The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers. Salt Typhoon (aka Earth Estries, GhostEmperor, and UNC2286) is a sophisticated hacking group active since at least 2019, primarily focusing on breaching government entities and telecommunications companies. Recently, U.S. authorities confirmed that Salt Typhoon was behind several successful breaches of telecommunication service providers in the U.S., including Verizon, AT&T, Lumen Technologies, and T-Mobile. It was later revealed that Salt Typhoon managed to tap into the private communications of some U.S. government officials and stole information related to court-authorized wiretapping requests.

Cisco says Salt Typhoon hackers infiltrated core networking infrastructure primarily through stolen credentials. While Salt Typhoon primarily gained access to targeted networks using stolen credentials, the exact method of obtaining the credentials remains unclear. Once inside, they expanded their access by extracting additional credentials from network device configurations and intercepting authentication traffic (SNMP, TACACS, and RADIUS). They also exfiltrated device configurations over TFTP and FTP; these configurations contained sensitive authentication data, weakly encrypted passwords, and network mapping details, which facilitated lateral movement. The threat actors were also observed modifying network configurations, enabling Guest Shell access to execute commands, altering access control lists (ACLs), and creating hidden accounts. The attackers demonstrated advanced techniques for persistent access and evasion, including frequently pivoting between different networking devices to hide their traces and using compromised edge devices to pivot into partner telecom networks.

A primary component of the Salt Typhoon attacks was monitoring network activity and stealing data using packet-capturing tools like Tcpdump, Tpacap, Embedded Packet Capture, and a custom tool called JumbledPath. JumbledPath allowed Salt Typhoon to initiate packet capture on a targeted Cisco device via a jump-host, an intermediary system that made the capture requests appear as if they originated from a trusted device inside the network while also obfuscating the attacker's true location. JumbledPath is a Go-based ELF binary built for x86_64 Linux-based systems, which allowed it to run on a variety of edge networking devices from different manufacturers, including Cisco Nexus devices.

Cisco lists several recommendations to detect Salt Typhoon activity, such as monitoring for unauthorized SSH activity on non-standard ports, tracking log anomalies, including missing or unusually large '.bash_history' files, and inspecting for unexpected configuration changes.
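The detection recommendations above (SSH listening on non-standard ports, missing or oversized '.bash_history' files, and unexpected configuration changes such as new accounts or ACL entries) can be turned into simple fleet checks. The Python below is an added example, not code from the article or from Cisco; the history sizes, sshd log lines, IOS-style config fragments, approved port list, and size threshold are all constructed assumptions.

```python
import re
# Constructed sample inputs (not from the article). Sizes in bytes; None = file absent.
BASH_HISTORY_SIZES = {"root": 3 * 1024 * 1024, "netops": 18_200, "svc-backup": None}
# Constructed lines in sshd's "Server listening" log format.
SSHD_LOG_LINES = [
    "sshd[1201]: Server listening on 0.0.0.0 port 22.",
    "sshd[3342]: Server listening on 0.0.0.0 port 57722.",
]
# Constructed IOS-style config fragments: an approved baseline and a later snapshot
# in which an extra privilege-15 user and an ACL entry have appeared.
BASELINE_CONFIG = """\
username netops privilege 15 secret 9 REDACTED
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
"""
CURRENT_CONFIG = """\
username netops privilege 15 secret 9 REDACTED
username svc-backup privilege 15 secret 9 REDACTED
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp any any eq 57722
"""
MAX_HISTORY_BYTES = 1024 * 1024          # assumed threshold; tune per fleet
EXPECTED_SSH_PORTS = {22}                # ports the device is approved to listen on
LISTEN_RE = re.compile(r"sshd\[\d+\]: Server listening on \S+ port (\d+)")

def bash_history_anomalies(sizes, max_bytes=MAX_HISTORY_BYTES):
    """Flag accounts whose .bash_history is missing (possibly wiped) or unusually large."""
    findings = []
    for user, size in sizes.items():
        if size is None:
            findings.append((user, "missing"))
        elif size > max_bytes:
            findings.append((user, "oversized"))
    return findings

def nonstandard_ssh_ports(lines, expected=EXPECTED_SSH_PORTS):
    """Return SSH listening ports seen in the log that are not on the approved list."""
    ports = set()
    for line in lines:
        m = LISTEN_RE.search(line)
        if m and int(m.group(1)) not in expected:
            ports.add(int(m.group(1)))
    return sorted(ports)

def config_additions(baseline, current):
    """Config lines present in the current snapshot but absent from the baseline."""
    base = {l.strip() for l in baseline.splitlines() if l.strip()}
    return [l.strip() for l in current.splitlines() if l.strip() and l.strip() not in base]
```

In practice the inputs would come from a scheduled collector (file stats, syslog, and a config backup tool), and each finding would be compared against an approved change record before alerting.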
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 20 Feb 2025 16:15:22 +0000