Talos: Salt Typhoon Campaign Targeted Cisco Equipment, But Did Not Rely on Published Cisco Bugs

Feb 26, 2025

A new threat report from Talos provides more information about the workings of Salt Typhoon and their campaign to penetrate telephone companies and ISPs. Despite reports of exploitation of Cisco bugs, the researchers found that only one known published vulnerability was used in a compromise. For the most part, the Chinese hackers were able to obtain valid login credentials from somewhere.

Report provides new details on Salt Typhoon tactics, custom malware

Talos is not entirely sure how Salt Typhoon is obtaining all of the credentials it is using, but has observed some of its activity as it pertains to Cisco devices. One concrete detail from the report is the hacking group’s use of custom malware called “JumbledPath” to extract data from victims, which is designed for a variety of edge networking devices including Cisco Nexus switches.

Salt Typhoon also appears to be masterful at avoiding and deleting logs. That means detection is going to rely more on noticing the absence of normal logging or odd changes to configurations and files. For its own products, Cisco recommends disabling the Smart Install service, disabling any underlying web servers on devices that do not require web management, and disabling telnet on all Virtual Teletype (VTY) lines.

But the absolute first order of business is to address any unpatched edge devices. The lone Cisco bug that Salt Typhoon was observed exploiting has been documented and patched for seven years now. Though these vulnerabilities may not be key to this particular hacking campaign, all types of attackers are known to scan for and target them.

Older Cisco bugs require patching, but no evidence yet of Salt Typhoon exploitation

CVE-2018-0171 is the lone Cisco bug that Talos reports seeing Salt Typhoon exploit, and apparently successfully in only one instance. Third-party reporting had suggested the group is targeting CVE-2023-20198, CVE-2023-20273 and CVE-2024-20399 as well, but Talos says it sees no evidence of the group making successful use of any of those as of yet. The group does not appear to have discovered any new vulnerabilities in Cisco equipment.

As to how Salt Typhoon is seemingly having such great success in obtaining employee credentials, there are likely a lot of different tactics in use, and these have not been fully documented as of yet. But the Talos research finds the group is targeting network device configurations as one of its tactics, looking for passwords protected by weak encryption standards that can be taken offline for “brute force” cracking. SNMP, TACACS, and RADIUS traffic is also targeted with the intent of obtaining secret keys.
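A defensive check in the spirit of the hardening advice above (Cisco's recommendations on Smart Install, web servers and telnet on VTY lines, and the report's note that weakly protected passwords in device configurations are harvested for offline cracking): an added Python example, not code from Talos or Cisco, that audits an IOS-style running configuration for those settings. The sample configuration and the finding categories are constructed for illustration.

```python
import re

# Constructed sample IOS-style configuration (not from the Talos report);
# it deliberately mixes weak and hardened settings.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable password 7 0822455D0A16
username ops privilege 15 secret 5 $1$abcd$0123456789abcdefghijkl
username auto privilege 15 secret 9 $9$saltsaltsaltsa$hashhashhashhashhashhashhashhashhashhash
ip http server
no ip http secure-server
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Credential storage types that, once a config is exfiltrated, can be recovered
# offline quickly. Type 8 (PBKDF2-SHA256) and type 9 (scrypt) are the ones to keep.
WEAK_TYPES = {"0": "plaintext", "4": "unsalted SHA-256 (deprecated)",
              "5": "MD5 crypt", "7": "reversible Vigenere"}
CRED_RE = re.compile(r"^(?:enable|username\s+\S+(?:\s+privilege\s+\d+)?)"
                     r"\s+(?:password|secret)\s+(?:(\d)\s+)?\S+$")

def audit_config(text):
    """Return (line_no, category, message) tuples for the settings called out above."""
    findings, vty = [], None
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = CRED_RE.match(line)
        if m:
            ptype = m.group(1) or "0"  # no type digit means the secret is stored in the clear
            if ptype in WEAK_TYPES:
                findings.append((n, "weak-credential", f"type {ptype} ({WEAK_TYPES[ptype]}); use secret 8 or 9"))
        elif line in ("ip http server", "ip http secure-server"):
            findings.append((n, "web-management", f"'{line}' enabled; disable unless web management is required"))
        elif line.startswith("line vty"):
            vty = line
        elif line.startswith("line "):
            vty = None  # console/aux blocks are out of scope for the VTY check
        elif vty and line.startswith("transport input") and re.search(r"\b(telnet|all)\b", line):
            findings.append((n, "vty-telnet", f"{vty} accepts telnet; restrict to 'transport input ssh'"))
    # Smart Install is on by default on many IOS/IOS-XE platforms, so the absence
    # of an explicit 'no vstack' in the running config is itself the finding.
    if not any(l.strip() == "no vstack" for l in lines):
        findings.append((0, "smart-install", "'no vstack' missing; Smart Install may be enabled"))
    return findings

if __name__ == "__main__":
    for line_no, cat, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no:>2} [{cat}] {msg}")
```

Run against a real `show running-config` export, an empty result is the goal; each finding maps to one of the mitigations the report recommends.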

The full impact of the Salt Typhoon campaign is still being explored (and remediated), and the Talos report focuses specifically on activity involving Cisco devices. The Chinese hackers reportedly compromised devices from a number of other major manufacturers, though it remains to be seen if that was a case of exploiting known vulnerabilities or a similar focus on intercepting employee credentials.
