Salt Typhoon Cyber Attacks: A Wake-Up Call for Cybersecurity

Are you prepared?

The recent cyber attacks by the state-sponsored group known as Salt Typhoon have sent shockwaves through the cybersecurity community. This sophisticated campaign, linked to the Chinese hacking group Sichuan Juxinhe Network Technology, has compromised several major U.S. telecommunications providers, including T-Mobile, AT&T, Verizon, and Lumen. The attackers exploited systemic weaknesses in edge devices and lawful intercept systems, leveraging unpatched flaws in products from Sophos, Microsoft, Ivanti, and Fortinet. This breach highlights the inherent risks of backdoors and the necessity of adopting transformative security strategies.

Key Vulnerabilities Exploited by Salt Typhoon

  • Overlooked Vulnerabilities: Legacy devices, often neglected for updates, became primary targets. Two older Cisco vulnerabilities, one affecting the Smart Install feature of IOS and IOS-XE and a critical privilege escalation flaw on unpatched Cisco devices (CVE-2018-0171 and CVE-2023-20198 respectively), were seen in the wild in attacks by the Chinese-backed threat group. According to a blog post by GreyNoise, 110 malicious IP addresses were observed originating from Bulgaria, Brazil, and Singapore. In addition, other vendors such as Sophos, Microsoft, Ivanti, and Fortinet were also targeted.

  • Weak Edge Security: Poorly managed edge devices with privileged access exposed networks. Misconfigurations, such as leaving Cisco Smart Install enabled (it is turned off with the no vstack command), can be quite a blunder. Cisco SMI lacks authentication for its operations, which allows an attacker to pose as a director and send commands to client devices. Buffer overflows triggered by specially crafted packets sent to TCP port 4786 can also allow attackers to execute arbitrary code on a device and potentially take full control of it.

  • Insufficient Observability: A lack of robust monitoring enabled prolonged, undetected access. The inability to effectively monitor and detect activity within a network poses serious security risks, allowing threat actors to go undetected for extended periods. This is where investing in a modern security information and event management (SIEM) system and using endpoint detection and response (EDR) solutions to monitor endpoint activity plays a crucial role in today’s threat landscape.

  • Reactive Postures: Compliance-driven approaches overshadowed proactive defense mechanisms. Organizations may prioritize meeting compliance requirements over building a robust security infrastructure, but focusing solely on compliance can lead to a “checkbox mentality” where the goal is to satisfy minimum standards rather than achieve optimal security.

  • Credential Theft: Salt Typhoon obtained legitimate login credentials, allowing them to persist in target environments for extended periods. They intercepted network traffic to steal credentials used in protocols like SNMP, TACACS, and RADIUS; these protocols often carry sensitive authentication information, which the attackers could capture and reuse. They also exfiltrated device configurations that contained sensitive authentication material, such as SNMP read/write community strings and local accounts with weak password encryption. These configurations were often transferred over protocols like TFTP and FTP.

  • Advanced Techniques: The group's use of sophisticated tactics, such as leveraging lawful intercept systems and reconfiguring network devices, demonstrated a deep understanding of their targets.
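As an added example (not code from this post or from Smart Tech Networx), a small Python audit of a constructed Cisco IOS running-config for the weaknesses described under Weak Edge Security and Credential Theft above: Smart Install left enabled, SNMP read/write and default community strings, reversible type 7 passwords, telnet on the vty lines, and an exposed web UI. The config, its values and the check names are all the example's own.

```python
import re

# Constructed sample Cisco IOS running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable password 7 0822455D0A16
username admin privilege 15 password 7 094F471A1A0A
username netops secret 9 $9$placeholderhash
snmp-server community public RO
snmp-server community netmgmt RW
ip http server
line vty 0 4
 transport input telnet ssh
end
"""

def audit_ios_config(config):
    """Return {check_name: [details]} for the config weaknesses the post describes."""
    lines = [l.strip() for l in config.splitlines()]
    findings = {}
    def add(check, detail):
        findings.setdefault(check, []).append(detail)
    # Smart Install (TCP 4786) stays reachable unless it is explicitly turned off.
    if "no vstack" not in lines:
        add("smart_install_enabled", "add 'no vstack' to disable Smart Install")
    for line in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", line, re.I)
        if m:
            name, mode = m.group(1), m.group(2).upper()
            if mode == "RW":
                add("snmp_rw_community", f"'{name}' allows configuration writes")
            if name.lower() in ("public", "private"):
                add("snmp_default_community", f"'{name}' is a well-known default string")
        # 'password' stores plaintext (type 0) or reversible type 7; 'secret' stores a hash.
        m = re.search(r"\bpassword (?:(\d+) )?\S+$", line)
        if m and m.group(1) in (None, "0", "7"):
            add("reversible_password", f"'{line.split()[0]}' uses type {m.group(1) or '0'}; use 'secret'")
        if line in ("ip http server", "ip http secure-server"):
            add("web_ui_enabled", f"'{line}' exposes the web UI; restrict or disable it")
        if line.startswith("transport input") and "telnet" in line.split():
            add("telnet_enabled", "vty accepts telnet; credentials cross the wire in cleartext")
    return findings

if __name__ == "__main__":
    for check, details in audit_ios_config(SAMPLE_CONFIG).items():
        print(f"[{check}] " + "; ".join(details))
```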

Mitigation Strategies for Businesses: Don’t Be the Next Victim

Now more than ever, businesses are realizing that the “status quo” is no longer sufficient to protect their assets. Focusing on mitigation strategies is essential for businesses to safeguard against sophisticated cyber attacks like those orchestrated by Salt Typhoon. Mitigation strategies are crucial for businesses to protect their data, ensure continuity, avoid financial losses, meet legal obligations, preserve their reputation, stay ahead of threats, enhance competitive advantage, support industry security, and foster a culture of continuous improvement. By taking a proactive approach to cybersecurity, businesses can significantly reduce their risk of falling victim to sophisticated cyber attacks.

To prevent becoming victims of similar attacks, businesses can adopt the following strategies:

  1. Adopt Zero Trust Architectures: Enforce continuous verification of users and devices, employ micro-segmentation for critical assets, and encrypt all data in transit.

  2. Secure Edge Devices: Conduct regular inventory and updates of edge devices, mandate multifactor authentication (MFA) for access, and deploy intrusion detection and prevention systems at network perimeters.

  3. Enhance Threat Detection and Observability: Use AI-driven analytics for anomaly detection, integrate threat intelligence feeds for early warning, and establish deep packet inspection capabilities to identify malicious activity.

  4. Foster Public-Private Collaboration: Align with CISA guidelines, actively share threat intelligence, invest in public-private partnerships to advance security tool innovation, and develop unified frameworks for incident response and recovery.

  5. Prioritize Cybersecurity Talent Development: Build training pipelines for skilled cybersecurity professionals and incentivize continuous learning and development.

By implementing these strategies, businesses can significantly reduce their risk of falling victim to sophisticated cyber attacks like those orchestrated by Salt Typhoon.

At Smart Tech Networx we can help you establish these strategies in your organization, from implementing a zero trust network and securing edge devices and network equipment with security best practices to deploying endpoint detection and response and a security information and event management (SIEM) system. Head over to our contact page and get in touch to see how we can help.
