
The China-related Advanced Persistent Threat (APT) actor known as Salt Typhoon continues attacks targeting networks around the world, including organizations in the telecommunications, government, transportation, accommodation and military infrastructure sectors.
“These actors focus on major telecommunications providers’ large backbone routers, as well as provider edge (PE) and customer edge (CE) routers, but refer to other networks for compromised devices and trusted connections,” according to a joint cybersecurity advisory issued Wednesday. “These actors often change routers to maintain sustained, long-term access to the network.”
The bulletin, issued by authorities from 13 countries, names three Chinese companies: Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd. and Sichuan Zhixin Ruijie Network Technology Co., Ltd.

According to the advisory, these companies provide cyber-related products and services to China’s intelligence services, giving Beijing the ability to identify and track targeted communications and movements globally using data stolen in intrusions, particularly against communications and internet service providers (ISPs).
Brett Leatherman, head of the US Federal Bureau of Investigation’s cyber division, said Salt Typhoon has been active since at least 2019 and is engaged in sustained espionage activity aimed at “violating global communication privacy and security norms.”
In a standalone alert issued today, Dutch intelligence agencies MIVD and AIVD said domestic organizations “didn’t get the same level of attention” from Salt Typhoon hackers as their US counterparts. So far there is no evidence that the hackers have penetrated further into these networks.
The countries that co-signed the security advisory are Australia, Canada, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, New Zealand, Poland, Spain, the UK and the United States.
“Since at least 2021, this activity has targeted organizations in key sectors around the world, including government, communications, transportation, accommodation and military infrastructure, with clusters of activity observed in the UK,” the National Cybersecurity Centre said.
According to the Wall Street Journal and the Washington Post, the hacking crew has attacked more than 600 organizations, including 200 in the US, across 80 countries, expanding its targeting to other sectors and regions.
Salt Typhoon, which overlaps with activity tracked as GhostEmperor, Operator Panda, RedMike and UNC5807, has been observed gaining initial access by exploiting exposed network edge devices from Cisco (CVE-2018-0171, CVE-2023-20198 and CVE-2023-20273), Ivanti (CVE-2023-46023 and CVE-2024-21887) and Palo Alto Networks (CVE-2024-3400).
“APT actors can target edge devices regardless of who owns a particular device,” the advisory said. “Devices owned by entities that do not match the actors’ core targets of interest still provide opportunities for use in attack routes to targets of interest.”
A compromised device is used to pivot into other networks; in some cases the actors change the device’s configuration and add a Generic Routing Encapsulation (GRE) tunnel for persistent access and data exfiltration.
To keep persistent access to the target network, the actors modify access control lists (ACLs), add actor-controlled IP addresses, open standard and non-standard ports, execute commands in an on-box Linux container on supported Cisco networking devices, perform local discovery within the environment, and move laterally.
The attackers also abuse authentication protocols such as the Terminal Access Controller Access Control System (TACACS+) to enable lateral movement across network devices, while performing extensive discovery, capturing credential-bearing network traffic through compromised routers, and digging deeper into the network.

“APT actors have used native tools on the compromised system to collect PCAPs. The main purpose is to capture TACACS+ traffic on TCP port 49,” the advisory said. “TACACS+ traffic is often used to manage network equipment and to authenticate with accounts and credentials of highly privileged network administrators, allowing actors to compromise additional accounts and perform lateral movement.”
Salt Typhoon has also been observed enabling the sshd_operns service on Cisco IOS XR devices, creating a local user and granting it sudo privileges so that, after logging in via TCP/57722, the actor obtains root on the host OS.
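The configuration changes described in the preceding paragraphs (added GRE tunnels, modified ACLs, new local users, services moved to non-standard ports) all leave traces in a router’s running configuration. The following Python script is an added example, not code from the advisory or from any vendor: it audits a Cisco IOS-style configuration against an operator-defined baseline and flags those four indicators. The sample configuration, the management network 10.20.0.0/16, the user name netops and every address in it are constructed for this example.

```python
"""
Audit a Cisco IOS-style running configuration for the persistence
indicators described above: GRE tunnels pointing outside the expected
management ranges, ACL entries admitting outside addresses, unexpected
local users, and SSH moved to a non-standard port.

Everything below (baseline sets, sample config, addresses) is constructed
for this example and is not taken from the advisory.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # gre_tunnel | acl_entry | local_user | ssh_port
    detail: str


# Constructed baseline: what the operator expects to see on this device.
KNOWN_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
KNOWN_USERS = {"netops"}
STANDARD_SSH_PORT = 22


def _ace_source(line: str):
    """Return the source network of an access-control entry, or None for 'any'.

    Handles both extended ACEs ('permit tcp 10.0.0.0 0.0.0.255 any eq 22',
    'permit ip host 203.0.113.5 any') and standard ACEs without a protocol.
    """
    rest = line.split()[1:]  # drop 'permit'/'deny'
    if rest and rest[0] not in ("host", "any") and not re.match(r"\d+\.\d+\.\d+\.\d+", rest[0]):
        rest = rest[1:]  # drop protocol keyword (ip, tcp, udp, ...)
    if rest[0] == "any":
        return None
    if rest[0] == "host":
        return ipaddress.ip_network(rest[1])
    addr, wildcard = rest[0], rest[1]
    # ipaddress treats 0.0.0.0 / 255.255.255.255 as netmasks, so special-case
    # the two wildcard values that mean 'single host' and 'any'.
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(addr)
    if wildcard == "255.255.255.255":
        return None
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def _known(net) -> bool:
    return any(net.subnet_of(known) for known in KNOWN_MGMT_NETS)


def audit_config(config: str) -> list[Finding]:
    findings: list[Finding] = []
    interface = acl = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            interface = acl = None  # an unindented line closes any section
        if m := re.match(r"interface (Tunnel\S*)", line):
            interface = m.group(1)
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acl = m.group(1)
        elif interface and (m := re.match(r"tunnel destination (\S+)", line)):
            dst = ipaddress.ip_network(m.group(1))
            if not _known(dst):
                findings.append(Finding("gre_tunnel", f"{interface} -> {dst.network_address}"))
        elif acl and line.startswith("permit"):
            src = _ace_source(line)
            if src is not None and not _known(src):
                findings.append(Finding("acl_entry", f"{acl}: {line}"))
        elif m := re.match(r"username (\S+)", line):
            if m.group(1) not in KNOWN_USERS:
                findings.append(Finding("local_user", m.group(1)))
        elif m := re.match(r"ip ssh port (\d+)", line):
            if int(m.group(1)) != STANDARD_SSH_PORT:
                findings.append(Finding("ssh_port", m.group(1)))
    return findings


# Constructed sample configuration exhibiting all four indicators.
SAMPLE_CONFIG = """\
hostname pe-router-01
!
username netops privilege 15 secret 9 <redacted>
username svc_backup privilege 15 secret 9 <redacted>
!
ip ssh port 2222 rotary 1
!
interface Tunnel100
 ip address 172.16.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
!
interface GigabitEthernet0/0
 ip address 10.20.1.1 255.255.255.0
!
ip access-list extended MGMT-IN
 permit tcp 10.20.0.0 0.0.255.255 any eq 22
 permit tcp host 203.0.113.45 any eq 22
 permit ip any any
!
"""


def audit_sample() -> list[Finding]:
    return audit_config(SAMPLE_CONFIG)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.category}] {f.detail}")
```

Run against the sample, the audit reports the unexpected local user, the SSH listener on 2222, the tunnel to 203.0.113.45 and the ACL entry admitting that same host; the two entries covering the 10.20.0.0/16 management range pass. In practice the baseline would be the device’s last reviewed configuration rather than hard-coded sets, and a diff of consecutive configuration backups is the natural trigger for running it.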
Mandiant, owned by Google and one of the many industry partners that contributed to the advisory, said the threat actor’s familiarity with telecommunications systems offers it unique advantages and gives it an edge when it comes to defense evasion.
“The ecosystem of contractors, academics and other facilitators is at the heart of China’s cyber espionage,” John Hultquist, chief analyst at the Google Threat Intelligence Group, told The Hacker News. “Contractors are used to build tools and valuable exploits, performing the dirty work of intrusion operations. They have contributed to the rapid evolution of these operations and are growing to an unprecedented scale.”
“In addition to being a target for communication, we can use reporting of hospitality and transport targets by this actor to closely investigate individuals. We can use information from these sectors to develop a big picture of who someone is talking to, where they are and where they are going.”