Chinese Nation-State Hackers Used a Custom Utility to Capture Packets

The Chinese hackers who infiltrated U.S. telecoms to spy on top governmental and political targets likely exploited only one known Cisco vulnerability, says Cisco’s threat analysis unit.
Otherwise, the Chinese nation-state cyberespionage operation known as Salt Typhoon used stolen login credentials, living-off-the-land techniques and a custom utility that facilitated lateral movement inside penetrated networks, said Cisco Talos in a Thursday blog post.
The cybersecurity unit said it found evidence “suggesting” that the Chinese threat group infiltrated networks exploiting CVE-2018-0171, a vulnerability in the Cisco “Smart Install” feature that’s been the subject of repeated warnings over the past half-decade.
“In all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials,” Talos asserted.
The finding appears to contradict other analysis, such as a Feb. 13 report from Recorded Future that says the threat actor penetrated at least one U.S. telecom using more recent Cisco vulnerabilities CVE-2023-20198 and CVE-2023-20273.
The Salt Typhoon campaign has starkly highlighted the telecom industry’s weak defenses and thrust network edge devices yet again into the cybersecurity spotlight (see: State Hackers’ New Frontier: Network Edge Devices).
Biden administration officials said the hackers appeared to intercept telephone conversations for some high-level government and political figures, including then-candidate President Donald Trump and his running mate, Vice President JD Vance. Hackers also observed broad swaths of metadata tied to voice and text messaging – comprising who, what, where and when – for a large group of individuals, primarily based in the Washington, D.C., metropolitan area. The federal government in January linked Salt Typhoon to a Chinese government contractor called Sichuan Juxinhe Network Technology, located in the hacking hotbed of Sichuan.
The Thursday blog from Cisco Talos is an attempt to shift the conversation about Salt Typhoon away from the networking giant. “No new Cisco vulnerabilities were discovered during this campaign. While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims,” the blog asserts.
It additionally advises telecoms “to follow best practices to secure network infrastructure.”
The Beijing-backed group, codenamed Salt Typhoon, used a custom tool dubbed “JumbledPath” to monitor network traffic and capture sensitive data in an ongoing cyberespionage campaign in the U.S. and elsewhere. In its U.S. attacks, Salt Typhoon appears to have focused on intercepting high-level voice communications – sometimes in real time – involving government officials and political campaign leaders.
Salt Typhoon relied on a custom-built tool called JumbledPath to monitor network activity and move from one network security zone into another through packet capture. A significant part of the campaign, Talos wrote, was marked by the hackers pivoting from one compromised device to another – including in one instance from one telecom to another.
The utility disabled logging and erased existing logs, making forensic investigations challenging. Defenders found the tool on Cisco Nexus devices inside Guest Shell, a virtualized environment on those devices designed to run custom Linux utility applications.
The hackers additionally captured network management and authentication protocol traffic such as SNMP, TACACS and RADIUS, including secret keys. They were able to effectively bypass access control lists by reconfiguring the loopback interface of compromised devices to send traffic onward to the next router set for penetration.
Talos researchers said that during their investigation, they observed pervasive targeting of Cisco devices not patched against the Smart Install vulnerability that appeared unrelated to Salt Typhoon. They advised system administrators to patch against the flaw or decommission devices. Even a device that doesn’t carry traffic could still be used as an entry point, they warned.
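The Talos findings above translate into a short checklist a network team can run against device configuration text: Smart Install should be disabled, Guest Shell should not be enabled unless there is a reason for it, logging should not have been switched off, unexpected loopback interfaces deserve a look, and default SNMP community strings should be gone. The script below is an added example written for this article, not code from Cisco, Talos or any vendor. The sample configuration excerpts are constructed for illustration; the command keywords (`no vstack`, `guestshell enable`, `no logging ...`, `interface Loopback`, `snmp-server community`) are real IOS/NX-OS syntax, but on some platforms the Guest Shell state appears in `show guestshell` output rather than the running config, so the audit treats its input as whatever text was collected from the device.

```python
"""Audit collected Cisco device text for the hardening gaps discussed in the
article. Added example, not Cisco's or Talos's code. Sample inputs are
constructed; command keywords are real IOS/NX-OS syntax, but exact output
varies by platform and version.
"""
import re
from collections import Counter

# Constructed sample: a device that exhibits every gap the audit looks for.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
no logging console
no logging buffered
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Loopback99
 ip address 192.0.2.7 255.255.255.255
!
guestshell enable
!
snmp-server community public RO
"""

# Constructed sample: the same device after remediation.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no vstack
logging buffered 64000
logging host 10.0.0.5
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
snmp-server group NETMON v3 priv
"""

Findings = list[tuple[str, str]]


def audit_config(config: str) -> Findings:
    """Return (category, offending line) pairs for each gap found."""
    findings: Findings = []
    lines = [ln.strip() for ln in config.splitlines()]

    # Smart Install (CVE-2018-0171 surface): the running config of a hardened
    # device carries an explicit 'no vstack'. Its absence is flagged.
    if "no vstack" not in lines:
        findings.append(("smart_install", "'no vstack' not present; Smart Install may be enabled"))

    for s in lines:
        # JumbledPath disabled logging; 'no logging ...' lines are the config-side trace.
        if re.match(r"^no logging (console|buffered|monitor|host)", s):
            findings.append(("logging_disabled", s))
        # Guest Shell is where the utility was found running.
        if s.startswith("guestshell enable"):
            findings.append(("guest_shell", s))
        # Loopback interfaces beyond the conventional Loopback0 were used to
        # relay traffic past ACLs; flag them for review, not as proof of compromise.
        m = re.match(r"^interface Loopback(\d+)$", s)
        if m and m.group(1) != "0":
            findings.append(("extra_loopback", s))
        # Default community strings make captured SNMP traffic immediately useful.
        if re.match(r"^snmp-server community (public|private)\b", s):
            findings.append(("weak_snmp_community", s))
    return findings


def summarize(findings: Findings) -> dict[str, int]:
    """Count findings per category for a one-line report."""
    return dict(Counter(cat for cat, _ in findings))


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {summarize(result)}")
        for cat, line in result:
            print(f"  [{cat}] {line}")
```

Run against the constructed sample the audit reports six findings across five categories; against the hardened excerpt it reports none. In practice the input would be the output of `show running-config` (plus `show guestshell` where Guest Shell state is not in the config), collected over an out-of-band management path so that the collection itself does not depend on the device being audited.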