{"id":1181,"date":"2024-12-11T06:00:00","date_gmt":"2024-12-11T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1181"},"modified":"2024-12-11T06:00:00","modified_gmt":"2024-12-11T06:00:00","slug":"salt-typhoon-poses-a-serious-supply-chain-risk-to-most-organizations","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1181","title":{"rendered":"Salt Typhoon poses a serious supply chain risk to most organizations"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In the late spring of 2024, the US Federal Bureau of Investigation (FBI) began investigating reports of malicious activities targeting multiple US telecommunications companies. The agency determined that Chinese-affiliated actors had stolen many communications records related to several unidentified individuals during what they later realized was a persistent infiltration dating back at least two years.<\/p>\n<p>By late September and early October, US authorities <a href=\"https:\/\/www.wsj.com\/politics\/national-security\/china-cyberattack-internet-providers-260bd835\">began<\/a> publicly <a href=\"https:\/\/www.wsj.com\/tech\/cybersecurity\/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b?mod=article_inline\">warning about<\/a> a threat actor that Microsoft calls Salt Typhoon (also known as Earth Estries, Ghost Emperor, Famous Sparrow, or UNC 2286) that is likely affiliated with China\u2019s Ministry of State Security, also known as APT 40. 
Federal authorities have <a href=\"https:\/\/www.csoonline.com\/article\/3617298\/security-teams-should-act-now-to-counter-chinese-threat-says-cisa.html\">continued ramping up public warnings<\/a> regarding the group.<\/p>\n<p>Cybersecurity experts say the Salt Typhoon intrusions pose a serious supply chain risk for the telcos\u2019 customers, who encompass a broad swath, if not all, of global public and private sector organizations. \u201cIt\u2019s a supply chain attack where they\u2019re not targeting the telcos as much as they\u2019re targeting the telcos\u2019 customers,\u201d Jon Clay, vice president of threat intelligence at Trend Micro, tells CSO. \u201cIt\u2019s a technique we call \u2018island hopping,\u2019 where they gain access to a target through a partner or a vendor or something.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Not all of the details of Salt Typhoon\u2019s attacks have been released<\/h2>\n<p>Although the US government has offered broad, generic risk management guidance to communications and critical infrastructure providers, details defenders need are under wraps. Given that the threat actor still resides in the infected networks, authorities are loath to provide more concrete advice lest Salt Typhoon switch things up and burrow deeper into the infrastructure.<\/p>\n<p>Nevertheless, experts say CISOs should try talking with their telecommunications providers about whether they\u2019ve fixed the flaws that allowed Salt Typhoon in. They should also try to cut off the group\u2019s command and control infrastructure if they spot it. Most importantly, experts say CISOs should embrace encryption throughout their networks to protect their data and voice communications from fueling future threats, including deepfake videos.<\/p>\n<p>The good news is that with a lot of high-powered glare bearing down on it, publicity-shy China has got to be feeling the heat. 
\u201cThere\u2019s definitely a hell of a lot more threat hunting going on now than there was before,\u201d Adam Isles, principal and head of the cybersecurity practice at the Chertoff Group, tells CSO.<\/p>\n<p>\u201cAnd so, if you\u2019re on their side of it, you\u2019ve got to be thinking to yourself, \u2018whatever access I have now is not what it was beforehand. And I have to appreciate the risk of that being time-limited.&#8217;\u201d<\/p>\n<h2 class=\"wp-block-heading\">Timeline of recent Salt Typhoon developments<\/h2>\n<p>The following is a timeline of the recent developments related to Salt Typhoon.<\/p>\n<p><strong>Nov 21: Worst telecom hack in history.<\/strong> Senator Mark Warner, the Senate Intelligence Committee chairman, <a href=\"https:\/\/www.washingtonpost.com\/national-security\/2024\/11\/21\/salt-typhoon-china-hack-telecom\/\">called<\/a> the Salt Typhoon campaign \u201cthe worst telecom hack in our nation\u2019s history \u2014 by far.\u201d Warner said the hackers have been able to listen to audio calls in real-time and steal call data, and they have, in some cases, moved from one telecom network to another.<\/p>\n<p><strong>Dec 3: US government\u2019s encryption about-face.<\/strong> Although the initial concerns about Salt Typhoon centered on China hacking into federal government systems for court-authorized telecom network wiretapping requests, an FBI analysis revealed that the aims of Salt Typhoon were much broader than law enforcement and national security intercepts.<\/p>\n<p>According to an FBI official speaking at a CISA press briefing, the threat actors were already embedded in other parts of the telcos\u2019 systems before they pivoted to the law enforcement systems. 
