A highly sophisticated threat actor, dubbed “Salt Typhoon,” has been implicated in a series of cyberattacks targeting major U.S. telecommunications networks, according to a report by Cisco Talos.
The campaign, which began in late 2024 and was confirmed by the U.S. government, involves exploiting vulnerabilities in Cisco devices and leveraging stolen credentials to infiltrate critical infrastructure.
Exploitation of Cisco Vulnerabilities
Salt Typhoon’s operations have been characterized by the use of both legitimate credentials and known vulnerabilities in Cisco devices to gain access to core networking systems.
While the group primarily relied on stolen login credentials, one confirmed instance involved exploitation of CVE-2018-0171, a vulnerability in Cisco’s Smart Install feature.
This flaw allows remote code execution and has been linked to earlier cyber incidents.
Additionally, there are unverified reports suggesting Salt Typhoon may have attempted to exploit other known vulnerabilities, including CVE-2023-20198, CVE-2023-20273, and CVE-2024-20399.
Despite these exploits, no new vulnerabilities were discovered during the investigation.
Cisco Talos emphasized the importance of patching systems and adhering to best practices to mitigate the risks associated with these known flaws.
Techniques and Persistence
Salt Typhoon demonstrated advanced persistence techniques, maintaining access to compromised networks for extended periods, up to three years in some cases.
The group employed “living-off-the-land” (LOTL) tactics, using built-in network tools to avoid detection.
Key activities included:
- Credential Harvesting: Capturing SNMP, TACACS+, and RADIUS traffic to collect sensitive authentication data.
- Configuration Exfiltration: Extracting device configurations containing weakly encrypted passwords and network details.
- Infrastructure Pivoting: Moving laterally across networks by using compromised devices as hop points.
- Configuration Modifications: Altering device settings such as access control lists (ACLs) and loopback interfaces, and creating unauthorized local accounts.
The attackers also used custom-built tools such as “JumbledPath,” a utility designed for remote packet capture while obfuscating their activity through multi-hop connections.
To evade detection, Salt Typhoon frequently cleared logs (e.g., .bash_history, auth.log) and restored device configurations to their original state after completing malicious actions.
They also modified authentication servers and used high-port SSH servers for persistent access.
Cisco Talos recommends robust monitoring of syslogs, AAA logs, and network behavior for unusual activity.
Organizations are advised to implement comprehensive configuration management, enable multi-factor authentication (MFA), and disable unnecessary services such as Smart Install.
While the telecommunications sector has been the primary target of this campaign, Cisco Talos warns that the techniques employed by Salt Typhoon could be applied across various industries.
The prolonged timeline of these attacks underscores the need for heightened vigilance against advanced persistent threats (APTs) capable of deep infiltration into critical infrastructure.
This ongoing investigation highlights the importance of proactive cybersecurity measures, including regular updates, strong credential management, and network segmentation.
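As an added example (not code from the Talos report or the original article), the configuration-management check below diffs a device's running-config against a known-good baseline and flags the kinds of change described above: new local accounts, modified ACLs and loopback interfaces, changed TACACS+/RADIUS server entries, and SSH moved to a high port. Both configs are constructed samples for a hypothetical IOS-style device; the rule names and the `audit_config` function are this example's own.

```python
import re
# Constructed baseline and current running-config of a hypothetical IOS-style device.
BASELINE = """\
username netops privilege 15 secret 5 $1$placeholder
tacacs server TAC1
 address ipv4 10.10.0.5
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
"""
CURRENT = """\
username netops privilege 15 secret 5 $1$placeholder
username svc_backup privilege 15 secret 5 $1$placeholder2
tacacs server TAC1
 address ipv4 203.0.113.9
interface Loopback99
 ip address 192.0.2.1 255.255.255.255
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit tcp any any eq 57722
ip ssh port 57722 rotary 1
"""

def _flatten(cfg):
    """Config -> set of (section, line); indented lines keep their parent block."""
    items, section = set(), ""
    for raw in cfg.splitlines():
        if raw.strip() and not raw.startswith("!"):
            section = section if raw.startswith(" ") else raw.strip()
            items.add((section if raw.startswith(" ") else "", raw.strip()))
    return items

# One rule per change class from the report; the SSH rule yields 0 when the line is absent.
RULES = [
    ("new-local-account", lambda s, l: l.startswith("username ")),
    ("auth-server-change", lambda s, l: re.match(r"aaa |tacacs|radius", s or l) is not None),
    ("loopback-change", lambda s, l: (s or l).startswith("interface Loopback")),
    ("acl-change", lambda s, l: re.match(r"(ip )?access-list", s or l) is not None),
    ("high-port-ssh", lambda s, l: int((re.match(r"ip ssh port (\d+)", l) or [0, 0])[1]) > 1024),
]

def audit_config(baseline, current):
    """Return (category, 'added'|'removed', line) for each drift matching a rule."""
    base, cur = _flatten(baseline), _flatten(current)
    findings = []
    for change, delta in (("added", cur - base), ("removed", base - cur)):
        for section, line in sorted(delta):
            cat = next((c for c, pred in RULES if pred(section, line)), None)
            if cat:
                findings.append((cat, change, line))
    return findings
```

Run against real backups, every finding should map to an approved change ticket; anything else is the drift the report describes, including a restored-then-reverted config that only a periodic snapshot would catch.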