Chinese state-sponsored hackers, Salt Typhoon, used the JumbledPath utility in their attacks against US telecommunication providers to stealthily monitor network traffic and potentially steal sensitive data, a new Cisco report revealed.
In the report published by Cisco Talos on February 20, the researchers confirmed Salt Typhoon gained access to core networking infrastructure through Cisco devices and then used that infrastructure to collect a variety of information.
Salt Typhoon's typical approach to gaining initial access to Cisco devices was to obtain legitimate victim login credentials, relying on living-off-the-land (LOTL) techniques on the network devices themselves.
One of the main revelations of the report was that Salt Typhoon used JumbledPath, a custom-built utility allowing the threat actor to execute a packet capture on a remote Cisco device through an actor-defined jump host.
Salt Typhoon Techniques, Tactics and Procedures
According to Cisco Talos, Salt Typhoon used stolen credentials and actively tried to steal more by targeting weak password storage, network device configurations and capturing authentication traffic.
The group stole device configurations, often via TFTP/FTP, to gain access to sensitive information like SNMP strings and weakly encrypted passwords, which could then be easily decrypted, and to understand network topology for further attacks.
JumbledPath, a utility written in Go and compiled as an ELF binary using an x86-64 architecture, was found in actor-configured Guest Shell instances on Cisco Nexus devices.
Guest Shell is a Linux-based virtual environment that runs on Cisco devices and allows users to execute Linux commands and utilities.
JumbledPath was also used to modify network device configurations, attempt to clear logs, impair logging along the jump path and return the resulting compressed, encrypted capture via another unique series of actor-defined connections, or jumps.
“This allowed the threat actor to create a chain of connections and perform the capture on a remote device,” the Talos researchers said.
“The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure.”
The group then moved laterally within compromised networks and between different telecom providers, using compromised devices as stepping stones to reach other targets and avoid detection.
Finally, the threat actor repeatedly cleared relevant logs to obfuscate their activities, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable. In many cases, shell access was restored to a normal state by using the “guestshell disable” command.
The threat actor modified authentication, authorization and accounting (AAA) server settings with supplemental addresses under their control to bypass access control systems.
Cisco Vulnerability Exploit Unrelated to Salt Typhoon
During their investigations, the Talos researchers found additional targeting of Cisco devices with the abuse of CVE-2018-0171, a legacy vulnerability in the Smart Install (SMI) feature of Cisco IOS and Cisco IOS XE software.
However, the researchers noted that this activity appears to be unrelated to the Salt Typhoon operations.
“We have not yet been able to attribute it to a specific actor. The IP addresses provided as observables below are associated with this potentially unrelated SMI activity,” they added.
Salt Typhoon Mitigation Recommendations
Following their investigations, the Talos researchers provided a list of Cisco-specific security threat mitigation recommendations. These include:
- Disabling the underlying non-encrypted web server using the “no ip http server” command. If web management is not required, disable all of the underlying web servers using the “no ip http server” and “no ip http secure-server” commands
- Disabling telnet and ensuring it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none.”
- Disabling the guestshell access (if not necessary) using “guestshell disable” for those versions which support the guestshell service
- Disabling Cisco’s Smart Install service using “no vstack”
- Using type 8 passwords for local account credential configuration
- Using type 6 for TACACS+ key configuration
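As an added illustration (not code from the Talos report or from Cisco), the following Python audit scans a saved IOS/IOS XE running-config for the weak settings the list above targets and reports what to change; the sample config and its placeholder password and key strings are constructed, and the TACACS+ key check is a heuristic on indented “key N …” lines.

```python
import re

# Constructed sample running-config showing the weak state the report warns about.
SAMPLE_CONFIG = """\
username admin password 7 EXAMPLETYPE7STRING
ip http server
vstack
tacacs server isp
 key 0 PlainTextKey
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
 transport output none
"""

def audit_config(config: str) -> list:
    """Return findings against the Talos mitigations; an empty list means all checks passed."""
    findings = []
    lines = config.splitlines()
    if any(l.strip() == "ip http server" for l in lines):
        findings.append("ip http server enabled: apply 'no ip http server'")
    if any(l.strip() == "vstack" for l in lines):
        findings.append("Smart Install enabled: apply 'no vstack'")
    # Local accounts: only type 8 (PBKDF2-SHA256) is acceptable; type 7 is reversible.
    for m in re.finditer(r"^username (\S+) (?:secret|password) (\d) ", config, re.M):
        if m.group(2) != "8":
            findings.append(f"user {m.group(1)} uses type {m.group(2)} password; use type 8")
    # TACACS+ key: type 6 (AES) expected; heuristic match on indented 'key N ...' lines.
    for m in re.finditer(r"^\s+key (\d) ", config, re.M):
        if m.group(1) != "6":
            findings.append(f"TACACS+ key type {m.group(1)}; use type 6")
    # Every VTY stanza must carry 'transport input ssh' and 'transport output none'.
    vty, stanza = {}, None
    for l in lines:
        if l.startswith("line vty"):
            stanza = l.strip()
            vty[stanza] = {}
        elif not l.startswith(" "):
            stanza = None  # any other top-level command ends the stanza
        elif stanza and l.strip().startswith(("transport input ", "transport output ")):
            _, direction, value = l.strip().split(" ", 2)
            vty[stanza][direction] = value
    for name, t in vty.items():
        if t.get("input") != "ssh":
            findings.append(f"{name}: transport input is {t.get('input')!r}, expected 'ssh'")
        if t.get("output") != "none":
            findings.append(f"{name}: transport output is {t.get('output')!r}, expected 'none'")
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports six findings for the sample, including the “vty 0 4” stanza that still accepts telnet while “vty 5 15” passes; the guestshell recommendation is an operational command rather than a config line, so it is not covered here.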