During that call, Jeff Greene, Executive Assistant Director at CISA, said that one way to protect against voice call intercepts and data theft is to use encrypted apps, a seeming reversal for US law enforcement, which has long complained that end-to-end encrypted apps hide criminal activity.<\/p>\n<p><strong>Dec 3: Guidance for engineers and sysadmins.<\/strong> NSA, CISA, the FBI, the Australian Signals Directorate, and the National Cyber Security Centres of Canada and New Zealand <a href=\"https:\/\/www.nsa.gov\/Press-Room\/Press-Releases-Statements\/Press-Release-View\/Article\/3982793\/guidance-urges-visibility-and-device-hardening-against-prc-affiliated-threat-ac\/\">released communications infrastructure guidance<\/a> that provides engineers and system administrators with defensive measures to protect against intrusions.<\/p>\n<p><strong>Dec 4: Eight US telcos infiltrated.<\/strong> During a press briefing, Anne Neuberger, the White House deputy national security adviser for cyber and emerging technology, said that Salt Typhoon has infiltrated at least <a href=\"https:\/\/cyberscoop.com\/salt-typhoon-national-security-council-chinese-spying\/\">eight telecom companies<\/a> in the US, which reportedly include Verizon, AT&amp;T, and Lumen Technologies.<\/p>\n<p>Press reports suggest that the targeted individuals include President-elect Donald Trump, his vice-presidential pick JD Vance, US Senate Majority Leader Chuck Schumer, Vice President Kamala Harris, and State Department officials, among other leaders.<\/p>\n<p><strong>Dec 4: Pentagon pressured on unencrypted phones.<\/strong> US Senators Ron Wyden and Eric Schmitt <a href=\"https:\/\/www.wyden.senate.gov\/imo\/media\/doc\/wyden-schmitt_dod_letter.pdf\">sent a letter<\/a> to the Pentagon\u2019s Inspector General urging the Department of Defense to abandon the use of unencrypted phones and platforms given the risk of serious harm from Salt 
Typhoon.<\/p>\n<p><strong>Dec 5: FCC push on telcos to do better.<\/strong> <a href=\"https:\/\/www.reuters.com\/world\/us\/us-agencies-brief-senators-chinese-salt-typhoon-telecom-hacking-2024-12-04\">Following<\/a> an emergency classified briefing of Senate leaders regarding Salt Typhoon, the US Federal Communications Commission <a href=\"https:\/\/www.fcc.gov\/document\/implications-salt-typhoon-attack-and-fcc-response\">launched<\/a> an effort to <a href=\"https:\/\/www.fcc.gov\/document\/rosenworcel-proposed-requiring-telecom-carriers-secure-their-networks\">require<\/a> telecom networks to secure their networks against unlawful access and interception.<\/p>\n<p><strong>Dec 6: CSRB kicks off an investigation.<\/strong> The Cyber Safety Review Board (CSRB), an arm of CISA, <a href=\"https:\/\/therecord.media\/salt-typhoon-csrb-review\">kicked off<\/a> an investigation into the Salt Typhoon attacks. House Committee on Homeland Security Chairman Mark E. Green <a href=\"https:\/\/homeland.house.gov\/2024\/12\/06\/chairman-green-issues-statement-ahead-of-first-csrb-meeting-on-salt-typhoon-cyber-intrusions\/\">vowed<\/a> to hold hearings on the CSRB\u2019s report and introduce legislation to address the nation\u2019s cybersecurity that would, among other things, create an interagency task force to address China\u2019s cybersecurity threats.<\/p>\n<h2 class=\"wp-block-heading\">Details of Salt Typhoon\u2019s activities are still scarce<\/h2>\n<p>Although federal agencies have been elevating their warnings about Salt Typhoon for months, details on how the group achieved its infiltration or the number of organizations affected are still scarce.<\/p>\n<p>The lack of specifics is due to the unfortunate fact that Salt Typhoon is still lodged in the infected telecommunications networks. 
