Malware, Threat Intelligence, Vulnerability Management, Critical Infrastructure Security

Novel malware leveraged in Salt Typhoon attacks against US telcos

Chinese cyber threat

Major U.S. telecommunications firms have been compromised by the Chinese state-backed threat group Salt Typhoon, which used the novel JumbledPath utility for network traffic monitoring and data exfiltration as part of its multi-year cyberespionage campaign, BleepingComputer reports.

Although Salt Typhoon, also known as UNC2286, GhostEmperor, and Earth Estries, exploited the Cisco IOS vulnerability tracked as CVE-2018-0171 in one of the intrusions, it mostly relied on stolen credentials for initial compromise, according to an analysis from Cisco Talos. Initial access was followed by the exfiltration of credentials from network device configurations and by alterations to those configurations that enabled command execution and the creation of concealed accounts.

Further network activity tracking and data theft were enabled by several packet-capturing tools and by JumbledPath, which used a jump host to intercept packets on a targeted Cisco device while concealing the attackers' location. These findings follow a report from Recorded Future's Insikt Group noting that more than 1,000 vulnerable Cisco devices worldwide had been targeted by Salt Typhoon.

"While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims," said Cisco Talos.
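The configuration changes described above (new local accounts, settings that widen remote command execution, reduced logging) are the kind of thing a defender can catch by diffing a device's running configuration against a known-good baseline. The script below is an added example, not code from the article, Cisco Talos, or BleepingComputer. Both configs are constructed samples, the `$9$...` secrets are placeholders, and the patterns it flags are generic Cisco IOS hardening checks chosen for illustration, not indicators taken from the Salt Typhoon report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configs (not real device output). CURRENT_CONFIG contains
# the kinds of changes the article describes: an added privilege-15 account,
# services that expand remote command execution, and a removed syslog target.
BASELINE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
aaa new-model
logging host 10.0.0.5
snmp-server community ro-only RO
line vty 0 4
 transport input ssh
"""

CURRENT_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder2
aaa new-model
snmp-server community ro-only RO
ip http server
line vty 0 4
 transport input ssh telnet
"""

# Generic checks on ADDED lines (illustrative, not report indicators).
SUSPICIOUS_ADDED: List[Tuple[str, str]] = [
    (r"^username \S+ privilege 15", "new privilege-15 local account"),
    (r"^ip http server", "HTTP management server enabled"),
    (r"^snmp-server community \S+ RW", "read-write SNMP community added"),
    (r"^transport input .*telnet", "telnet permitted on a terminal line"),
]

# Generic checks on REMOVED lines: losing these reduces visibility or control.
SUSPICIOUS_REMOVED: List[Tuple[str, str]] = [
    (r"^logging host", "syslog destination removed"),
    (r"^aaa new-model", "AAA disabled"),
]


def diff_config(baseline: str, current: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) lines, ignoring blank lines and trailing space.

    Order-insensitive on purpose: IOS reorders some sections on save, and we
    care about what changed, not where it moved.
    """
    base = [ln.rstrip() for ln in baseline.splitlines() if ln.strip()]
    cur = [ln.rstrip() for ln in current.splitlines() if ln.strip()]
    added = [ln for ln in cur if ln not in base]
    removed = [ln for ln in base if ln not in cur]
    return added, removed


def audit(baseline: str, current: str) -> List[Dict[str, str]]:
    """Diff two configs and flag changes matching the generic checks above."""
    added, removed = diff_config(baseline, current)
    findings: List[Dict[str, str]] = []
    for line in added:
        for pattern, why in SUSPICIOUS_ADDED:
            if re.search(pattern, line.strip()):
                findings.append({"change": "added", "line": line.strip(), "why": why})
    for line in removed:
        for pattern, why in SUSPICIOUS_REMOVED:
            if re.search(pattern, line.strip()):
                findings.append({"change": "removed", "line": line.strip(), "why": why})
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"[{f['change']:7}] {f['why']}: {f['line']}")
```

Run against the two constructed configs, the audit reports four findings: the new `svc_backup` account, `ip http server`, telnet added to the VTY line, and the removed syslog host. In practice the baseline would come from a config backup taken before the suspected intrusion window, and any hit should be reconciled against change tickets before being treated as an incident.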
