Salt Typhoon Hackers Use JumbledPath to Spy on U.S. Telecom Networks
A Chinese state-sponsored hacking group, Salt Typhoon (also known as Earth Estries, GhostEmperor, and UNC2286), has been identified using a custom utility called JumbledPath to stealthily monitor network traffic and capture sensitive data in cyberattacks on U.S. telecommunication providers.
Salt Typhoon’s Cyber Espionage Campaign
Salt Typhoon, a sophisticated cyber threat group active since at least 2019, has primarily targeted government entities and telecommunications companies. Recently, U.S. authorities confirmed that the group was behind several breaches of major telecommunications service providers, including Verizon, AT&T, Lumen Technologies, and T-Mobile.
Further investigations revealed that Salt Typhoon successfully tapped into private communications of certain U.S. government officials, stealing critical information, including details related to court-authorized wiretapping requests.
In a report last week, Recorded Future's Insikt Group disclosed that Salt Typhoon targeted over 1,000 Cisco network devices, with more than half of these located in the U.S., South America, and India, between December 2024 and January 2025.
Cisco Talos Uncovers Years-Long Intrusions
Cisco Talos has now provided additional insights into the attack campaign, revealing that Salt Typhoon's breaches of major U.S. telecommunications companies lasted up to three years in some cases.
Salt Typhoon’s Tactics
Cisco’s analysis found that Salt Typhoon primarily infiltrated core networking infrastructure through stolen credentials. While there was one documented case of exploiting the Cisco CVE-2018-0171 vulnerability, no other zero-day or known vulnerabilities were leveraged in this campaign.
"No new Cisco vulnerabilities were discovered during this campaign," stated Cisco Talos. "While some reports suggest Salt Typhoon exploited three other known Cisco vulnerabilities, we have found no evidence to confirm these claims."
Although Salt Typhoon relied on stolen credentials for initial access, the method of obtaining these credentials remains unclear. Once inside, the attackers expanded their access by:
Extracting additional credentials from network device configurations.
Intercepting authentication traffic (SNMP, TACACS, and RADIUS).
Exfiltrating device configurations via TFTP and FTP to facilitate lateral movement.
Leveraging weakly encrypted passwords and network mapping details.
To maintain persistence and evade detection, Salt Typhoon frequently pivoted between different networking devices, used compromised edge devices to access partner telecom networks, and modified network configurations. They enabled Guest Shell access, altered access control lists (ACLs), and created hidden accounts to maintain access.
JumbledPath: Salt Typhoon’s Custom Surveillance Tool
A critical component of Salt Typhoon's operations is their use of packet-capturing tools, including Tcpdump, Tpacap, Embedded Packet Capture, and their custom-built tool, JumbledPath.
How JumbledPath Works
JumbledPath is a Go-based ELF binary designed for x86_64 Linux-based systems, enabling it to run on various edge networking devices, including Cisco Nexus equipment. The tool allowed Salt Typhoon to:
Capture network traffic on targeted Cisco devices via a jump-host, making it appear as if requests originated from a trusted internal device.
Obfuscate the attacker’s true location.
Disable logging and clear existing logs to cover its tracks, complicating forensic investigations.
Mitigation and Detection Strategies
Cisco has issued several recommendations to detect and mitigate Salt Typhoon's activity, including:
Monitoring for unauthorized SSH activity on non-standard ports.
Tracking log anomalies, such as missing or abnormally large '.bash_history' files.
Inspecting for unexpected configuration changes.
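As an added illustration of those three checks (example code written for this article, not Cisco's or Talos's tooling), the script below runs them over constructed input: a Cisco IOS-style configuration excerpt plus a known-good baseline of the same device, and a constructed table of .bash_history file sizes from a Linux-based device. The 64 KiB size threshold and the `ip ssh port` line format are assumptions to tune for your own environment.

```python
import re

STANDARD_SSH_PORT = 22
BASH_HISTORY_MAX_BYTES = 64 * 1024  # assumption: tune per site

# Constructed known-good baseline (Cisco IOS-style excerpt, not a real device).
BASELINE_CONFIG = """\
hostname edge-rtr-01
ip access-list extended MGMT-IN
 permit tcp host 10.0.0.5 any eq 22
"""

# Constructed current config: SSH moved to a non-standard port and ACL widened.
CURRENT_CONFIG = """\
hostname edge-rtr-01
ip ssh port 2222 rotary 1
ip access-list extended MGMT-IN
 permit tcp host 10.0.0.5 any eq 22
 permit tcp any any eq 2222
"""

# Constructed .bash_history sizes in bytes for a Linux-based device; None = missing.
SAMPLE_HISTORY = {
    "/home/admin/.bash_history": 3120,
    "/home/netops/.bash_history": None,
    "/home/svc-backup/.bash_history": 5_000_000,
}

def find_nonstandard_ssh_ports(config):
    """Ports set with 'ip ssh port N ...' other than 22."""
    ports = re.findall(r"^ip ssh port (\d+)", config, flags=re.M)
    return [int(p) for p in ports if int(p) != STANDARD_SSH_PORT]

def find_history_anomalies(sizes, max_bytes=BASH_HISTORY_MAX_BYTES):
    """(path, reason) for each missing or oversized .bash_history."""
    return [(p, "missing" if s is None else "oversized")
            for p, s in sizes.items() if s is None or s > max_bytes]

def find_config_changes(baseline, current):
    """(added, removed) lines relative to the known-good baseline."""
    base, cur = set(baseline.splitlines()), set(current.splitlines())
    return sorted(cur - base), sorted(base - cur)

if __name__ == "__main__":
    print("non-standard SSH ports:", find_nonstandard_ssh_ports(CURRENT_CONFIG))
    print("history anomalies:", find_history_anomalies(SAMPLE_HISTORY))
    print("config drift (added, removed):", find_config_changes(BASELINE_CONFIG, CURRENT_CONFIG))
```

In practice the baseline would come from a configuration backup and the history sizes from a scheduled inventory job, with any hit routed to the SOC for review.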
Growing Threat to Edge Networking Devices
Over the past few years, Chinese threat actors have increasingly targeted edge networking devices to install custom malware that enables network surveillance, credential theft, and proxying attacks. These campaigns have affected major networking equipment manufacturers, including:
Fortinet
Barracuda
SonicWall
Check Point
D-Link
Cisco
Juniper
NetGear
Sophos
While some of these attacks exploit zero-day vulnerabilities, many are executed using compromised credentials or outdated vulnerabilities. As a result, security experts urge administrators to apply security patches to edge networking devices as soon as they become available to mitigate the risk of intrusion.