Salt Typhoon Hackers Exploit Cisco Vulnerability To Gain Access To U.S. Telecom Networks


Cisco Talos has uncovered a sophisticated cyberespionage campaign by the state-aligned “Salt Typhoon” group targeting U.S. telecommunications infrastructure since late 2024.

While credential theft remains their primary entry method, researchers confirmed exploitation of Cisco’s CVE-2018-0171 Smart Install Remote Code Execution vulnerability in at least one breach.

The attackers maintained persistent access for over three years in some networks, employing advanced living-off-the-land (LOTL) techniques across multi-vendor environments.

The campaign leverages stolen credentials and network device misconfigurations to pivot between telecom operators’ systems.

Attackers exfiltrated configurations containing weakly encrypted SNMP community strings and local account credentials, enabling lateral movement through GRE tunnels and modified loopback interfaces.

Cisco’s analysis revealed strategic use of network appliances as stealthy hop points for data exfiltration, with some intrusions targeting secondary telecoms solely to reach primary objectives.

Operational Infrastructure: JumbledPath Utility and Packet Capture Obfuscation

A custom tool named JumbledPath exemplifies Salt Typhoon’s technical sophistication. This Golang-based ELF binary creates encrypted packet capture chains through compromised Cisco Nexus devices’ Guest Shell environments.

The utility executes remote tcpdump sessions via SSH jump-hosts while systematically clearing logs.

```bash
/usr/bin/sshd -p 57722                  # SSH daemon on high port for persistence
tpacap -i eth0 -w /tmp/capture.pcap     # Cisco IOS XR packet capture
rm -f /var/log/auth.log /var/log/btmp   # Log deletion
```

JumbledPath operational workflow showing encrypted exfiltration through multiple network hops (Source – Cisco)

The attackers combined JumbledPath with configuration modifications that bypass security controls:

  • Altering TACACS+ server IP addresses to intercept authentication traffic
  • Creating GRE tunnels between compromised devices for stealthy data transfer
  • Adding entries to SSH authorized_keys files for backdoor access
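Every change in that list leaves a trace in the device's running configuration, so the practical detection is a comparison against the last known-good config held in configuration management. The script below is an added example, not code from Cisco's report: it parses two IOS-style configs into top-level commands and indented stanzas, then reports only the differences an intruder would introduce (a rewritten TACACS+/RADIUS server address, a new GRE tunnel, a changed loopback address, an added local account). Both configs are constructed samples; the hostname, server names, addresses and hash strings are placeholders.

```python
"""Baseline-vs-running config comparison (added example, not Cisco's code).
Flags redirected AAA servers, new GRE tunnels, changed loopbacks and
added local accounts.  Both configs are CONSTRUCTED IOS-style samples."""
from typing import Dict, List, Set, Tuple

# Stanza headers whose child lines are diffed line by line.
WATCHED_STANZAS = ("tacacs server ", "radius server ", "interface Loopback",
                   "interface Tunnel", "line vty", "ip access-list ")
# Top-level commands an intruder typically adds or rewrites.
WATCHED_TOP = ("tacacs-server host ", "radius-server host ", "username ",
               "snmp-server community ", "ip ssh ", "enable secret")
# Headers that open an indented block in IOS syntax.
STANZA_OPENERS = ("interface ", "tacacs server ", "radius server ", "line ",
                  "ip access-list ", "router ")


def parse_ios_config(text: str) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Split an IOS-style config into top-level commands and indented stanzas."""
    top: Set[str] = set()
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                  # '!' and blank lines close a stanza
            continue
        if raw[0].isspace():
            if current is not None:         # child line of the open stanza
                stanzas[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(STANZA_OPENERS):
            current = line
            stanzas.setdefault(current, [])
        else:
            current = None
            top.add(line)
    return top, stanzas


def compare_configs(baseline: str, running: str) -> List[str]:
    """Return findings for differences in the watched commands and stanzas only."""
    b_top, b_st = parse_ios_config(baseline)
    r_top, r_st = parse_ios_config(running)
    findings: List[str] = []
    for line in sorted(r_top - b_top):
        if line.startswith(WATCHED_TOP):
            findings.append(f"added global command: {line}")
    for line in sorted(b_top - r_top):
        if line.startswith(WATCHED_TOP):
            findings.append(f"removed global command: {line}")
    for name in sorted(set(b_st) | set(r_st)):
        if not name.startswith(WATCHED_STANZAS):
            continue
        if name not in b_st:
            gre = any(c.startswith("tunnel mode gre") for c in r_st[name])
            findings.append(f"new stanza: {name}" + (" (GRE tunnel)" if gre else ""))
        elif name not in r_st:
            findings.append(f"removed stanza: {name}")
        else:
            before, after = set(b_st[name]), set(r_st[name])
            for child in sorted(before - after):
                findings.append(f"{name}: removed '{child}'")
            for child in sorted(after - before):
                findings.append(f"{name}: added '{child}'")
    return findings


# Constructed "golden" config as stored in configuration management.
BASELINE_CONFIG = """\
hostname pe-edge-01
!
aaa new-model
tacacs server ISE-PRIMARY
 address ipv4 10.20.0.5
 key 7 0822455D0A16
!
username netops privilege 15 secret 9 $9$CONSTRUCTEDSAMPLE$notARealScryptHash
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
line vty 0 4
 transport input ssh
!
"""

# Constructed running config after the kind of tampering described above.
RUNNING_CONFIG = """\
hostname pe-edge-01
!
aaa new-model
tacacs server ISE-PRIMARY
 address ipv4 198.51.100.77
 key 7 0822455D0A16
!
username netops privilege 15 secret 9 $9$CONSTRUCTEDSAMPLE$notARealScryptHash
username svc-backup privilege 15 secret 5 $1$CONSTRUCTED$notARealMd5CryptHash
!
interface Loopback0
 ip address 10.255.0.254 255.255.255.255
!
interface Tunnel100
 ip address 172.16.99.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 203.0.113.45
 tunnel mode gre ip
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for finding in compare_configs(BASELINE_CONFIG, RUNNING_CONFIG):
        print(finding)
```

Run against the two samples it reports six findings: the added `svc-backup` account, the loopback address change (old line removed, new line added), the new `Tunnel100` stanza tagged as a GRE tunnel, and the rewritten TACACS+ server address. Feeding it the same config twice yields nothing, which is the property a scheduled job needs so that only deviations from the baseline page anyone.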

Cisco’s forensic teams observed offline cracking of weak Type 4 (unsalted single SHA-256) and Type 5 (MD5-crypt) hashes recovered from exfiltrated configurations, emphasizing the need for Type 8 (PBKDF2-HMAC-SHA-256) secrets.
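The credential material in an exfiltrated configuration is only as strong as its storage type, and the type digit on each line tells an attacker (or an auditor) exactly how much work recovery takes. The audit script below is an added example, not Cisco's code: it classifies every `username`, `enable` and `snmp-server community` credential in a config by type, recovers Type 7 values on the spot to show that they are reversible rather than hashed, and generates Type 8 replacements. The Type 7 XOR key is Cisco's published one, and the Type 8 parameters (PBKDF2-HMAC-SHA-256, 20,000 iterations, 14-character salt) are Cisco's documented values; the base64 alphabet mapping used for the `$8$` hash field follows common reimplementations and is the one assumption made. The sample config is constructed and its Type 4/5 values are placeholders, not real hashes.

```python
"""Credential-type audit for a Cisco IOS config (added example, not Cisco's
code).  Classifies each stored secret, decodes Type 7 to prove it is
reversible, and emits Type 8 replacements.  The sample config is CONSTRUCTED."""
import base64
import hashlib
import re
import secrets
from typing import List, Optional, Tuple

# Fixed XOR key behind Type 7 "encryption"; the two leading digits of a
# Type 7 string give the starting offset into this key.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# crypt(3)-style alphabet used in $8$ strings instead of standard base64's
# (assumption: mapping as used by common reimplementations of the format).
_STD64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_ITOA64 = str.maketrans(_STD64, _ITOA64)

VERDICT = {
    "0": "plaintext",
    "7": "reversible (XOR with a fixed key)",
    "4": "weak (unsalted single SHA-256, deprecated)",
    "5": "weak (MD5-crypt, fast to brute-force offline)",
    "8": "ok (PBKDF2-HMAC-SHA-256)",
    "9": "ok (scrypt)",
}

# Matches 'username X [privilege N] secret|password T VALUE' and 'enable secret|password T VALUE'.
CRED_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?|enable)"
    r"\s+(?:secret|password)\s+(?P<type>\d)\s+(?P<val>\S+)"
)


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: two-digit offset, then hex bytes XORed with the key."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def type8_hash(password: str, salt: Optional[str] = None) -> str:
    """Produce a $8$<salt>$<hash> string with Cisco's documented Type 8 parameters."""
    salt = salt or "".join(secrets.choice(_ITOA64) for _ in range(14))
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20000, 32)
    encoded = base64.b64encode(dk).decode().rstrip("=").translate(_TO_ITOA64)
    return f"$8${salt}${encoded}"


def type8_verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a $8$ string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "8":
        return False
    return secrets.compare_digest(type8_hash(password, parts[2]), stored)


def audit_config(text: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (subject, type digit, verdict, recovered plaintext or None) per credential."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = CRED_RE.match(line)
        if m:
            t, val = m.group("type"), m.group("val")
            plain = type7_decode(val) if t == "7" else (val if t == "0" else None)
            findings.append((m.group("user") or "enable", t, VERDICT.get(t, "unknown"), plain))
        elif line.startswith("snmp-server community "):
            # Community strings sit in the config in the clear and travel in the clear (v1/v2c).
            findings.append(("snmp-server community", "0", VERDICT["0"], line.split()[2]))
    return findings


# Constructed sample; the Type 4/5 values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
username admin privilege 15 password 7 060506324F41
username netops secret 5 $1$CONSTRUCTED$notARealMd5CryptHash
enable secret 4 CONSTRUCTEDnotARealType4HashValue0000000000
snmp-server community public RO
snmp-server community s3cr3t-rw RW
"""

if __name__ == "__main__":
    for subject, t, verdict, plain in audit_config(SAMPLE_CONFIG):
        recovered = f"  -> recovered: {plain!r}" if plain else ""
        print(f"{subject:24} type {t}: {verdict}{recovered}")
    # Replacement for the reversible admin credential, with a fresh random salt.
    print(f"username admin privilege 15 secret 8 {type8_hash('cisco')}")
```

The Type 7 line in the sample decodes to `cisco` with no key material beyond the published constant, which is why the SNMP strings and TACACS+ keys in an exfiltrated config are effectively plaintext to the intruder. On a real device the Type 8 secret is normally set with `algorithm-type sha256 secret <plaintext>` rather than by pasting a precomputed hash, but generating it offline as above is useful for scripted rotation across many devices after a compromise.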

Although CVE-2018-0171 was exploited in at least one case, most intrusions relied on unpatched legacy systems and credential mismanagement rather than zero-day vulnerabilities.

Network diagram showing Salt Typhoon’s infrastructure pivoting between telecom operators (Source – Cisco)

Mitigation requires immediate patching of CVE-2018-0171 and the related vulnerabilities (CVE-2023-20198, CVE-2024-20399), alongside thorough hardening of TACACS+/RADIUS implementations, including monitoring for changes to the configured server addresses.

Cisco stresses disabling non-essential services (Smart Install, Guest Shell) and using NETCONF and RESTCONF only over their encrypted transports (SSH and TLS) as critical safeguards against future LOTL-based attacks.

