Cybersecurity researchers have provided new insights into the tactics, techniques and procedures (TTPs) used by Salt Typhoon during its 2024 attack on U.S. telecommunications service providers (TSPs).
The researchers revealed that Salt Typhoon gained initial access to the target’s network primarily by using stolen credentials or, in one case, by exploiting a six-year-old vulnerability in a Cisco router. Once inside the network, Salt Typhoon extracted credentials by intercepting authentication traffic and used them to facilitate lateral movement. They also modified network configurations to enable Guest Shell access for command execution, alter access control lists, and create hidden accounts to maintain persistent access and evade detection.
Salt Typhoon deployed a custom backdoor named 'JumbledPath' to covertly monitor network traffic and capture sensitive data across various edge networking devices. JumbledPath facilitates packet capture on compromised devices via a jump-host, making capture requests appear as if they originate from trusted internal systems, thereby masking the attackers' true location. Additionally, it can disable logging and erase existing logs to hinder forensic investigations.
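The configuration-side behaviours described above (Guest Shell enablement, access control list edits, hidden privileged accounts, and logging switched off) are all changes a defender can flag from device configuration-change logs. The following is an added example, not code from Bleeping Computer, Field Effect, or the original researchers: a small Python detector run over constructed Cisco IOS-style syslog lines. The log shape (the `%PARSER-5-CFGLOG_LOGGEDCMD` message emitted when configuration command logging is enabled), the hostnames, usernames, addresses, and the escalation threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample syslog lines (not real device output). The shape follows the
# Cisco IOS/IOS XE %PARSER-5-CFGLOG_LOGGEDCMD message produced when configuration
# command logging is enabled; hostnames, users and addresses are placeholders.
SAMPLE_LOGS = """\
Feb 20 10:01:02 edge-rtr-01 123: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:interface GigabitEthernet0/0/1
Feb 20 10:01:03 edge-rtr-01 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:description uplink-to-core
Feb 20 23:14:55 edge-rtr-01 301: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup logged command:iox
Feb 20 23:15:10 edge-rtr-01 302: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup logged command:username sysmon privilege 15 secret 0 PLACEHOLDER
Feb 20 23:15:40 edge-rtr-01 303: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup logged command:ip access-list extended MGMT-IN
Feb 20 23:15:41 edge-rtr-01 304: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup logged command:permit ip host 198.51.100.23 any
Feb 20 23:16:02 edge-rtr-01 305: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup logged command:no logging host 10.0.0.5
Feb 20 23:16:05 edge-rtr-01 306: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup logged command:no logging buffered
"""

# Parses timestamp, hostname, user and the logged command out of one line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) logged command:(?P<cmd>.*)$"
)

# Detection rules keyed to the behaviours the article attributes to Salt Typhoon.
# "iox" is the config-mode prerequisite for Guest Shell on IOS XE; "guestshell
# enable" itself is an EXEC command and would normally surface through AAA
# command accounting rather than config-change logging, so both are matched.
RULES = [
    ("guest_shell_enabled", re.compile(r"^(iox|guestshell\s+enable)\b"), "high"),
    ("local_account_added", re.compile(r"^username\s+\S+\s+.*privilege\s+15\b"), "high"),
    ("acl_modified", re.compile(r"^(ip\s+)?access-list\b|^(permit|deny)\s"), "medium"),
    ("logging_disabled", re.compile(r"^no\s+logging\b"), "high"),
]


@dataclass
class Finding:
    host: str
    user: str
    timestamp: str
    rule: str
    severity: str
    command: str


def parse_line(line):
    """Return a dict of ts/host/user/cmd for a config-command log line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Return (rule name, severity) for every rule the logged command triggers."""
    return [(name, sev) for name, rx, sev in RULES if rx.search(cmd)]


def detect(log_text):
    """Run every rule over every parseable line and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        for name, sev in classify(ev["cmd"]):
            findings.append(Finding(ev["host"], ev["user"], ev["ts"], name, sev, ev["cmd"]))
    return findings


def correlate_by_user(findings, min_distinct_rules=3):
    """Escalate (host, user) pairs that trip several distinct rule types.

    A single ACL edit is routine change management; the same account enabling
    Guest Shell, adding a privilege-15 user and turning off logging on one box
    is the combination the article describes. The threshold is an assumption.
    """
    seen = defaultdict(set)
    for f in findings:
        seen[(f.host, f.user)].add(f.rule)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for h in hits:
        print(f"{h.timestamp} {h.host} user={h.user} [{h.severity}] {h.rule}: {h.command}")
    for (host, user), rules in correlate_by_user(hits).items():
        print(f"ESCALATE {host} {user}: {', '.join(rules)}")
```

Because the same actor disables local logging as one of its last steps, this only works if configuration-change logging and AAA command accounting are already being shipped to a remote collector the device cannot silence; a detector reading the device's own buffer would see the changes disappear along with the buffer.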
Source: Bleeping Computer
Analysis
Salt Typhoon is a Chinese state-sponsored advanced persistent threat (APT) group infamous for its compromise of multiple large U.S.-based TSPs and internet service providers (ISPs), including Verizon, AT&T, Lumen Technologies, and T-Mobile. It’s believed that because of this compromise, Salt Typhoon was able to tap into the private communications of some U.S. government officials and steal information related to court-authorized wiretapping requests.
The revelation that Salt Typhoon leveraged leaked credentials for its telecom campaign underscores a fundamental truth in cybersecurity: even the most advanced threat actors do not need sophisticated methods if simple ones suffice. While defenders invest in advanced detection systems, the most effective breaches still often exploit basic security oversights or human nature. This serves as a reminder that robust identity and access management is just as critical as defending against technical exploits. Addressing these foundational security gaps remains one of the most effective strategies against both sophisticated APTs and less advanced threat actors alike.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from nation-state threat actors like Salt Typhoon. Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends organizations adopt dark web monitoring, which is included as part of Field Effect MDR, to proactively uncover leaked credentials and personal information before threat actors can use them to facilitate access to their network.