Salt Typhoon APT techniques revealed in new report


Government intelligence and cybersecurity agencies from 13 countries have released a joint advisory detailing the techniques used by Salt Typhoon, a Chinese state-sponsored APT group that has targeted telecommunications, government, transportation, lodging and military infrastructure networks from around the world. The agencies have linked Salt Typhoon’s activities to multiple Chinese entities, including three technology companies that provide cyber-related products and services to the People’s Liberation Army (PLA) and China’s Ministry of State Security (MSS).

“The data stolen through this activity against foreign telecommunications and internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” the agencies stated in their report.

Also known in the cybersecurity industry as Operator Panda, RedMike, UNC5807 and GhostEmperor, Salt Typhoon made headlines in late 2024 and earlier this year when authorities revealed that the group had breached major US telecommunications providers and ISPs, including AT&T, Verizon, T-Mobile, Lumen Technologies, Charter, Consolidated and Windstream Communications, in order to spy on sensitive communications.

Access through known vulnerabilities in network edge devices

So far Salt Typhoon hasn’t been associated with the exploitation of zero-day vulnerabilities, but it has repeatedly used n-days – known vulnerabilities for which victims haven’t yet deployed patches. Flaws in network-edge devices, including network security appliances, seem to be a frequent target for the group. The joint report highlights CVE-2024-21887, a flaw in Ivanti Connect Secure and Ivanti Policy Secure; CVE-2024-3400 in Palo Alto Networks PAN-OS GlobalProtect; CVE-2023-20273 and CVE-2023-20198 in Cisco Internetworking Operating System (IOS) XE; and CVE-2018-0171 in Cisco IOS and IOS XE.

“The APT actors may target edge devices regardless of who owns a particular device. Devices owned by entities who do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest,” the report found.

The group is also known to use compromised routers and virtual private servers that have not been previously associated with botnets or malicious activity as proxies by setting up tunnels. Devices are also inspected for any trusted provider-to-provider or provider-to-customer links that could be abused to jump into other networks.

One commonly used technique for maintaining persistence is to modify the Access Control Lists (ACLs) on the devices in order to add IP addresses controlled by the attackers. Opening services such as SSH, SFTP, FTP, RDP and HTTP on non-standard ports was also commonly observed on compromised devices.

“Depending on the configuration of the Simple Network Management Protocol (SNMP) on the compromised network device, the APT actors enumerate and alter the configurations for other devices in the same community group, when possible,” the agencies said.

Salt Typhoon lateral movement and data collection

In order to move deeper inside networks, the attackers leverage existing authentication protocols such as Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS). The Management Information Base (MIB), various router interfaces, Resource Reservation Protocol (RSVP) sessions, Border Gateway Protocol (BGP) routes and software already installed on the devices are also targeted for abuse.

The attackers also search configuration files and provider-held data such as subscriber information, customer records, network diagrams, device configurations, vendor lists, passwords and more.

The native packet capture capabilities of compromised routers are routinely leveraged to capture RADIUS or TACACS+ authentication traffic with the intention of extracting credentials transmitted in insecure forms. Sometimes attackers point the router’s TACACS+ server configuration to an IP address they control to capture authentication requests.

The compromised routers, especially Cisco ones, will have various configuration changes made to them including the addition of new accounts, the leveraging of traffic monitoring on interfaces, commands over various protocols to display configuration files or to clean logs, configuring tunnels, updating routing tables, running Guest Shell containers and more.

The attackers commonly leverage existing peering connections between networks in order to exfiltrate data without raising suspicion, hiding it within the noise generated by high-traffic nodes and encapsulating it into encrypted tunnels such as GRE or IPsec.

Telecommunications providers must perform threat hunting

The report includes many indicators of compromise, TTPs, a case study with recorded Salt Typhoon activity and commands, as well as threat hunting recommendations and YARA rules that can be used for activity detection.

“The authoring agencies encourage network defenders of critical infrastructure organizations, especially telecommunications organizations, to perform threat hunting, and, when appropriate, incident response activities,” the agencies said. “If malicious activity is suspected or confirmed, organizations should consider all mandatory reporting requirements to relevant agencies and regulators under applicable laws and regulations, and any additional voluntary reporting to appropriate agencies, such as cybersecurity or law enforcement agencies who can provide incident response guidance and assistance with mitigation.”

In terms of mitigation recommendations, the first step is to patch known vulnerabilities as soon as possible, especially on network edge devices. Performing regular monitoring of configuration files and logs on routers in order to detect suspicious activity and unauthorized changes is also important.

Other general recommendations include disabling outbound connections from management interfaces, disabling unused ports and services, changing default administrative credentials, implementing public-key authentication for admins instead of password authentication and phasing out unsupported network devices with versions that still receive security patches from their manufacturers.

The report also includes more specific recommendations for hardening management protocols, implementing robust logging and leveraging best practices for routing and virtual private networks.
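The configuration changes described earlier (new local accounts, added ACL entries, a TACACS+ server pointed at an outside address, SNMP community changes, new tunnels, interface traffic monitoring, Guest Shell, services moved to non-standard ports) are exactly the drift that regular monitoring of router configuration files is meant to catch. The script below is an added example written for this article, not a tool from the advisory or its authoring agencies: it diffs an IOS-style running configuration against a saved baseline, buckets each added line by the behaviour it resembles, and checks a handful of the general hardening recommendations listed above. The hostname, IP addresses, account names and both configurations are constructed samples, the category names and regular expressions are my own reading of the report rather than its YARA rules, and the `app-hosting appid guestshell` line assumes IOS XE syntax.

```python
"""Audit an IOS-style running config against a saved baseline.

Added example, not from the advisory. Flags added lines that resemble the
changes the report attributes to Salt Typhoon and checks a few of its
hardening recommendations. Every host, IP, account and config is constructed.
"""
import re
from typing import Optional

# Known-good config captured at the last review (constructed sample).
BASELINE = """\
hostname edge-rtr-01
username netops privilege 15 secret 5 $1$placeholder
tacacs server AAA1
 address ipv4 10.0.0.5
snmp-server community r0-public RO
ip access-list standard MGMT-ACCESS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
ip ssh server algorithm authentication publickey
"""

# Config pulled today (constructed); the additions mirror behaviours the
# report describes. 'app-hosting appid guestshell' assumes IOS XE syntax.
CURRENT = """\
hostname edge-rtr-01
username netops privilege 15 secret 5 $1$placeholder
username svc_backup privilege 15 secret 5 $1$placeholder
tacacs server AAA1
 address ipv4 203.0.113.77
snmp-server community r0-public RW
ip access-list standard MGMT-ACCESS
 permit 10.0.0.0 0.0.0.255
 permit 198.51.100.23
interface Tunnel99
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.23
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/3
app-hosting appid guestshell
ip ssh port 57722 rotary 1
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
ip ssh server algorithm authentication publickey
"""

# (category, regex over a parent-qualified line). Categories are my own
# labels for behaviours named in the report, not the advisory's taxonomy.
SUSPICIOUS = [
    ("new-local-account",      r"^username \S+"),
    ("aaa-server-changed",     r"^(tacacs|radius)-server host\b|^(tacacs|radius) server \S+ > address\b"),
    ("snmp-community-changed", r"^snmp-server community\b"),
    ("acl-entry-added",        r"^ip access-list .* > permit\b|^access-list \d+ permit\b"),
    ("tunnel-interface",       r"^interface Tunnel\d+"),
    ("traffic-monitoring",     r"^monitor session\b"),
    ("guest-shell",            r"guestshell"),
    ("nonstandard-port",       r"^ip (ssh|http) port \d+"),
]


def qualify(config: str) -> set:
    """Return the config as a set of lines; each indented child is prefixed
    with its stanza header ('tacacs server AAA1 > address ipv4 ...') so it is
    compared in context rather than on its own."""
    lines, parent = set(), None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and parent is not None:
            lines.add(f"{parent} > {raw.strip()}")
        else:
            parent = raw.strip()
            lines.add(parent)
    return lines


def classify(line: str) -> Optional[str]:
    """Map an added line to the first matching category, or None."""
    for category, pattern in SUSPICIOUS:
        if re.search(pattern, line):
            return category
    return None


def audit(baseline: str, current: str) -> dict:
    """Bucket every change: added lines by category ('unclassified' when no
    pattern matches) and dropped lines under 'removed', since a deleted ACL
    entry or log setting is just as worth a look as an addition."""
    base, cur = qualify(baseline), qualify(current)
    findings = {}
    for line in sorted(cur - base):
        findings.setdefault(classify(line) or "unclassified", []).append(line)
    for line in sorted(base - cur):
        findings.setdefault("removed", []).append(line)
    return findings


def hardening_gaps(current: str) -> list:
    """Check a few of the report's general recommendations: restricted
    management sources, no cleartext management transport, public-key SSH
    authentication, HTTP service off, no default SNMP communities."""
    cur, gaps = qualify(current), []
    vty = [l for l in cur if l.startswith("line vty")]
    if not any("> access-class" in l for l in vty):
        gaps.append("vty lines have no access-class limiting management sources")
    for l in vty:
        if "> transport input" in l and re.search(r"\b(telnet|all)\b", l):
            gaps.append(f"cleartext management transport enabled: {l}")
    auth = [l for l in cur if l.startswith("ip ssh server algorithm authentication")]
    if not auth or any("password" in l for l in auth):
        gaps.append("SSH still accepts password authentication; restrict to publickey")
    if any(l.startswith(("ip http server", "ip http secure-server")) for l in cur):
        gaps.append("HTTP management service enabled; disable if unused")
    gaps += [f"default SNMP community present: {l}" for l in cur
             if re.match(r"snmp-server community (public|private)\b", l)]
    return gaps


if __name__ == "__main__":
    for category, lines in audit(BASELINE, CURRENT).items():
        print(f"[{category}]")
        for line in lines:
            print("   ", line)
    print("hardening gaps:", hardening_gaps(CURRENT) or "none")
```

Run against a real estate, the baseline would come from a config-management store and the current config from a scheduled `show running-config` pull; anything in `unclassified` or `removed` still deserves a human look, because the pattern table only names the behaviours the report calls out, and a deletion such as a dropped ACL deny is as telling as an addition.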