\u201cWe cannot say with certainty that the adversary has been evicted because we still don\u2019t know the scope of what they\u2019re doing,\u201d CISA\u2019s Greene said during the press briefing. \u201cWe\u2019re still trying to understand that along with [industry] partners.\u201d<\/p>\n<p>Authorities are almost certainly withholding details to prevent Salt Typhoon from changing its tactics and finding new and more covert ways to implant its malware onto victims\u2019 networks. \u201cOnce they get on one machine, they always want to pivot,\u201d ESET malware researcher Alexandre C\u00f4t\u00e9 Cyr tells CSO.<\/p>\n<p>\u201cAnd since most IT teams have blind spots in their network, they don\u2019t know everything,\u201d he says. \u201cNot everything\u2019s monitored properly. My guess is it\u2019s hard to get them out because they\u2019re in many different places, and they keep spreading among those machines. If they still have a foothold somewhere and they get reports about what\u2019s being discovered as it goes on, they can always update or add new tools through those existing paths to keep evading the new detections.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Salt Typhoon might be saving call recordings for future deepfakes<\/h2>\n<p>Like most Chinese-state-sponsored threat actors, Salt Typhoon is an espionage operation seeking to collect as much information as possible from its target organizations. 
Neuberger and other US officials believe the group <a href=\"https:\/\/www.reuters.com\/world\/us-alleges-china-hacked-calls-very-senior-political-figures-official-says-2024-12-07\/\">aimed to capture<\/a> metadata and recorded telephone calls of \u201cvery senior\u201d American political figures.<\/p>\n<p>Although Salt Typhoon\u2019s current campaign appears targeted, officials <a href=\"https:\/\/abcnews.go.com\/US\/chinese-espionage-campaign-scooped-data-thousands-us-mobile\/story?id=116439853\">also say<\/a> it has scooped up data on hundreds of thousands of American mobile phone users, likely stealing information on more than one million customers. Cybersecurity experts say Salt Typhoon is poised to continue collecting massive amounts of data and voice recordings from all the telcos\u2019 customers and saving the data they exfiltrate for various purposes, particularly deepfakes.<\/p>\n<p>\u201cWhat will they do with this data down the road?\u201d asked Trend Micro\u2019s Clay. \u201cWe\u2019ve already been discussing this internally, and it\u2019s audio fakes. Because if I get a whole bunch of conversations now, I\u2019ve got your voice, and I can utilize your voice and audio fakes in the future. So, there\u2019s a lot of concern over what can be done with this data.\u201d<\/p>\n<p>\u201cI think the idea that they are hoovering up lots of information is not at all out of the realm of possibility,\u201d Chertoff\u2019s Isles says. \u201cI think we can overweight that towards call content. 
They\u2019re going to get the audio of CEOs, et cetera.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Guidance on how to strengthen visibility, harden assets<\/h2>\n<p>The <a href=\"https:\/\/media.defense.gov\/2024\/Dec\/03\/2003596322\/-1\/-1\/0\/JOINT-GUIDANCE-ENHANCED-VISIBILITY-HARDENING-GUIDE-FOR-COMMS-INFRASTRUCTURE.PDF\">guidance<\/a> issued by US, Canadian, Australian, and New Zealand authorities offers a series of detailed and rigorous steps for communications networks and other critical infrastructure providers to strengthen visibility and harden devices and architecture. It also provides hardening best practices for Cisco operating systems, which authorities say Salt Typhoon targeted.<\/p>\n<p>The nine-page alert says organizations should engage in proactive monitoring, emphasizing early detection through robust visibility and anomaly tracking; defense-in-depth, adding layers of protection through encryption, segmentation, and secure device configurations; enhanced protection focus, emphasizing patching, turning off unnecessary services, and securing protocol usage; and collaboration, encouraging organizations and manufacturers to work together for a more secure infrastructure.<\/p>\n<p>None of this is new guidance or necessarily specific to Salt Typhoon. It encompasses virtually all the cybersecurity risk management practices that CISA and other security organizations have long advocated organizations adopt. 
