Friday, February 21, 2025

Salt Typhoon Hackers Exploit Cisco Vulnerability to Gain Device Access on US.Telecom Networks


A highly advanced threat actor, dubbed “Salt Typhoon,” has been implicated in a series of cyberattacks targeting major U.S. telecommunications networks, according to a report by Cisco Talos.

The campaign, which began in late 2024 and was confirmed by the U.S. government, involves exploiting vulnerabilities in Cisco devices and leveraging stolen credentials to infiltrate critical infrastructure.

Exploitation of Cisco Vulnerabilities

Salt Typhoon’s operations have been characterized by their use of both legitimate credentials and known vulnerabilities in Cisco devices to gain access to core networking systems.

While the group primarily relied on stolen login credentials, one confirmed instance involved the exploitation of CVE-2018-0171, a vulnerability in Cisco’s Smart Install feature.

This flaw allows unauthenticated remote code execution and has been linked to previous cyber incidents.

Additionally, there are unverified reports suggesting Salt Typhoon may have attempted to exploit other known vulnerabilities, including CVE-2023-20198, CVE-2023-20273, and CVE-2024-20399.

Despite these exploits, no new vulnerabilities were discovered during the investigation.

Cisco Talos emphasized the importance of patching systems and adhering to best practices to mitigate risks associated with these known flaws.

Techniques and Persistence

Salt Typhoon demonstrated advanced persistence techniques, maintaining access to compromised networks for extended periods, up to three years in some cases.

The group employed “living-off-the-land” (LOTL) tactics, using built-in network tools to avoid detection.

Key activities included:

  • Credential Harvesting: Capturing SNMP, TACACS+, and RADIUS traffic to collect sensitive authentication data.
  • Configuration Exfiltration: Extracting device configurations containing weakly encrypted passwords and network details.
  • Infrastructure Pivoting: Moving laterally across networks by leveraging compromised devices as hop points.
  • Configuration Modifications: Altering device settings such as access control lists (ACLs) and loopback interfaces, and creating unauthorized local accounts.

The attackers also utilized custom-built tools like “JumbledPath,” a utility designed for remote packet capture while obfuscating their activities through multi-hop connections.

[Figure: Salt Typhoon's JumbledPath tool]

To evade detection, Salt Typhoon frequently cleared logs (e.g., .bash_history, auth.log) and restored device configurations to their original state after completing malicious activities.

They also modified authentication servers and used high-port SSH servers for persistent access.

Cisco Talos recommends robust monitoring of syslogs, AAA logs, and network behavior for unusual activity.

Organizations are advised to implement comprehensive configuration management, enable multi-factor authentication (MFA), and disable unnecessary services like Smart Install.
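The configuration-management advice above can be made concrete by diffing a known-good baseline against the running config for exactly the changes the article lists: new local accounts, new loopback interfaces, altered ACL and AAA-server sections, extra SSH listeners, and Smart Install switched back on. The script below is an added example, not Cisco Talos tooling; both IOS-style configs are constructed samples.

```python
# Added example, not Cisco Talos tooling: diff a known-good IOS config against the
# running config for the changes the article lists. Both configs are constructed.
BASELINE = """\
no vstack
username netops privilege 15 secret 9 $9$placeholder
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
tacacs server aaa1
 address ipv4 10.0.0.50
"""
RUNNING = """\
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$constructed
interface Loopback99
 ip address 172.16.99.1 255.255.255.255
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp host 203.0.113.7 any
ip ssh port 57722 rotary 1
tacacs server aaa1
 address ipv4 203.0.113.50
"""
# Sections whose indented children should never change without a change record.
WATCHED = ("ip access-list", "interface Loopback", "tacacs server", "radius server")

def _blocks(config):
    # Map each top-level IOS line to its indented child lines; skip blanks and '!' comments.
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            blocks[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(baseline, running):
    """Return human-readable findings for drift that matches the article's indicators."""
    old, new = _blocks(baseline), _blocks(running)
    findings = []
    for line, children in new.items():
        if line not in old:
            if line.startswith("username "):
                findings.append(f"new local account: {line.split()[1]}")
            elif line.startswith("interface Loopback"):
                findings.append(f"new loopback: {line}")
            elif line.startswith("ip ssh port"):
                findings.append(f"new ssh listener: {line}")
        elif children != old[line] and line.startswith(WATCHED):
            findings.append(f"changed section: {line}")
    if "no vstack" in old and "no vstack" not in new:  # default is Smart Install on
        findings.append("Smart Install re-enabled (no vstack removed)")
    return findings
```

Run `audit(BASELINE, RUNNING)` on each device after every config pull and alert on any non-empty result; a clean device returns an empty list.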

While the telecommunications sector has been the primary target of this campaign, Cisco Talos warns that the techniques employed by Salt Typhoon could be applied across various industries.

The prolonged timeline of these attacks underscores the need for heightened vigilance against advanced persistent threats (APTs) capable of deep infiltration into critical infrastructure.

This ongoing investigation highlights the importance of proactive cybersecurity measures, including regular updates, strong credential management, and network segmentation.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
