# Full Report
A report from Trend Micro details the highly sophisticated ways Salt Typhoon carries out its operations. The post Malware linked to Salt Typhoon used to hack telcos around the world appeared first on CyberScoop.
# Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
* **Identification:** Described by Trend Micro as one of "the most aggressive Chinese advanced persistent threat (APT) groups" currently in operation.
* **Known Aliases and Associated Groups:** Earth Estries, FamousSparrow, GhostEmperor, and UNC2286.
## Activity Summary
* The group is known for highly sophisticated cyber-espionage efforts, including the reported hack of several U.S. telecommunications companies.
* Malware linked to the group has been used to infiltrate other telecommunications companies and government entities globally.
* The operations focus on gaining access, deploying specific malware, and maintaining persistence within infiltrated systems.
## Tactics, Techniques & Procedures
* **Initial Access/Exploitation:** The group capitalizes on several known, publicly disclosed vulnerabilities:
  * Ivanti Connect Secure VPN ([CVE-2023-46805](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46805) and [CVE-2024-21887](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21887))
  * Fortinet FortiClient EMS SQL Injection Vulnerability ([CVE-2023-48788](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48788))
  * Sophos Firewall Code Injection ([CVE-2022-3236](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3236))
  * Microsoft Exchange ProxyLogon ([CVE-2021-26855](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855), [CVE-2021-26857](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26857), [CVE-2021-26858](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858), and [CVE-2021-27065](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27065))
* **Lateral Movement:** Uses legitimate administrative tools, such as `WMIC.exe` (the Windows Management Instrumentation Command-line utility) and PsExec, to move between hosts inside a compromised network.
* **Defense Evasion/Persistence:** Deploys sophisticated backdoors to remain hidden.
## Targeting
* **Sectors:** Telecommunications companies and government entities.
* **Geography:** Worldwide; the report specifically mentions the U.S., the Asia-Pacific region, the Middle East, and South Africa.
* **Victims:** Several unidentified U.S. telecommunications companies.
## Tools & Infrastructure
* **Malware Families Used (Backdoors):** GhostSpider (described as a multi-modular backdoor), SnappyBee, and Masol RAT.
* **Infrastructure:** The group operates an intricate Command and Control (C2) infrastructure managed by dedicated teams, which gives it resilience and lets it run several missions concurrently.
## Implications
Salt Typhoon conducts highly sophisticated cyber-espionage, leveraging zero-day or recently patched vulnerabilities immediately after disclosure. Their ability to maintain complex, segregated C2 infrastructure suggests significant resources and operational maturity, posing a sustained threat to critical infrastructure globally.
## Mitigations
* Prioritize patching the listed vulnerabilities, especially those related to VPNs and security solutions (Ivanti Connect Secure, Fortinet, Sophos, Microsoft Exchange).
* Monitor for the use of legitimate administrative tools (`WMIC.exe`, PsExec) for unauthorized lateral movement.
* Implement detection methodologies capable of identifying the specific backdoors associated with this actor (GhostSpider, SnappyBee, Masol RAT).
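The lateral-movement technique named under Tactics, Techniques & Procedures (`WMIC.exe` and PsExec) and the monitoring recommendation above both come down to the same detection logic. The following Python script is an added example written for this page, not code from Trend Micro, CyberScoop, or the report itself: it scans process-creation and service-install events for WMIC aimed at a remote node and for PsExec launches paired with the service they install on the destination host. The event records are constructed sample data, and their field layout (dicts shaped like parsed Sysmon Event ID 1 / Security 4688 and System 7045 entries) is an assumption made for the example.

```python
"""Added example (not from the Trend Micro report or the CyberScoop article):
detect the WMIC.exe / PsExec lateral-movement pattern this page attributes to
Salt Typhoon. Events are constructed records shaped like parsed Sysmon Event ID 1
or Security 4688 (process creation) and System 7045 (service install); that
field layout is an assumption made for this example."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str      # which detection fired
    host: str      # host where the event was recorded
    user: str
    target: str    # remote host the tool was aimed at (or the local host)
    evidence: str  # command line or service image path


# Patterns for the two administrative tools named on the page.
WMIC_IMAGE = re.compile(r"(^|[\\/])wmic\.exe$", re.IGNORECASE)
WMIC_NODE = re.compile(r'/node:\s*"?([^\s"]+)', re.IGNORECASE)
WMIC_EXEC = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)
PSEXEC_IMAGE = re.compile(r"(^|[\\/])psexec(64)?\.exe$", re.IGNORECASE)
PSEXEC_TARGET = re.compile(r"\\\\([^\s\\]+)")            # the \\HOST argument
PSEXEC_SERVICE = re.compile(r"psexesvc", re.IGNORECASE)  # PsExec's default service name
LOCAL_NODES = {".", "localhost", "127.0.0.1"}
PROCESS_EVENTS = (1, 4688)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WS01", "User": "CORP\\jdoe",            # benign local query
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic os get caption"},
    {"EventID": 1, "Host": "WS01", "User": "CORP\\jdoe",            # WMIC run against SRV02
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:SRV02 process call create "cmd.exe /c whoami"'},
    {"EventID": 4688, "Host": "WS01", "User": "CORP\\jdoe",         # PsExec client toward SRV03
     "Image": r"C:\Tools\PsExec64.exe", "CommandLine": r"PsExec64.exe \\SRV03 -s cmd.exe"},
    {"EventID": 7045, "Host": "SRV03", "User": "CORP\\jdoe",        # PsExec service on SRV03
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Host": "SRV03", "User": "SYSTEM",            # unrelated service install
     "ServiceName": "BackupAgent", "ImagePath": r"C:\Program Files\Backup\agent.exe"},
]


def detect_wmic_remote(ev):
    """WMIC.exe aimed at another host, or used to spawn a process through WMI."""
    if ev.get("EventID") not in PROCESS_EVENTS or not WMIC_IMAGE.search(ev.get("Image", "")):
        return None
    cmd = ev.get("CommandLine", "")
    node = WMIC_NODE.search(cmd)
    target = node.group(1) if node and node.group(1).lower() not in LOCAL_NODES else None
    if target is None and not WMIC_EXEC.search(cmd):
        return None  # local read-only query: routine admin use, not flagged
    host = ev.get("Host", "?")
    return Finding("wmic_remote_exec", host, ev.get("User", "?"), target or host, cmd)


def detect_psexec(ev):
    """PsExec client launch on the source host, or its service install on the destination."""
    eid = ev.get("EventID")
    host, user = ev.get("Host", "?"), ev.get("User", "?")
    if eid in PROCESS_EVENTS and PSEXEC_IMAGE.search(ev.get("Image", "")):
        cmd = ev.get("CommandLine", "")
        m = PSEXEC_TARGET.search(cmd)
        return Finding("psexec_client", host, user, m.group(1) if m else "?", cmd)
    if eid == 7045 and (PSEXEC_SERVICE.search(ev.get("ServiceName", ""))
                        or PSEXEC_SERVICE.search(ev.get("ImagePath", ""))):
        # PsExec can install its service under another name, which defeats this
        # match; correlate() pairs 7045 with the client-side launch for that reason.
        return Finding("psexec_service_install", host, user, host, ev.get("ImagePath", ""))
    return None


RULES = (detect_wmic_remote, detect_psexec)


def scan(events):
    """Run every rule over every event and collect the hits in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


def correlate(findings):
    """Pair a PsExec launch on a source host with the service install seen on its target."""
    installs = {f.host for f in findings if f.rule == "psexec_service_install"}
    return [(f.host, f.target) for f in findings
            if f.rule == "psexec_client" and f.target in installs]


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.rule:24} {h.host} -> {h.target} ({h.user}): {h.evidence}")
    print("lateral movement pairs:", correlate(hits))
```

On the sample data the first WMIC event (a local inventory query) is ignored, the remote `/node:` invocation and the PsExec launch are reported, and `correlate()` links the launch on WS01 to the PSEXESVC install on SRV03. Feeding real Sysmon or Security-log exports into `scan()` only requires mapping the exported fields onto the `EventID`, `Host`, `User`, `Image`, `CommandLine`, `ServiceName`, and `ImagePath` keys assumed here.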