\u201cAll the guidance from CISA is like, \u2018Okay, do everything in cybersecurity, do zero trust,&#8217;\u201d Joe Saunders, founder and CEO of RunSafe Security, tells CSO.<\/p>\n<h2 class=\"wp-block-heading\">Memory-based vulnerabilities are at the heart of the problem<\/h2>\n<p>Despite the potentially overbroad advice, Saunders recommends that CISOs take the collaboration guidance to heart and press their telecom providers on how they have addressed memory-based vulnerabilities in their products.<\/p>\n<p>Memory-based vulnerabilities allow the attacker to take command and control of a device, introduce code to do something nefarious, or leverage existing code for unintended, equally nefarious purposes. They are a class of vulnerabilities targeted for elimination in CISA\u2019s <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2024-08\/SecureByDemandGuide_080624_508c.pdf\">Secure by Demand<\/a> initiative.<\/p>\n<p>\u201cAt the core of what Salt Typhoon is doing is leveraging memory-based vulnerabilities deep in the heart of the telecom equipment itself,\u201d Saunders says. \u201cAnd that\u2019s a very specific tactic often used by hacker groups from China. It is essential for CISOs to ask their suppliers: Have you eliminated the memory vulnerabilities completely in your equipment?\u201d<\/p>\n<p>Other experts are skeptical that CISOs or the federal government can make headway in pressing telcos on memory-based vulnerabilities. They say Chinese threat actors continually exploit multiple zero-day vulnerabilities in VPN, firewall, and other edge products from Ivanti, Fortinet, Sophos, Cisco, and others that telcos use in their networks.<\/p>\n<p>Clay says that \u201cthe FCC can come up and say \u2018Hey, you got to patch these vulnerabilities within X number of days.\u2019 But how are they going to defend against a zero-day? 
Because zero days can be easily done these days\u201d particularly given that Beijing <a href=\"https:\/\/www.atlanticcouncil.org\/in-depth-research-reports\/report\/sleight-of-hand-how-china-weaponizes-software-vulnerability\/#:~:text=The%202021%20RMSV%E2%80%94written%20by,forty-eight%20hours%20of%20discovery.\">now requires<\/a> any zero days discovered by security researchers to be kept secret and reported to the government only.<\/p>\n<p>Other experts think that only the world\u2019s most influential organizations will have standing with the telcos to query them about memory-based vulnerabilities. \u201cIf you\u2019re a Fortune 10 company, maybe you can have a conversation with Verizon,\u201d Chertoff\u2019s Isles says.<\/p>\n<p>Clay says that instead of focusing on memory-based vulnerabilities, if \u201cI were a CISO right now, I would certainly be looking for command-and-control infrastructure. If you can cut off the command-and-control infrastructure, it\u2019s what maintains that ability to get back into the network from outside. If I can break that, I\u2019m keeping them out of the network.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Encryption is key to fighting Salt Typhoon<\/h2>\n<p>Experts agree that encrypting communications is crucial to thwarting Salt Typhoon\u2019s espionage efforts. \u201cWhat we have told folks internally is that encryption is your friend,\u201d CISA\u2019s Greene said during the press call. \u201cWhether it is on text messaging or if you have the capacity, voice communications, even if the adversary is able to intercept the data, if it\u2019s encrypted, it will make it really hard for them to detect it.\u201d<\/p>\n<p>Although end-to-end encryption (E2EE) messaging, such as Signal, is the gold standard, experts say it\u2019s unclear how well that would scale across large organizations. 
Moreover, they say that in most cases, E2EE isn\u2019t necessary.<\/p>\n<p>\u201cIn most cases, use the common encryption methods,\u201d ESET\u2019s Cyr says. \u201cYou wouldn\u2019t even need to have end-to-end encryption. It\u2019s always a plus, but you only need any kind of encryption. Everything should be secured with TLS [transport layer security] or HTTPS [hypertext transfer protocol security] because the ISP cannot decrypt that. If it\u2019s encrypted properly, the ISP just acts as a highway or a tube. So, the data passes through, and the threat actor can\u2019t listen.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In the late spring of 2024, the US Federal Bureau of Investigation (FBI) began investigating reports of malicious activities targeting multiple US telecommunications companies. The agency determined that Chinese-affiliated actors had stolen many communications records related to several unidentified individuals during what they later realized was a persistent infiltration dating back at least two years. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1173,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1181","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1181"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1181"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1181\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1173"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1181"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1181"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}