Salt Typhoon Breaches 600 Organizations Worldwide by Taking Advantage of Cisco, Ivanti, and Palo Alto Flaws


Salt Typhoon, an advanced persistent threat (APT) actor with ties to China, has persisted in attacking global networks, including those in the government, transportation, housing, telecommunications, and military infrastructure sectors.

A joint cybersecurity advisory released on Wednesday states that “these actors use compromised devices and trusted connections to pivot into other networks, even though they target the large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers. These actors often modify routers to maintain persistent, long-term access to networks.”

According to the bulletin, which was issued by officials from 13 different nations, three Chinese companies — Sichuan Zhixin Ruijie Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Juxinhe Network Technology Co., Ltd. — have been connected to the malicious activity.


According to the agencies, these companies supply China’s intelligence services with cyber-related products and services. The data taken in the intrusions, particularly those targeting telecoms and Internet service providers (ISPs), gives Beijing the ability to locate and monitor the communications and movements of its targets around the world.

Australia, Canada, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, New Zealand, Poland, Spain, the United Kingdom, and the United States are among the nations that have co-sealed the security advisory.

The Salt Typhoon gang has been conducting a sustained espionage effort since at least 2019, according to Brett Leatherman, chief of the U.S. Federal Bureau of Investigation’s Cyber Division, with the goal of “breaching global telecommunications privacy and security norms.”

While Dutch organizations “did not receive the same degree of attention from the Salt Typhoon hackers as those in the U.S.,” the threat actors were able to access the routers of smaller ISPs and hosting providers, according to a stand-alone alert released today by the Dutch intelligence and security services MIVD and AIVD. There is no evidence, however, that the hackers were able to infiltrate these networks any further.

“Since at least 2021, this activity has targeted organisations in critical sectors including government, telecommunications, transportation, lodging, and military infrastructure globally, with a cluster of activity observed in the U.K.,” the National Cyber Security Center stated.

The hacking team has reportedly broadened its scope to additional industries and geographical areas, targeting at least 600 organizations across 80 countries, including 200 in the United States, according to The Wall Street Journal and The Washington Post.


Salt Typhoon has been seen to gain initial access by exploiting vulnerable network edge devices from Cisco (CVE-2018-0171, CVE-2023-20198, and CVE-2023-20273), Ivanti (CVE-2023-46805 and CVE-2024-21887), and Palo Alto Networks (CVE-2024-3400). This activity overlaps with activity tracked as GhostEmperor, Operator Panda, RedMike, and UNC5807.

“The APT actors may target edge devices regardless of who owns a particular device,” the agencies stated. “Devices owned by entities that do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest.”


The compromised devices are then used to break into other networks. In some cases the actors also modify the device configuration and set up a generic routing encapsulation (GRE) tunnel to maintain persistent access and exfiltrate data.

Other methods used to maintain persistent access to target networks include modifying Access Control Lists (ACLs) to permit IP addresses under the actors’ control, opening both standard and non-standard ports, and executing commands in an on-box Linux container on compatible Cisco networking devices to stage tools, process data locally, and move laterally within the environment.

In order to facilitate lateral movement across network devices, the attackers also employ authentication protocols such as Terminal Access Controller Access Control System Plus (TACACS+). At the same time, they carry out comprehensive discovery actions and intercept network traffic that contains credentials through compromised routers in order to delve deeper into the networks.

“The APT actors collected PCAPs using native tooling on the compromised system, with the primary objective likely being to capture TACACS+ traffic over TCP port 49,” according to the authorities. “TACACS+ traffic is used for authentication, often for administration of network equipment and including highly privileged network administrators’ accounts and credentials, likely enabling the actors to compromise additional accounts and perform lateral movement.”

Furthermore, Salt Typhoon has been observed enabling the sshd_operns service on Cisco IOS XR devices, creating a local user and granting it sudo privileges so that, after logging in over TCP/57722, the actors can obtain root on the host OS.
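As an added defender-side example (not from the advisory or this article), the following Python audits a constructed Cisco-style running config and a few constructed flow records for the persistence indicators described above: a GRE tunnel, an ACL entry permitting an untrusted host, a new privilege-15 local user, and inbound TCP/57722 connections from outside the management networks. The config text, the flow records, and the 10.0.0.0/8 management allow-list are all assumptions made for the example.

```python
import re

# Constructed sample of a Cisco IOS-style running config containing the kinds
# of persistence indicators the advisory describes (not a real device config).
SAMPLE_CONFIG = """\
hostname pe-router-01
ip access-list extended MGMT-ACCESS
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip host 203.0.113.45 any
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel mode gre ip
username svc_backup privilege 15 secret 5 <placeholder-hash>
"""

# Constructed flow records: (src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.1.1.1", 22, "tcp"),          # normal admin SSH
    ("198.51.100.10", "10.1.1.1", 57722, "tcp"),  # external login to the sshd_operns port
    ("10.1.1.1", "198.51.100.10", 0, "gre"),      # router sending GRE outbound
]

TRUSTED_MGMT_PREFIXES = ("10.",)  # assumed management allow-list for this example

def audit_config(config: str) -> dict:
    """Map finding category -> config lines that match it."""
    findings = {"gre_tunnel": [], "acl_untrusted_permit": [], "priv15_user": []}
    in_tunnel = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_tunnel = line.startswith("interface Tunnel")
        if in_tunnel and line.startswith("tunnel mode gre"):
            findings["gre_tunnel"].append(line)
        m = re.match(r"permit ip host (\d+(?:\.\d+){3})", line)
        if m and not m.group(1).startswith(TRUSTED_MGMT_PREFIXES):
            findings["acl_untrusted_permit"].append(line)
        if re.match(r"username \S+ privilege 15\b", line):
            findings["priv15_user"].append(line)
    return findings

def flag_flows(flows) -> list:
    """Flag any GRE flow and TCP/57722 logins from outside the management nets."""
    flagged = []
    for src, dst, port, proto in flows:
        if proto == "gre" or (proto == "tcp" and port == 57722
                              and not src.startswith(TRUSTED_MGMT_PREFIXES)):
            flagged.append((src, dst, port, proto))
    return flagged
```

Run against a real config export and flow data, each hit is a starting point for verification against change records, not proof of compromise on its own.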

According to Mandiant, the Google-owned company that was one of the many industry partners contributing to the advisory, the threat actor has a distinct edge in defensive evasion because of its experience with telecommunications networks.

“The core of Chinese cyber espionage is an ecosystem of academics, contractors, and other facilitators,” Google Threat Intelligence Group Chief Analyst John Hultquist told The Hacker News. In addition to performing the grunt work of penetration operations, contractors are employed to create tools and lucrative exploits. They have played a key role in these operations’ quick development and expansion to an unparalleled size.

“This actor has been reported to target transportation and hospitality in addition to telecommunications, which might be used to closely monitor people. A comprehensive picture of who someone is speaking to, where they are, and where they are heading may be created using data from various sectors.”

About the author: Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
