
Cisco confirms that Salt Typhoon used CVE-2018-0171 to target communications networks


February 21, 2025Ravi LakshmananNetwork Security/Vulnerabilities

Cisco has confirmed that a Chinese threat actor known as Salt Typhoon gained access by likely abusing a known security flaw tracked as CVE-2018-0171 and by obtaining legitimate victim login credentials, as part of a targeted campaign against large US telecom companies.

“Threat actors have since demonstrated their long-term sustainability in target environments across multiple vendor equipment, maintaining access for over three years,” said Cisco Talos, which described the hackers as highly sophisticated and well funded.


“This campaign’s long timeline suggests a high degree of coordination, planning, and perseverance. This is a standard feature of advanced persistent threats (APTs) and state-sponsored actors.”

The networking equipment major said it had found no evidence that other known security bugs were weaponized by the hacking crew, contrary to a recent Recorded Future report that described attempts to exploit the flaws tracked as CVE-2023-20198 and CVE-2023-20273 to intrude into networks.

An important aspect of the campaign is the use of valid, stolen credentials to gain initial access, although how they were obtained is unknown at this stage. The threat actor has also been observed obtaining credentials from network device configurations and attempting to decrypt local accounts with weak password types.
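A defender can check saved device configurations for the weak password types mentioned above. The following is an added example, not code from Cisco Talos or the article; the function name `audit_config` and the sample configuration are constructed for illustration, and the type meanings are general Cisco IOS knowledge rather than details from this report.

```python
# Flags Cisco IOS credential lines stored with a weak password type.
WEAK_TYPES = {
    "0": "cleartext",
    "4": "unsalted SHA-256 (deprecated)",
    "5": "salted MD5 (fast to brute-force offline)",
    "7": "reversible obfuscation, not encryption",
}  # other types, such as 8 (PBKDF2) and 9 (scrypt), are not flagged

SAMPLE_CONFIG = """\
service password-encryption
enable secret 9 $9$CONSTRUCTED.SALT$CONSTRUCTEDHASH
enable password 7 CONSTRUCTED7
username netops privilege 15 secret 8 $8$CONSTRUCTED.SALT$CONSTRUCTEDHASH
username backup privilege 15 password 7 CONSTRUCTED7
username legacy secret 5 $1$CONS$CONSTRUCTEDHASH
line vty 0 4
 password changeme
 login local
"""  # constructed sample, not taken from any real device

def audit_config(text):
    """Return (line_no, account, type, reason) for each weak credential line."""
    findings, context = [], "global"
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if not raw[0].isspace():
            context = " ".join(tokens)       # top-level block, e.g. "line vty 0 4"
        if tokens[0] == "username" and len(tokens) > 2:
            account, rest = "user " + tokens[1], tokens[2:]
        elif tokens[0] == "enable":
            account, rest = "enable", tokens[1:]
        elif tokens[0] == "password":
            account, rest = context, tokens  # password under a line block
        else:
            continue
        kw = next((i for i, t in enumerate(rest) if t in ("password", "secret")), None)
        if kw is None or kw + 1 >= len(rest):
            continue                         # e.g. "no enable password"
        args = rest[kw + 1:]
        # "<digit> <string>" carries an explicit type; a bare string is type 0.
        ptype = args[0] if len(args) > 1 and args[0].isdigit() else "0"
        if ptype in WEAK_TYPES:
            findings.append((line_no, account, ptype, WEAK_TYPES[ptype]))
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The findings deliberately omit the stored value, so the report can be shared without leaking the credential material itself.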

“In addition, threat actors have been observed capturing SNMP, TACACS and RADIUS traffic, including private keys used between network devices and TACACS/RADIUS servers,” Talos said. “The intent of this traffic capture is almost certainly to enumerate additional credential details for subsequent use.”

Another notable behavior exhibited by Salt Typhoon involves leveraging living-off-the-land (LOTL) techniques on network devices, abusing the trusted infrastructure to jump from one telecommunications network to another.

These devices are suspected to be used as intermediate relays to reach the intended final target, or as the first hop in an outbound data exfiltration operation.

Additionally, Salt Typhoon was found to have altered network configurations to create local accounts, enable Guest Shell access, and facilitate remote access over SSH. It also used a custom utility called JumbledPath, which allows packet capture to be performed on a remote Cisco device via an actor-defined jump host.

The Go-based ELF binary can also clear logs and disable logging to obfuscate traces of malicious activity and make forensic analysis more difficult. This is complemented by periodic steps to erase relevant logs, such as .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable.


“Using this utility will help obfuscate the source and final destination of the request, allowing operators to move devices or infrastructure that are not potentially breachable (or routable),” Cisco said.

“Threat actors repeatedly change the address of loopback interfaces on compromised switches, use that interface as the source of SSH connections to additional devices in the target environment, and then use them to effectively bypass the access control lists (ACLs) for those devices.”

The company also identified “additional broad targeting” of Cisco devices with exposed Smart Install (SMI), followed by abuse of CVE-2018-0171. It noted that this activity is unrelated to Salt Typhoon and does not overlap with any known threat actor or group.
