years, allowed the threat actor to gain initial access to target environments. The Salt Typhoon group then demonstrated the ability to persist in these environments across equipment from multiple vendors for extended periods, with one instance lasting over three years. Such prolonged persistence is a hallmark of advanced persistent threats (APTs) and state-sponsored actors.
Furthermore, Cisco Talos noted that the Salt Typhoon group used valid, stolen credentials to gain initial access, although the manner in which they were acquired remains unknown at this stage. The threat actor also made efforts to obtain additional credential details via network device configurations and deciphering local accounts with weak password types.
In addition to these tactics, Cisco identified "additional pervasive targeting" of Cisco devices with exposed Smart Install (SMI), followed by the exploitation of CVE-2018-0171. This activity is unrelated to Salt Typhoon and shares no overlap with any known threat actor or group.
The use of legitimate credentials and the exploitation of known security flaws allowed the Salt Typhoon group to maintain access in these environments for extended periods, making them a formidable threat. The group's sophisticated tactics and ability to persist in these environments demonstrate a high degree of coordination, planning, and patience, consistent with APTs and state-sponsored actors.
Cisco also identified that the Salt Typhoon group has been spotted altering network configurations to create local accounts, enable Guest Shell access, and facilitate remote access via SSH. Additionally, they used a bespoke utility named JumbledPath to execute a packet capture on a remote Cisco device through an actor-defined jump-host. This Go-based ELF binary is also capable of clearing logs and disabling logging in an attempt to obfuscate traces of the malicious activity and make forensic analysis more difficult.
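As an added illustration (not code from the article or from Cisco Talos), the following Python script audits a Cisco IOS running-config against a known-good baseline for the signals described in the preceding paragraphs: local accounts stored with weak password types, Smart Install left enabled (the CVE-2018-0171 surface, which Cisco's advisory says to disable with `no vstack`), and configuration drift that adds local accounts, enables IOx (the prerequisite for Guest Shell), or changes vty transport. The hostnames, account names and config text are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample configs (not from the article or any real device): a known-good
# baseline and the current running-config later pulled from the same switch.
BASELINE = """\
hostname access-sw-01
no vstack
username admin privilege 15 secret 9 $9$PLACEHOLDERHASH
line vty 0 4
 transport input none
"""
CURRENT = """\
hostname access-sw-01
username admin privilege 15 secret 9 $9$PLACEHOLDERHASH
username svc-backup privilege 15 password 7 0822455D0A16
username tmp-ops privilege 15 password 0 Summer2024!
iox
line vty 0 4
 transport input ssh
"""

# IOS password types: 0 is plaintext, 7 is trivially reversible, 5 (MD5) is legacy;
# types 8 and 9 are the current recommendation and are not flagged.
WEAK_PASSWORD_TYPES = {"0": "plaintext", "7": "reversible", "5": "MD5 (legacy)"}
# Config lines whose appearance since the baseline matches the described tradecraft.
WATCH_PATTERNS = {
    "new_local_account": re.compile(r"^username (\S+)"),
    "guest_shell_prereq": re.compile(r"^iox$"),
    "remote_access_change": re.compile(r"^\s*transport input"),
}

def audit_config(baseline: str, current: str) -> Dict[str, List[str]]:
    """Flag weak local credentials, exposed Smart Install and suspicious config drift."""
    base_lines = set(baseline.splitlines())
    cur_lines = current.splitlines()
    findings: Dict[str, List[str]] = {k: [] for k in ("weak_local_account", "smart_install", *WATCH_PATTERNS)}
    for line in cur_lines:
        m = re.match(r"^username (\S+).*?(?:password|secret) (\d) ", line)
        if m and m.group(2) in WEAK_PASSWORD_TYPES:
            findings["weak_local_account"].append(f"{m.group(1)} uses type {m.group(2)} ({WEAK_PASSWORD_TYPES[m.group(2)]})")
        if line in base_lines:
            continue  # unchanged since baseline, no drift to report
        for name, pat in WATCH_PATTERNS.items():
            if pat.search(line):
                findings[name].append(line.strip())
    # Cisco's documented mitigation for CVE-2018-0171 exposure is 'no vstack' in global config.
    if "no vstack" not in cur_lines:
        findings["smart_install"].append("'no vstack' missing: Smart Install client may be reachable")
    return findings

if __name__ == "__main__":
    for category, items in audit_config(BASELINE, CURRENT).items():
        for item in items:
            print(f"[{category}] {item}")
```

Running the same check on every device's nightly config backup turns the "altered configuration" indicators from this campaign into a routine drift alert rather than a post-incident discovery.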
In conclusion, Cisco's confirmation highlights the growing concern over state-sponsored hackers targeting major U.S. telecommunications networks. The use of legitimate credentials, the exploitation of known security flaws, and living-off-the-land techniques on network devices made Salt Typhoon a formidable threat, and the group's ability to persist in these environments demonstrates a high degree of coordination, planning, and patience, consistent with APTs and state-sponsored actors.
Related Information:
https://thehackernews.com/2025/02/cisco-confirms-salt-typhoon-exploited.html
https://nvd.nist.gov/vuln/detail/CVE-2018-0171
https://www.cvedetails.com/cve/CVE-2018-0171/
Published: Fri Feb 21 02:37:29 2025 by llama3.2 3B Q4_K_M