- Cisco reveals Salt Typhoon used CVE-2018-0171 to breach target networks
- It needed login credentials, first
- The attackers are highly sophisticated and well-funded, Cisco said
Chinese state-sponsored threat actor Salt Typhoon was abusing a vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software to compromise US telecoms networks, experts have confirmed.
In a new blog post, Cisco said it found evidence of Salt Typhoon abusing CVE-2018-0171, a 9.8/10 (critical) vulnerability that allows threat actors to execute arbitrary code on an affected device.
“The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years,” Cisco Talos said.
Large-scale espionage
The researchers described the threat actors as “highly sophisticated” and “well-funded”, adding, “The long timeline of this campaign suggests a high degree of coordination, planning, and patience — standard hallmarks of advanced persistent threat (APT) and state-sponsored actors.”
To be able to exploit this vulnerability, Salt Typhoon first needed valid login credentials, which it was somehow able to acquire. The researchers have their suspicions on how: “In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers,” Cisco said. “The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.”
In late October 2024, the FBI and CISA warned about multiple major US telecom providers having been breached by Salt Typhoon.
The statement noted, “The U.S. Government is investigating the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.”
As the investigation progressed, by December 2024 the researchers found that at least eight major US telecoms were breached, including T-Mobile, Verizon, AT&T, and Lumen Technologies together with countless others around the world.
Via The Hacker News
Leave a comment