Cisco has confirmed that a Chinese threat actor known as Salt Typhoon gained access by likely abusing a known security flaw tracked as CVE-2018-0171, and by obtaining legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies.
“The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years,” Cisco Talos said, describing the hackers as highly sophisticated and well-funded.
“The long timeline of this campaign suggests a high degree of coordination, planning, and patience — standard hallmarks of advanced persistent threat (APT) and state-sponsored actors.”
The networking equipment major said it found no evidence that other known security bugs have been weaponized by the hacking crew, contrary to a recent report from Recorded Future that revealed exploitation attempts involving flaws tracked as CVE-2023-20198 and CVE-2023-20273 to infiltrate networks.
An important aspect of the campaign is the use of valid, stolen credentials to gain initial access, although the manner in which they are acquired is unknown at this stage. The threat actor has also been observed making efforts to get hold of credentials via network device configurations and deciphering local accounts with weak password types.
“In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers,” Talos noted. “The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.”
Another noteworthy behavior exhibited by Salt Typhoon entails leveraging living-off-the-land (LOTL) techniques on network devices, abusing the trusted infrastructure as pivot points to jump from one telecom to another.
It’s suspected that these devices are being used as intermediate relays to reach the intended final target or as a first hop for outbound data exfiltration operations, as it offers a way for the adversary to remain undetected for extended periods of time.
Furthermore, Salt Typhoon has been spotted altering network configurations to create local accounts, enable Guest Shell access, and facilitate remote access via SSH. Also put to use is a bespoke utility named JumbledPath that allows them to execute a packet capture on a remote Cisco device through an actor-defined jump-host.
The Go-based ELF binary is also capable of clearing logs and disabling logging in an attempt to obfuscate traces of the malicious activity and make forensic analysis more difficult. This is supplemented by periodic steps undertaken to erase relevant logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable.
“The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure,” Cisco noted.
“The threat actor repeatedly modified the address of the loopback interface on a compromised switch and used that interface as the source of SSH connections to additional devices within the target environment, allowing them to effectively bypass access control lists (ACLs) in place on those devices.”
The company said it also identified “additional pervasive targeting” of Cisco devices with exposed Smart Install (SMI), followed by the exploitation of CVE-2018-0171. The activity, it pointed out, is unrelated to Salt Typhoon and does not share overlaps with any known threat actor or group.