Cisco: Salt Typhoon used new custom malware in telecom attacks


Dive Brief:

  • In research published Thursday on Salt Typhoon’s hacking campaign against telecom carriers, Cisco Talos said the Chinese state-sponsored threat group had gained access to Cisco devices through compromised login credentials and that no new vulnerabilities were discovered during investigation.

  • Researchers found evidence that in one case, Salt Typhoon exploited an older Cisco vulnerability, CVE-2018-0171. However, they found no evidence that other Cisco flaws were used in the attacks.

  • Cisco Talos discovered a new custom-built malware, which it calls “JumbledPath,” that allows attackers to create a chain of remote connections between targeted Cisco devices and Salt Typhoon-controlled jump hosts.

Dive Insight:

Cisco Talos warned that organizations beyond the targeted telecom providers are also at risk of Salt Typhoon attacks. The blog post detailed how the state-sponsored threat actors frequently pivoted between devices and systems using tools like JumbledPath. In one attack, Salt Typhoon pivoted from a compromised device inside one telecom company, used merely as a “hop point,” to a targeted device in another telecom company.

“It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders,” the blog post said.

Cisco Talos’ research follows a report last week from Recorded Future’s Insikt Group, which said it uncovered additional attacks on telecom providers in December-January. In those attacks, Insikt Group researchers said Salt Typhoon exploited two known Cisco vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to gain access to unpatched devices inside the networks of five telecom companies.

However, Cisco Talos said it found no evidence to confirm those findings. Researchers said they discovered a single incident in which Salt Typhoon exploited CVE-2018-0171, a vulnerability in the Smart Install (SMI) feature of Cisco IOS and Cisco IOS XE software. “In all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials,” the blog post said.

It’s unclear how Salt Typhoon obtained the Cisco credentials.

A Cisco spokesperson provided this statement to Cybersecurity Dive: “On February 20, Cisco Talos published a blog about the threat actor Salt Typhoon’s campaign, based on Cisco’s investigation while assisting law enforcement and victims of the attacks. To help customers protect themselves, the blog includes actionable recommendations and resources to detect and prevent against detected Salt Typhoon activities,” the statement said. “Our findings do not cover the entirety of the Salt Typhoon campaign or all affected infrastructure, as these go beyond the scope of Cisco’s engagement and technology. As always, we strongly advise customers to patch known vulnerabilities and follow industry best practices for securing management protocols.”

Defending Against Salt Typhoon

Cisco Talos researchers also found “additional pervasive targeting” of Cisco devices vulnerable to CVE-2018-0171 with exposed SMI. The researchers couldn’t attribute the activity to a specific threat actor but said it appears to be unrelated to Salt Typhoon.

The blog post included guidance to defend against Salt Typhoon attacks, including Cisco-specific countermeasures: disabling the Smart Install service with the “no vstack” command; disabling Telnet; disabling guest shell access where it is not required; using type 8 (PBKDF2-based, non-reversible) passwords for local account credentials; and always disabling the underlying unencrypted web server on Cisco devices.
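The five countermeasures above are all visible in a device's running-config, so they can be checked mechanically. The script below is an added example, not Cisco Talos tooling: it audits a constructed IOS/IOS XE running-config (not a real capture) for each weak setting and lists the corrective command, and a hardened version of the same config is included to show what a clean result looks like. Assumptions: the Smart Install check treats the absence of `no vstack` as "SMI enabled", which is only correct on releases where the SMI client is on by default and leaves no line in the running-config; the `$8$` hashes in the hardened config are placeholders, and type 9 (scrypt) secrets are accepted as equally non-reversible.

```python
"""Audit a Cisco IOS/IOS XE running-config for the management weaknesses
Cisco Talos called out in its Salt Typhoon guidance. Added example; the
configs below are constructed, not captured from a real device."""
import re

# Constructed sample of a weakly configured device.
WEAK_CONFIG = """\
hostname edge-rtr-01
!
username admin password 7 0822455D0A16
username netops secret 5 $1$abcd$XXXXXXXXXXXXXXXXXXXXXX
enable secret 5 $1$efgh$YYYYYYYYYYYYYYYYYYYYYY
!
iox
app-hosting appid guestshell
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input telnet ssh
 login local
!
end
"""

# Same device after applying the Talos countermeasures ($8$ hashes are placeholders;
# 'username <u> algorithm-type sha256 secret <pw>' produces a type 8 entry).
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no vstack
!
username admin secret 8 $8$placeholdersalt$placeholderhash
username netops secret 8 $8$placeholdersalt$placeholderhash
enable secret 8 $8$placeholdersalt$placeholderhash
!
no ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
 login local
!
end
"""

STRONG_SECRET_TYPES = {"8", "9"}  # type 8 = PBKDF2-SHA256, type 9 = scrypt

# username <u> [privilege N] (password|secret) [type] <value>   /   enable (password|secret) [type] <value>
_CRED = re.compile(
    r"^(?:username\s+\S+\s+(?:privilege\s+\d+\s+)?|enable\s+)(password|secret)\s+(?:(\d+)\s+)?\S+"
)


def _vty_blocks(lines):
    """Yield the indented sub-lines of each 'line vty ...' section."""
    block, in_vty = [], False
    for line in lines:
        if line.startswith("line vty"):
            if in_vty:
                yield block
            block, in_vty = [], True
        elif in_vty and line.startswith(" "):
            block.append(line.strip())
        elif in_vty:  # section ended ('!' or a new top-level command)
            yield block
            block, in_vty = [], False
    if in_vty:
        yield block


def audit_config(config: str) -> list[dict]:
    """Return one finding per weak setting: {'check', 'evidence', 'fix'}."""
    lines = config.splitlines()
    findings = []

    def add(check, evidence, fix):
        findings.append({"check": check, "evidence": evidence, "fix": fix})

    # 1. Smart Install (the CVE-2018-0171 attack surface). Assumption: SMI client is on by
    #    default and invisible in the running-config, so only 'no vstack' proves it is off.
    if not any(l.strip() == "no vstack" for l in lines):
        add("smart_install", "'no vstack' absent (SMI presumed enabled)", "no vstack")

    # 2. Telnet on the vty lines, or no explicit transport restriction at all.
    for blk in _vty_blocks(lines):
        transports = [l for l in blk if l.startswith("transport input")]
        if not transports:
            add("telnet", "vty has no 'transport input' restriction", "transport input ssh")
        for l in transports:
            if {"telnet", "all"} & set(l.split()[2:]):
                add("telnet", l, "transport input ssh")

    # 3. Guest shell (and the IOx framework it runs on).
    for l in lines:
        if l.strip() == "iox" or l.startswith("app-hosting appid guestshell"):
            add("guestshell", l.strip(), "guestshell destroy (exec), then 'no iox' if not required")

    # 4. Reversible or weakly hashed local credentials.
    for l in lines:
        m = _CRED.match(l)
        if m and (m.group(1) == "password" or m.group(2) not in STRONG_SECRET_TYPES):
            add("credential_type", l, "re-enter with 'algorithm-type sha256 secret' (stored as type 8)")

    # 5. Unencrypted web server.
    for l in lines:
        if l.strip() == "ip http server":
            add("http", l.strip(), "no ip http server")

    return findings


if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print(f"[{f['check']}] {f['evidence']}  ->  {f['fix']}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run it against `show running-config` output saved to a file; an empty result for the hardened config is the check that matters. The Smart Install test is deliberately pessimistic: on a platform where `show vstack config` reports the client disabled without `no vstack` in the config, treat that finding as a false positive rather than relaxing the check.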

Editor’s note: This story has been updated to include comments provided by Cisco.



Source link