GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks - #APT40
Chinese state-sponsored hackers, tracked as Salt Typhoon, have been exploiting vulnerabilities in U.S. telecom networks, primarily targeting Cisco devices. The group relied on old, unpatched flaws, stolen credentials, and living-off-the-land tactics to infiltrate major providers including T-Mobile, AT&T, and Verizon. Notably, they exploited CVE-2018-0171, a years-old vulnerability in Cisco's Smart Install feature, and in some cases maintained persistent access for up to three years. Salt Typhoon also employed more sophisticated techniques, including a custom tool called JumbledPath for remote packet capture, and pivoted through compromised infrastructure to evade detection. The campaign's longevity and scale point to a large-scale espionage effort carried out with significant planning and patience, and underline the need for robust security hygiene in the telecommunications sector, starting with patching or disabling legacy services such as Smart Install.
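Because CVE-2018-0171 is only reachable when Smart Install is enabled and listening on TCP/4786, the first practical check is whether that service is still on. The following is an added example, not code from GreyNoise, Cisco or the article: it parses the output of the IOS command `show vstack config` (the sample output below is constructed to match the format Cisco's advisory documents, with the role line reading "SmartInstall enabled" or "SmartInstall disabled") and optionally probes TCP/4786 on a host. The probe function and its timeout are assumptions for illustration; the remediation command `no vstack` is Cisco's documented way to disable the feature.

```python
import re
import socket

# Constructed sample outputs of `show vstack config`, in the format Cisco's
# Smart Install advisory shows. Real output may carry extra lines.
SAMPLE_ENABLED = """\
Role: Client (SmartInstall enabled)
Vstack Director IP address: 0.0.0.0
"""

SAMPLE_DISABLED = """\
Role: Client (SmartInstall disabled)
Vstack Director IP address: 0.0.0.0
"""

SMART_INSTALL_PORT = 4786  # TCP port used by the Smart Install protocol

ROLE_RE = re.compile(r"Role:\s*(?P<role>\w+)\s*\(SmartInstall\s+(?P<state>enabled|disabled)\)",
                     re.IGNORECASE)


def parse_vstack_config(output: str) -> dict:
    """Return {'role': ..., 'enabled': bool} from `show vstack config` output.

    Raises ValueError if the role line is missing, so a caller never silently
    treats an unparseable device as safe.
    """
    match = ROLE_RE.search(output)
    if not match:
        raise ValueError("no Smart Install role line found in output")
    return {
        "role": match.group("role").lower(),
        "enabled": match.group("state").lower() == "enabled",
    }


def remediation(parsed: dict) -> list:
    """Return the IOS commands an operator should apply for this device.

    Disabling the feature (`no vstack`) removes the attack surface even on
    devices that cannot be patched immediately.
    """
    if not parsed["enabled"]:
        return []
    return ["configure terminal", "no vstack", "end", "write memory"]


def port_4786_open(host: str, timeout: float = 2.0) -> bool:
    """Network probe (assumed helper): True if TCP/4786 accepts a connection.

    This only tells you the listener is reachable, not whether the device is
    vulnerable; pair it with the config check above.
    """
    try:
        with socket.create_connection((host, SMART_INSTALL_PORT), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for label, sample in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        parsed = parse_vstack_config(sample)
        print(label, parsed, remediation(parsed))
```

Run it against the saved output of `show vstack config` from each device in an inventory; any device that reports `enabled` should either be patched for CVE-2018-0171 and its successors or have Smart Install disabled with `no vstack`, and TCP/4786 should be blocked at the network edge regardless.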