In addition to using CVE-2018-0171 and other Cisco bugs to break into telecom networks, the China-sponsored APT is also using stolen login credentials for initial access.

Following research reports last week that Salt Typhoon, the Chinese threat actor known for spying on communications networks, exploited a Cisco vulnerability to infiltrate major US telecommunications providers last fall — including T-Mobile, AT&T, and Verizon — the networking giant has confirmed the activity and offered details on two main attack vectors.

Cisco Talos researchers said the attack vectors included exploiting an older security vulnerability tracked as CVE-2018-0171, and using stolen login credentials to gain access to the infrastructure.

The threat actor was able to maintain access to these compromised environments for extended periods of time, in one instance for over three years, the researchers said, paving the way for configuration exfiltration, infrastructure pivoting, and configuration modification.

Though no new Cisco vulnerabilities have been discovered in the campaign, Cisco said it is also receiving reports that Salt Typhoon is abusing at least three other known Cisco vulnerabilities: CVE-2023-20198, CVE-2023-20273, and CVE-2024-20399. Users should patch these immediately.

The attribution to Salt Typhoon hinges on a few clues, according to Cisco Talos. “There are several reasons to believe this activity is being carried out by a highly sophisticated, well-funded threat actor, including the targeted nature of this campaign, the deep levels of developed access into victim networks, and the threat actor’s extensive technical knowledge,” said the researchers. “Furthermore, the long timeline of this campaign suggests a high degree of coordination, planning, and patience — standard hallmarks of advanced persistent threat (APT) and state-sponsored actors.”


Source : https://www.darkreading.com/cyber-risk/cisco-salt-typhoon-exploitation-telecom