Salt Typhoon hackers used this clever technique to attack US networks

News
By
published

A bug in Cisco products was used to target US telecoms once again

China
Image credit: Shutterstock (Image credit: Shutterstock)
  • Cisco reveals Salt Typhoon used CVE-2018-0171 to breach target networks
  • It needed login credentials, first
  • The attackers are highly sophisticated and well-funded, Cisco said

Chinese state-sponsored threat actor Salt Typhoon was abusing a vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software to compromise US telecoms networks, experts have confirmed.

In a new blog post, Cisco said it found evidence of Salt Typhoon abusing CVE-2018-0171, a 9.8/10 (critical) vulnerability that allows threat actors to execute arbitrary code on an affected device.

"The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years," Cisco Talos said.

Large-scale espionage

The researchers described the threat actors as “highly sophisticated” and “well-funded”, adding, "The long timeline of this campaign suggests a high degree of coordination, planning, and patience — standard hallmarks of advanced persistent threat (APT) and state-sponsored actors."

To be able to exploit this vulnerability, Salt Typhoon first needed valid login credentials, which it was somehow able to acquire. The researchers have their suspicions on how: "In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers," Cisco said. "The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use."

In late October 2024, the FBI and CISA warned about multiple major US telecom providers having been breached by Salt Typhoon.

The statement noted, “The U.S. Government is investigating the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.”

As the investigation progressed, by December 2024 the researchers found that at least eight major US telecoms were breached, including T-Mobile, Verizon, AT&T, and Lumen Technologies together with countless others around the world.

Via The Hacker News

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
Best password manager for families

Best password manager for families of 2025
The best free firewall

Microsoft fixes Power Pages security flaw, tells users to be on their guard
Image of the new Apple Watch SE 2

Is the Apple Watch SE next for the chop? The surprise iPhone 16e reveal could hint at more changes to come
See more latest