Cisco identifies Salt Typhoon's utilization of custom malware in recent telecom assaults

Chinese-supported hackers exploited stolen login credentials to initially breach Cisco equipment.

A series of cyber-attacks known as the Salt Typhoon campaign has been targeting telecommunications providers worldwide, exploiting known vulnerabilities in Cisco devices to gain significant access and control.

One of the most notable vulnerabilities recently exploited is CVE-2023-20198, a critical Cisco IOS XE vulnerability with a maximum CVSS score of 10.0. This vulnerability allows attackers to create arbitrary accounts with administrative privileges, enabling them to control network devices and configure them for further malicious activities.

Once administrative access is gained, the attackers configure Generic Routing Encapsulation (GRE) tunnels, which provide persistent access to the network. This allows them to collect traffic and potentially exfiltrate sensitive data. The exploitation of such vulnerabilities poses significant risks to telecom providers, including operational disruption, espionage, and further lateral movement within the network.

In addition to CVE-2023-20198, other vulnerabilities such as CVE-2023-20273 have also been exploited. Researchers from Cisco Talos found the Chinese state-sponsored threat group Salt Typhoon gaining access to Cisco devices through compromised login credentials. However, it is important to note that no new evidence has been found of Salt Typhoon exploiting CVE-2023-20198 or CVE-2023-20273, as had previously been stated.

In the course of investigating these attacks, Cisco Talos discovered custom-built malware called "JumbledPath," which lets the attackers create a chain of remote connections between targeted Cisco devices and Salt Typhoon-controlled jump hosts. The Talos blog post includes guidance for defending against Salt Typhoon, including disabling the Smart Install (SMI) service, disabling telnet, disabling guestshell access, using type 8 passwords, and disabling the underlying non-encrypted web server on Cisco devices.

The blog post also includes actionable recommendations and resources for detecting and preventing Salt Typhoon activity. Cisco's statement advises customers to patch known vulnerabilities and follow industry best practices for securing management protocols. This story has been updated to include comments provided by Cisco.
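As an added illustration (example code written for this page, not Cisco's or the article's own tooling), the following Python script audits an IOS XE running-config for the weak settings listed above (Smart Install, telnet, guestshell/IOx, non-type-8 passwords, the plain-HTTP server) and lists GRE tunnels for review, since persistent GRE tunnels are how the campaign kept access. The sample configuration is constructed, and treating type 9 passwords as acceptable is this example's assumption.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not captured from any real device); it
# contains one instance of each weak setting the article's guidance names.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username admin privilege 15 secret 5 $1$abcd$constructedhash
username ops privilege 15 secret 8 $8$constructedhash
iox
ip http server
ip http secure-server
interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
line vty 0 4
 transport input telnet ssh
"""

def audit_ios_config(config: str) -> Dict[str, List[str]]:
    """Return {check_name: [offending config lines]} for the hardening points
    named in the article, plus any GRE tunnel interfaces for manual review."""
    findings: Dict[str, List[str]] = {
        "smart_install": [], "telnet": [], "guestshell": [],
        "weak_password_type": [], "http_server": [], "gre_tunnel": []}
    lines = config.splitlines()
    # Smart Install is on by default on many platforms, so its absence from the
    # running-config does not prove it is off; require an explicit 'no vstack'.
    if not any(l.strip() == "no vstack" for l in lines):
        findings["smart_install"].append("no vstack missing")
    block = ""  # header of the interface/line block the current line belongs to
    for raw in lines:
        line = raw.strip()
        if not raw.startswith(" "):
            block = line
        if line.startswith("transport input") and "telnet" in line.split():
            findings["telnet"].append(f"{block}: {line}")
        if line == "iox" or "guestshell" in line:  # IOx is required for guestshell
            findings["guestshell"].append(line)
        m = re.match(r"username \S+ .*secret (\d+) ", line)
        # Type 8 (PBKDF2-SHA256) is what the guidance asks for; type 9 (scrypt)
        # is also accepted here (assumption); types 0, 5 and 7 are flagged.
        if m and m.group(1) not in ("8", "9"):
            findings["weak_password_type"].append(line)
        if line == "ip http server":
            findings["http_server"].append(line)
        if line.startswith("tunnel mode gre") and block.startswith("interface Tunnel"):
            findings["gre_tunnel"].append(block)
    return findings

if __name__ == "__main__":
    for check, hits in audit_ios_config(SAMPLE_CONFIG).items():
        print(f"{check}: {hits if hits else 'ok'}")
```

A GRE tunnel hit is not by itself malicious; compare each reported tunnel and its destination against the configuration baseline for that device.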

It's crucial to note that Salt Typhoon attacks pose a risk to organizations beyond targeted telecom providers. The state-sponsored threat actors frequently pivot or jump between devices and systems using tools like JumbledPath. Therefore, it's essential for all organizations to be vigilant and proactive in their cybersecurity measures.

[1] Cisco Talos Blog: Salt Typhoon: A New Chinese State-Sponsored Threat Group
[2] Recorded Future Insikt Group Report: Salt Typhoon: China-Linked APT Targets Telecom Providers
[3] Cisco Security Advisory: CVE-2023-20198
[4] Cisco Security Advisory: CVE-2023-20273
[5] Joint Cybersecurity Advisory: Salt Typhoon: China-Linked APT Targets Telecom Providers (U.S. and Canadian Authorities)

  1. The Salt Typhoon campaign, a series of cyber-attacks, has been exploiting known vulnerabilities in Cisco devices to gain control, such as CVE-2023-20198, which allows the creation of arbitrary accounts with administrative privileges.
  2. A custom-built malware called "JumbledPath" has been discovered, enabling attackers to create a chain of remote connections between targeted Cisco devices and Salt Typhoon-controlled jump hosts.
  3. The risks posed by Salt Typhoon attacks extend beyond the targeted telecom providers to other organizations, since these state-sponsored threat actors frequently pivot between devices and systems.
  4. To defend against Salt Typhoon attacks, it's recommended to patch known vulnerabilities, follow industry best practices for securing management protocols, and refer to resources and actionable recommendations provided in the Cisco Talos blog, Recorded Future Insikt Group Report, and the Joint Cybersecurity Advisory on Salt Typhoon.