Cyber Hackers Abuse Vulnerability in US Telecom Equipment

A Chinese threat actor, known as Salt Typhoon, has gained access to major US telecommunications companies by exploiting a known security flaw, CVE-2018-0171, and using stolen login credentials. The hackers demonstrated their ability to persist in target environments for extended periods, maintaining access for over three years.

According to Cisco Talos, the threat actor is highly sophisticated and well-funded, with a high degree of coordination and planning. Initial access relies on valid, stolen credentials; the actor also takes advantage of captured network device configurations and local accounts with weak passwords. The hackers capture SNMP, TACACS, and RADIUS traffic, including the secret keys shared between network devices.

Salt Typhoon also leverages living-off-the-land (LOTL) techniques on network devices, using them as pivot points to jump from one telecom to another. This allows them to remain undetected for extended periods of time. The hackers alter network configurations to create local accounts, enable Guest Shell access, and facilitate remote access via SSH.

A bespoke utility called JumbledPath is used to execute a packet capture on a remote Cisco device through an actor-defined jump-host. The Go-based ELF binary clears logs and disables logging in an attempt to obfuscate malicious activity. Additional pervasive targeting of Cisco devices with exposed Smart Install (SMI) has also been identified.
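As an added defender-side example (not code from the article or from Cisco Talos), the following Python script audits a constructed IOS running-config excerpt for the configuration changes described above: Smart Install left enabled, the Guest Shell prerequisite, disabled logging, SSH accepted on vty lines, and privilege-15 accounts absent from a known baseline. The hostname, account names and config text are constructed; `no vstack`, `iox`, `no logging` and `transport input ssh` are standard IOS syntax.

```python
import re

# Constructed IOS running-config excerpt (not a real capture) reflecting the
# configuration changes the article attributes to the actor.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
username admin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
!
iox
!
no logging buffered
no logging console
!
line vty 0 4
 transport input ssh
!
end
"""

# Each check: (finding label, predicate over the list of config lines).
CHECKS = [
    ("Smart Install not disabled (no 'no vstack' line; exposure to CVE-2018-0171)",
     lambda ls: not any(l.strip() == "no vstack" for l in ls)),
    ("Guest Shell prerequisite 'iox' enabled",
     lambda ls: any(l.strip() == "iox" for l in ls)),
    ("Local logging disabled",
     lambda ls: any(re.match(r"\s*no logging (buffered|console|monitor)", l) for l in ls)),
    ("SSH accepted on vty lines",
     lambda ls: any("transport input ssh" in l for l in ls)),
]

def privileged_accounts(lines):
    """Return local usernames configured with privilege 15."""
    return [m.group(1) for l in lines
            if (m := re.match(r"\s*username (\S+) privilege 15", l))]

def audit(config, baseline_accounts):
    """Return a list of finding strings for a running-config text."""
    lines = config.splitlines()
    findings = [label for label, pred in CHECKS if pred(lines)]
    # Any privilege-15 account outside the baseline is worth a second look.
    for user in sorted(set(privileged_accounts(lines)) - set(baseline_accounts)):
        findings.append(f"Privilege-15 account not in baseline: {user}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, baseline_accounts=["admin"]):
        print("FINDING:", finding)
```

Run it against a saved `show running-config` output and a list of approved administrative accounts; a clean device with Smart Install disabled produces no findings.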

Source: https://thehackernews.com/2025/02/cisco-confirms-salt-typhoon-exploited.html