A Chinese nation-state threat group known as Salt Typhoon has gained access to US telecom networks through Cisco devices, according to a recent threat intelligence report from Cisco Talos. The attacks, which began in early December and continued into January, targeted five additional telecom networks using vulnerabilities in Cisco IOS XE.
Researchers say Salt Typhoon initially gained access to Cisco devices using legitimate login credentials, although one incident involved exploiting a seven-year-old critical vulnerability (CVE-2018-0171). The group’s primary initial access point for attacks has not been identified by authorities.
US and global officials have advised network defenders to address the risk of Cisco device exploitation, because Salt Typhoon has been able to maintain persistent access to telecom networks’ infrastructure using “living-off-the-land” techniques. These involved blending its activity into normal operations, pivoting through trusted infrastructure, and capturing network protocol traffic to obtain additional credentials.
The group maintained access to one target environment for over three years, according to Cisco Talos. Researchers say it’s unclear how Salt Typhoon obtained valid credentials to Cisco devices, but that the threat group actively attempted to acquire them by targeting weak passwords and local accounts.
Cisco Talos confirms that its findings do not cover the entirety of Salt Typhoon’s campaign or all affected infrastructure, as these go beyond the scope of its engagement and technology. The company advises customers to patch known vulnerabilities and follow industry best practices for securing management protocols.
Source: https://cyberscoop.com/cisco-talos-salt-typhoon-initial-access