How Did Salt Typhoon Hackers Target Telecoms Using Cisco Devices?

Article Highlights
Off On

In a rapidly evolving digital landscape, cybersecurity remains at the forefront of concerns for businesses and governments alike. A recent report by Cisco Talos shed light on the sophisticated tactics employed by Salt Typhoon, a China-backed hacking group targeting telecommunications providers. This group successfully infiltrated telecom systems by leveraging compromised credentials on Cisco devices, managing to gain unauthorized access without exploiting any new vulnerabilities. However, their strategy did include at least one older vulnerability, identified as CVE-2018-0171, which they utilized to further their attacks. The investigation exposed the nuanced approach the hackers took and stressed the broad implications of their campaign.

Discovering Salt Typhoon’s Arsenal: JumbledPath Malware

One of the pivotal findings in the Cisco Talos investigation was the identification of a new, custom-built malware named “JumbledPath.” This clever piece of software enabled the hackers to create a chain of remote connections between the breached Cisco devices and attacker-controlled jump hosts. By leveraging these connections, Salt Typhoon could pivot through various networks, ultimately penetrating systems far beyond their original targets. The term “jump host” refers to a computer used to manage devices on separate security zones, acting as an intermediary. This method made detection considerably challenging and posed a significant threat.

By deploying JumbledPath, the hackers demonstrated their ability to maintain a multifaceted control map, which was integral to executing their attacks effectively. The chain of connections permitted them to obscure their trail, often leading cybersecurity efforts in the wrong direction. Telecommunication companies, which rely on seamless, secure networks, found themselves particularly vulnerable. The attackers’ proficiency in evading detection and their direct targeting of crucial networks underscored the gravity of the cybersecurity threat posed by the group.

Assessing the Wider Risk and Practical Countermeasures

The far-reaching implications of Salt Typhoon’s actions went beyond individual telecom providers. Cisco’s findings highlighted the risk faced by other organizations that might be leveraged as hop points, allowing attackers to infiltrate subsequent targets. The complexity of these attacks meant that defensive measures had to be equally sophisticated. Following the exploitation of a known vulnerability, CVE-2018-0171, the incident served as a sobering reminder of the importance of regular patching and stringent security protocols.

Cisco’s response included practical countermeasures to mitigate the threat posed by the hacker group. Among these are the disabling of specific services identified as vulnerable, bolstering password security through enhanced protocols, and revisiting overall network security measures. Effective defensive actions also emphasized the importance of monitoring network activity for unusual patterns, which could indicate an ongoing or impending attack. The focus was not merely on reactive steps but a proactive enhancement of security infrastructure to prevent such sophisticated intrusions.

Recorded Future’s Insikt Group Report and Cisco’s Clarification

Parallel to Cisco’s report, Recorded Future’s Insikt Group had earlier detailed attacks exploiting vulnerabilities CVE-2023-20198 and CVE-2023-20273. However, Cisco Talos stated they found no evidence to support the exact exploitation of these particular vulnerabilities in their investigation. The seeming inconsistency between these reports highlighted the complexities of cybersecurity analysis, where multiple perspectives and findings contribute to a more comprehensive understanding. This clarification directed the industry’s attention to the misuse of legitimate credentials as the more pressing initial access vector in Salt Typhoon’s campaign.

This divergence in findings also illustrated the dynamic nature of threat intelligence work, where continuous information sharing and reassessment are crucial. By concentrating on the aspect of compromised credentials, Cisco’s analysis shifted the focus to a critical vulnerability that could be more universally addressed through policy changes and security practices. This approach showed the importance of validating and cross-referencing threat intelligence to develop more accurate defense strategies against evolving cyber threats.

The Urgent Call for Heightened Security Measures

In today’s fast-changing digital world, cybersecurity remains a top priority for both businesses and governments. A recent report by Cisco Talos uncovered the sophisticated methods used by Salt Typhoon, a hacking group supported by China, which has been specifically targeting telecommunications providers. This group managed to infiltrate telecom systems by using compromised credentials on Cisco devices, achieving unauthorized access without exploiting any new vulnerabilities. Nevertheless, their tactics included exploiting an older vulnerability, identified as CVE-2018-0171, which facilitated the advancement of their attacks. The detailed investigation highlighted the intricate strategies employed by the hackers and emphasized the wide-ranging implications of their campaign. It underscores the necessity for organizations to remain vigilant and continuously update their security measures to protect sensitive information from such persistent threats.

Explore more