- Cisco reveals that Salt Typhoon used CVE-2018-0171 to breach target networks
- The attackers first needed valid login credentials
- The attackers are highly sophisticated and well funded, Cisco said
Salt Typhoon, the state-sponsored threat actor, was abusing a vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software to compromise US telecommunications networks, experts have confirmed.
In a new blog post, Cisco said it found evidence of Salt Typhoon abusing CVE-2018-0171, a 9.8/10 (critical) vulnerability that allows threat actors to execute arbitrary code on an affected device.
“The threat actor demonstrated its ability to persist in target environments across multiple vendors’ equipment for extended periods, maintaining access in one case for more than three years,” Cisco Talos said.
Large-scale espionage
The researchers described the threat actors as “highly sophisticated” and “well funded”, adding: “The long timeline of this campaign suggests a high degree of coordination, planning and patience: standard hallmarks of advanced persistent threat (APT) and state-sponsored actors.”
In order to exploit this vulnerability, Salt Typhoon first needed valid login credentials, which it was somehow able to acquire. The researchers have their suspicions about how: “In addition, we have observed the threat actor capturing SNMP, TACACS and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers,” Cisco said. “The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.”
At the end of October 2024, the FBI and CISA warned that Salt Typhoon had breached multiple major US telecommunications providers.
The statement said: “The United States government is investigating unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.”
As the investigation progressed, in December 2024 researchers found that at least eight major US telecommunications providers had been breached, including T-Mobile, Verizon, AT&T and Lumen Technologies, along with countless others worldwide.
Via The Hacker News