Full Report
Cisco has confirmed that a Chinese threat actor known as Salt Typhoon gained access by likely abusing a known security flaw tracked as CVE-2018-0171, and by obtaining legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies. "The threat actor then demonstrated their ability to persist in target environments across equipment from multiple
Analysis Summary
# Incident Report: Salt Typhoon Exploitation of U.S. Telecom Networks via CVE-2018-0171
## Executive Summary
The Chinese threat actor known as Salt Typhoon conducted a sophisticated, long-term campaign targeting major U.S. telecommunications companies. Initial access was gained by exploiting the known vulnerability CVE-2018-0171 and utilizing valid, stolen victim credentials. This highly patient operation resulted in persistence lasting over three years in some cases, leveraging living-off-the-land techniques on network devices for reconnaissance and lateral movement.
## Incident Details
- **Discovery Date:** Not stated; the activity was confirmed by Cisco Talos analysis (article dated Feb 21, 2025).
- **Incident Date:** Campaign observed spanning extended periods, with one instance of persistence lasting over three years.
- **Affected Organization:** Major U.S. telecommunications companies.
- **Sector:** Telecommunications.
- **Geography:** United States.
## Timeline of Events
### Initial Access
- **Date/Time:** Predates Cisco's public confirmation (Feb 2025).
- **Vector:** Likely exploitation of **CVE-2018-0171** (a remote code execution flaw in the Smart Install feature of Cisco IOS and IOS XE Software) combined with **stolen, legitimate victim login credentials**.
- **Details:** How the credentials were first obtained is unknown; the actor was also observed harvesting credentials from device configurations and weak local passwords.
### Lateral Movement
- Attackers moved through networks by leveraging **living-off-the-land (LOTL) techniques** on network devices, using trusted infrastructure as pivot points to move between telecom environments.
- They altered network configurations to create local accounts, enable **Guest Shell access**, and facilitate remote SSH access.
### Data Exfiltration/Impact
- Attackers captured **SNMP, TACACS, and RADIUS traffic**, including secret keys, with the intent to enumerate further credential details for follow-on exploitation.
- Cisco noted exfiltration activity in which compromised network devices served as intermediate relays for outbound data.
### Detection & Response
- **Detection:** Confirmed via analysis by Cisco Talos.
- **Response actions taken:** Not explicitly detailed in the provided text, beyond the analysis confirming the persistent threat activity.
## Attack Methodology
- **Initial Access:** Exploitation of **CVE-2018-0171** and use of stolen, valid credentials.
- **Persistence:** Maintaining network presence for extended periods (up to three years) by abusing trusted network device infrastructure.
- **Privilege Escalation:** Not explicitly detailed; creating local accounts and enabling Guest Shell both require privileged configuration access on the device, so the actor held that level of access.
- **Defense Evasion:** Using LOTL techniques; deploying a bespoke utility named **JumbledPath** (a Go-based ELF binary) capable of executing remote packet captures and, crucially, **clearing logs** (`.bash_history`, `auth.log`, `lastlog`, `wtmp`, `btmp`) to obfuscate traces.
- **Credential Access:** Capturing SNMP, TACACS, and RADIUS traffic, including secret keys. Also targeted network device configurations and weak local accounts.
- **Discovery:** Enumerating further credentials and reachable systems from captured authentication traffic and harvested device configurations.
- **Lateral Movement:** Pivoting between telecom environments using compromised network devices as intermediate relays.
- **Collection:** Capturing network protocol traffic (SNMP, TACACS, RADIUS) to gather secrets and credentials.
- **Exfiltration:** Utilizing compromised network devices as hops for outbound data transfers.
- **Impact:** Long-term unauthorized access and data harvesting capability within critical infrastructure.
## Impact Assessment
- **Financial:** Not quantified in the source material.
- **Data Breach:** Credentials, configuration details, and secret keys from monitoring/authentication protocols (SNMP, TACACS, RADIUS) were compromised.
- **Operational:** No service disruption is described in the source; the impact is sustained, unauthorized control of production network devices, lasting over three years in one documented instance.
- **Reputational:** Significant for the targeted U.S. telecom sector due to the APT-level sophistication involved.
## Indicators of Compromise
- **Network indicators:** None published in the source material (no IP addresses or domains). Remote packet captures were launched through actor-defined jump-hosts.
- **File indicators:** **JumbledPath** (Go-based ELF binary).
- **Behavioral indicators:** Abusing **CVE-2018-0171**; creating local user accounts on network devices; enabling Guest Shell; routine deletion of `.bash_history`, `auth.log`, `lastlog`, `wtmp`, and `btmp`.
## Response Actions
- **Containment measures:** Not detailed in the source; the findings imply patching CVE-2018-0171 and rotating every credential and shared secret (local passwords, TACACS+/RADIUS keys, SNMP community strings) that could have been captured in the affected environments.
- **Eradication steps:** Removing actor-created local accounts and custom utilities such as `JumbledPath`. Re-imaging compromised network devices from known-good software and configuration is likely necessary given the depth of persistence.
- **Recovery actions:** Restoring configuration integrity and ensuring all logging functionalities are operational and monitored.
## Lessons Learned
- **Key takeaways:** State-sponsored actors (APT-level threat) exhibit extreme patience, maintaining access for years in critical infrastructure. Exploitation of older, known vulnerabilities (CVE-2018-0171) remains a viable initial access vector if patching is incomplete. LOTL techniques severely complicate detection on specialized network devices.
- **What could have been done better:** Stronger credential hygiene (especially for TACACS/RADIUS secrets) and more robust configuration monitoring that detects unauthorized local account creation on network equipment.
## Recommendations
- Immediately review and patch all instances of **CVE-2018-0171** across the network inventory.
- Audit all network devices (routers, switches) for newly created local user accounts or unexpected Guest Shell enablement.
- Keep secrets out of recoverable form in device configurations: store local passwords as type 8/9 hashes rather than reversible type 7 encoding, encrypt TACACS+/RADIUS keys with type 6 (AES) key storage, prefer SNMPv3 over community strings, and treat any leaked configuration as a credential compromise.
- Forward device logs off-box (syslog, AAA accounting) so that on-device deletion of shell history and log files such as `auth.log`, `wtmp`, and `btmp` cannot erase the record, and alert when those files are truncated or removed.
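As an added example (not code from Cisco's report or the Talos investigation), the following Python script audits a constructed IOS/IOS XE running-config for the changes this report describes and the recommendations above call for: unexpected local accounts, Guest Shell/IOx enablement, vty lines reachable without an access-class, and secrets stored in recoverable form (type 7 passwords, cleartext or type 7 TACACS+/RADIUS keys, SNMP community strings). It also decodes type 7 strings, which shows why a harvested configuration yields credentials directly. The baseline account list, the sample configuration, and the stanza-matching rules are assumptions made for this illustration.

```python
import re

# Public Cisco "type 7" XOR key; its exposure is why type 7 is reversible.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Hypothetical baseline of local accounts the operator expects on this device.
BASELINE_USERS = {"netadmin", "monitor"}

# Constructed sample running-config (not a real device; the hashes are fake).
SAMPLE_CONFIG = """\
hostname core-rtr-01
!
username netadmin privilege 15 secret 9 $9$f4k3s4lt$f4k3h4sh
username monitor privilege 1 secret 9 $9$f4k3s4lt$f4k3h4sh2
username svc-backup privilege 15 password 7 0822455D0A16
!
iox
app-hosting appid guestshell
!
snmp-server community public RO
snmp-server community S3cr3tRW RW
!
tacacs server ISE-1
 address ipv4 10.0.0.5
 key 7 021205580A051C701E1D
!
radius server NPS-1
 address ipv4 10.0.0.6 auth-port 1812 acct-port 1813
 key Sup3rS3cret
!
line vty 0 4
 transport input ssh
!
end
"""


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two-digit seed, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
                   for i, b in enumerate(data))


def _stanzas(config: str):
    """Yield (top-level line, [indented child lines]) for each config stanza."""
    header, children = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            children.append(line.strip())
            continue
        if header is not None:
            yield header, children
        header, children = line.strip(), []
    if header is not None:
        yield header, children


def audit_config(config: str, baseline_users: set) -> dict:
    """Flag the changes the report attributes to the actor, plus any secret
    an attacker could recover from a copy of this configuration."""
    f = {"unexpected_users": [], "guestshell": False,
         "recoverable_secrets": [], "open_vty": []}
    for header, children in _stanzas(config):
        user = re.match(r"username (\S+)", header)
        if user:
            if user.group(1) not in baseline_users:
                f["unexpected_users"].append(user.group(1))
            p7 = re.search(r"password 7 (\S+)", header)  # reversible local password
            if p7:
                f["recoverable_secrets"].append(
                    (user.group(1), "type7", decode_type7(p7.group(1))))
        elif header == "iox" or header.startswith("app-hosting appid guestshell"):
            f["guestshell"] = True  # IOx / Guest Shell container enabled (IOS XE)
        elif header.startswith("snmp-server community "):
            f["recoverable_secrets"].append(("snmp", "cleartext", header.split()[2]))
        elif header.startswith(("tacacs server ", "radius server ")):
            name = header.split()[2]
            for child in children:
                k = re.match(r"key (?:(\d) )?(\S+)", child)
                if k and k.group(1) != "6":  # only type 6 (AES) keys are not recoverable
                    kind = "type7" if k.group(1) == "7" else "cleartext"
                    secret = decode_type7(k.group(2)) if kind == "type7" else k.group(2)
                    f["recoverable_secrets"].append((name, kind, secret))
        elif header.startswith("line vty"):
            if not any(c.startswith("access-class") for c in children):
                transport = next((c for c in children if c.startswith("transport input")),
                                 "transport input (default)")
                f["open_vty"].append((header, transport))  # remote login with no ACL
    return f


if __name__ == "__main__":
    for key, value in audit_config(SAMPLE_CONFIG, BASELINE_USERS).items():
        print(f"{key}: {value}")
```

Run against the sample, the audit reports `svc-backup` as an account outside the baseline, Guest Shell enabled, an SSH-reachable vty line with no access-class, and five recoverable secrets, including the type 7 local password and TACACS+ key decoded to cleartext. In practice, diff each device's running-config against a stored golden configuration rather than a hard-coded user set, and confirm container state on IOS XE with `show app-hosting list`, since `guestshell enable` is an EXEC command and the configuration-level evidence is the `iox` line and the `app-hosting appid guestshell` stanza.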