Cisco has confirmed that a sophisticated threat actor from China, known as Salt Typhoon, was able to gain unauthorized access to major U.S. telecommunications companies by exploiting a known security vulnerability, tracked as CVE-2018-0171, and by obtaining legitimate login credentials.
According to Cisco Talos, the threat actor demonstrated a high level of sophistication and funding, and was able to maintain access to target environments for extended periods, with one instance lasting over three years. The hackers were able to persist across equipment from multiple vendors, showcasing their advanced capabilities.
The campaign’s long duration suggests a high degree of coordination, planning, and patience, which are hallmarks of advanced persistent threat (APT) actors and state-sponsored groups.
Cisco found no evidence that other known security bugs were exploited by the hacking crew, contradicting a recent report from Recorded Future that revealed exploitation attempts involving flaws tracked as CVE-2023-20198 and CVE-2023-20273.
The threat actor used valid, stolen credentials to gain initial access, although how those credentials were obtained is currently unknown. They also attempted to capture network device configurations and to decipher the credentials of local accounts that used weak passwords.
Additionally, the threat actor was observed capturing SNMP, TACACS, and RADIUS traffic, including secret keys used between network devices and TACACS/RADIUS servers, likely to enumerate additional credential details for future use.
Salt Typhoon also employed living-off-the-land (LOTL) techniques on network devices, using trusted infrastructure as pivot points to jump from one telecom to another.
The devices are believed to have been used as intermediate relays to reach the intended final target, or as a first hop for outbound data exfiltration, allowing the adversary to remain undetected for extended periods.
Salt Typhoon altered network configurations to create local accounts, enable Guest Shell access, and facilitate remote access via SSH. They also used a custom utility named JumbledPath to execute packet capture on a remote Cisco device through an actor-defined jump-host.
The JumbledPath utility can clear logs and disable logging, making forensic analysis more difficult. The threat actor also periodically erases relevant logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable.
Salt Typhoon was also observed modifying the address of the loopback interface on a compromised switch and using that interface as the source of SSH connections to additional devices within the target environment, effectively bypassing access control lists (ACLs) in place on those devices.
Cisco noted that the use of JumbledPath would help obfuscate the original source and ultimate destination of the request, allowing the operator to move through potentially non-publicly-reachable devices or infrastructure.
The company also identified pervasive targeting of Cisco devices with exposed Smart Install (SMI), followed by exploitation of CVE-2018-0171, although this activity is unrelated to Salt Typhoon and does not overlap with any known threat actor or group.
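The configuration changes described above (new local accounts, Guest Shell enablement, SSH sourced from a re-addressed loopback, removed logging, Smart Install left enabled) are all visible as drift between a known-good configuration and the running one. The following config-drift audit is an added example, not Cisco's or Talos' code; the two configs are constructed samples and the Cisco IOS/IOS-XE command syntax in the patterns (`username`, `ip ssh source-interface`, `iox`, `no vstack`, `logging host`) is an assumption to tune for your platform.

```python
import re
# Constructed samples: a known-good baseline and a running config pulled later.
BASELINE = """\
username netops privilege 15 secret 9 $9$baselinehash
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
logging host 10.10.10.5
no vstack
"""
CURRENT = """\
username netops privilege 15 secret 9 $9$baselinehash
username svc_backup privilege 15 secret 9 $9$newhash
interface Loopback0
 ip address 10.255.0.9 255.255.255.255
ip ssh source-interface Loopback0
iox
"""

# Patterns follow the behaviours Talos describes; the command syntax is representative
# Cisco IOS/IOS-XE and is an assumption to tune per platform and release.
ADDED = [  # suspicious when a line appears that the baseline lacked
    ("local account added or changed", re.compile(r"^username \S+")),
    ("loopback address changed", re.compile(r"^interface Loopback\d+ / ip address ")),
    ("SSH sourced from loopback", re.compile(r"^ip ssh source-interface Loopback")),
    ("IOx enabled (prerequisite for Guest Shell)", re.compile(r"^iox$")),
]
REMOVED = [  # suspicious when a hardening line present in the baseline disappears
    ("syslog destination removed", re.compile(r"^logging host ")),
    ("Smart Install client re-enabled", re.compile(r"^no vstack$")),
]

def normalise(config):
    """Flatten a config into 'parent / child' lines so nested commands keep context."""
    lines, parent = set(), None
    for raw in config.splitlines():
        if raw.startswith(" "):        # indented: belongs to the previous top-level command
            lines.add(f"{parent} / {raw.strip()}")
        elif raw.strip():
            parent = raw.strip()
            lines.add(parent)
    return lines

def audit(baseline, current):
    """Return sorted (indicator, config line) pairs for the drift between two configs."""
    base, now = normalise(baseline), normalise(current)
    hits = [(lbl, ln) for ln in now - base for lbl, pat in ADDED if pat.search(ln)]
    hits += [(lbl, ln) for ln in base - now for lbl, pat in REMOVED if pat.search(ln)]
    return sorted(hits)

for label, line in audit(BASELINE, CURRENT):
    print(f"[{label}] {line}")
```

Run it against configs archived on a schedule (or pulled from a config-management system) so that a change made from a device's own console, where no central log would record it, still surfaces.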