
Cisco Details ‘Salt Typhoon’ Network Hopping, Credential Theft Tactics – Source: www.securityweek.com


Source: www.securityweek.com – Author: Ryan Naraine

Researchers in Cisco’s threat intelligence unit say the Chinese state-sponsored hacking group Salt Typhoon successfully broke into US telco networks via old, unpatched vulnerabilities, stolen login credentials and basic ‘living-off-the-land’ (LOTL) tactics.

A fresh report from the Cisco Talos Intelligence Group provides official confirmation that in at least one incident Salt Typhoon exploited CVE-2018-0171, a remote code execution vulnerability in Cisco’s Smart Install feature. This flaw was patched in 2018, but unpatched legacy systems remain at risk.

While there have been reports of Salt Typhoon abusing other Cisco vulnerabilities, the Talos researchers say they have not yet found evidence confirming additional exploit activity.

“No new Cisco vulnerabilities were discovered during this campaign. While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims,” the company declared.

Still, the company is calling urgent attention to patches for multiple known security flaws that have been reported as exploited by Salt Typhoon, even where Talos itself has not confirmed the exploitation.

Salt Typhoon has compromised core network infrastructure across multiple telecom firms, using a mix of credential theft, LOTL tactics, and infrastructure pivoting to evade detection.

The new Cisco Talos documentation makes it clear that Salt Typhoon hackers primarily gained access to networking equipment using valid login credentials. 

While the exact method of obtaining these credentials remains unclear, the attackers were seen capturing network traffic to steal SNMP, TACACS, and RADIUS credentials. 

“In numerous instances, the threat actor exfiltrated device configurations, often over TFTP and/or FTP. These configurations often contained sensitive authentication material, such as SNMP Read/Write (R/W) community strings and local accounts with weak password encryption types in use. The weak encryption password type would allow an attacker to trivially decrypt the password itself offline,” Cisco Talos explained.
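The weak "encryption" Talos refers to is Cisco's type 7 password encoding, a fixed-key XOR that anyone holding the configuration can reverse offline. The script below is an added example, not Talos's tooling or anything from the original report: it decodes type 7 strings and audits an IOS-style configuration for the same material the attackers harvested (SNMP community strings, local accounts and AAA server keys stored with weak types). The sample configuration is constructed for the example, and the type 5 and type 9 hash values in it are placeholders rather than real hashes.

```python
"""Audit a Cisco IOS-style running config for authentication material
an attacker would harvest from an exfiltrated copy, and show why type 7
is a reversible encoding rather than encryption.  Added example; the
sample config at the bottom is constructed, not from a real device."""
import re

# Fixed XOR key behind Cisco type 7.  It is publicly documented, which is
# exactly why any type 7 string can be recovered offline in microseconds.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# What each Cisco password/secret type means for someone holding the config.
PASSWORD_TYPES = {
    "0": ("CRITICAL", "plaintext"),
    "7": ("CRITICAL", "reversible type 7 encoding, recoverable offline"),
    "4": ("HIGH", "unsalted SHA-256 (deprecated type 4)"),
    "5": ("MEDIUM", "salted MD5 (type 5), fast to brute-force offline"),
    "6": ("LOW", "AES type 6, key held on the device"),
    "8": ("LOW", "PBKDF2-SHA256 (type 8)"),
    "9": ("LOW", "scrypt (type 9)"),
}

_USER_RE = re.compile(r"^username\s+(\S+)\b.*?\b(password|secret)\s+(\d)\s+(\S+)")
_ENABLE_RE = re.compile(r"^enable\s+(password|secret)\s+(\d)\s+(\S+)")
_SNMP_RE = re.compile(
    r"^snmp-server\s+community\s+(\S+)(?:\s+view\s+\S+)?\s+(RO|RW)\b", re.I)
# tacacs-server/radius-server keys, or an indented "key" line in a server block.
_KEY_RE = re.compile(
    r"^(?:\s*(?:tacacs|radius)-server\b.*?\s|\s+)key\s+(?:(\d)\s+)?(\S+)\s*$")


def decode_type7(encoded: str) -> str:
    """First two decimal digits are an offset into the key; the rest is
    hex of plaintext XOR key bytes, so decoding is a single XOR pass."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(body)).decode("ascii")


def _finding(line_no: int, subject: str, ptype: str, value: str) -> dict:
    severity, note = PASSWORD_TYPES.get(ptype, ("INFO", f"type {ptype}"))
    finding = {"line": line_no, "subject": subject, "type": ptype,
               "severity": severity, "note": note}
    if ptype == "7":
        finding["recovered"] = decode_type7(value)   # attacker gets it for free
    elif ptype == "0":
        finding["recovered"] = value
    return finding


def audit_config(config: str) -> list:
    """Return one finding per credential or community string in the config."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if m := _SNMP_RE.match(line):
            community, mode = m.group(1), m.group(2).upper()
            findings.append({
                "line": n, "subject": f"snmp community {community!r}",
                "type": "snmp", "severity": "CRITICAL" if mode == "RW" else "HIGH",
                "note": f"{mode} community string stored in clear; " + (
                    "write access lets an attacker reconfigure the device"
                    if mode == "RW" else "read access exposes routing and ARP tables"),
                "recovered": community,
            })
        elif m := _USER_RE.match(line):
            findings.append(_finding(n, f"username {m.group(1)}", m.group(3), m.group(4)))
        elif m := _ENABLE_RE.match(line):
            findings.append(_finding(n, f"enable {m.group(1)}", m.group(2), m.group(3)))
        elif m := _KEY_RE.match(line):
            # A missing type digit means the key was entered in plaintext (type 0).
            findings.append(_finding(n, "aaa server key", m.group(1) or "0", m.group(2)))
    return findings


# Constructed sample config (hash values are placeholders, not real hashes).
SAMPLE_CONFIG = """\
! constructed sample, not a real device config
service password-encryption
hostname edge-rtr-1
enable secret 9 $9$placeholder$placeholderhash
enable password 7 02050D480809
username admin privilege 15 password 7 0822455D0A16
username netops secret 5 $1$abcd$placeholderhash
username backup password 0 Summer2024
snmp-server community public RO
snmp-server community private RW
tacacs-server key 7 02050D480809
radius-server host 10.0.0.5 key cleartextkey
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3} {f['severity']:<8} {f['subject']}: "
              f"{f['note']}" + (f" -> {f['recovered']!r}" if "recovered" in f else ""))
```

Note that `service password-encryption` only turns type 0 into type 7, so its presence in the sample changes nothing for an attacker; the fix is `secret` with type 8 or 9 for local accounts and `enable`, SNMPv3 with authPriv instead of community strings, and rotating every key the audit recovers, since a config that left the device over TFTP or FTP should be treated as fully disclosed.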


The research team also noted the extensive use of LOTL techniques, piggybacking on built-in networking features rather than deploying traditional malware. The attackers modified router configurations, altered authentication settings, and used guest shell environments on Cisco Nexus devices to execute commands stealthily. 

In multiple instances, the Cisco Talos team observed the hackers pivoting between compromised telecom networks, using one company’s infrastructure as a jumping point to attack another. 

“A significant part of this campaign is marked by the actor’s continued movement, or pivoting, through compromised infrastructure,” the research team explained. “This ‘machine to machine’ pivoting, or ‘jumping’ allows the threat actor to move within a trusted infrastructure set where network communications might not otherwise be permitted.”

“Additionally, connections from this type of infrastructure are less likely to be flagged as suspicious by network defenders, allowing the threat actor to remain undetected,” the team added.

“The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom,” Cisco Talos noted. 

It added, “We believe that the device associated with the initial telecom was merely used as a hop point and not the intended final target in several instances. Some of these hop points were also used as a first hop for outbound data exfiltration operations. Much of this pivoting included the use of network equipment from a variety of different manufacturers.”

While Salt Typhoon exploited vulnerabilities in Cisco devices, there is no evidence to suggest that Cisco’s own corporate infrastructure was compromised, the researchers said, stressing that the attacks were directed at devices operated by the targeted telecommunications companies. 

Related: Salt Typhoon Targeting Old Cisco Flaws in Fresh Telecom Hacks

Related: US Gov: Limit Phone Use After China ‘Salt Typhoon’ Hack

Related: China’s Salt Typhoon Hacked AT&T, Verizon 

Related: Cisco Warns of Many Old Vulnerabilities Being Exploited in Attacks

Related: US Details Chinese Attacks Against Telecoms Providers 

Original Post URL: https://www.securityweek.com/cisco-details-salt-typhoon-network-hopping-credential-theft-tactics/

Category & Tags: Nation-State, Vulnerabilities, China, Cisco, Cisco Talos, CVE-2018-0171, Salt Typhoon
