Salt Typhoon: Exposing the Advanced Cyberattack on U.S. Telecom Networks

Learn how Chinese hackers deploy custom malware to target and infiltrate U.S. telecommunication networks.

Sunday 23 February, 2025

Salt Typhoon - Cyberware Hub

The Chinese state-sponsored hacking group Salt Typhoon, also known as Earth Estries, GhostEmperor, and UNC2286, has been targeting U.S. telecommunications providers since at least 2019. Recently, U.S. authorities confirmed that Salt Typhoon was behind several successful breaches of major telecom companies, including Verizon, AT&T, Lumen Technologies, and T-Mobile.

More recently, the group has used a custom tool called JumbledPath to discreetly monitor network traffic and capture sensitive information in attacks on U.S. telecommunication providers. This blog post explores the infection chain used by Salt Typhoon, with a focus on their exploitation of the CVE-2018-0171 vulnerability.

Exploitation of CVE-2018-0171:

CVE-2018-0171 is a vulnerability in the Smart Install feature of Cisco IOS and IOS XE Software. It allows an unauthenticated, remote attacker to trigger a reload of an affected device, causing a denial of service (DoS) condition, or to execute arbitrary code on the device. Salt Typhoon exploited this vulnerability to gain initial access to the targeted network.

CVE ID: CVE-2018-0171
CVSS v3.1 Score: 9.8 (Critical)

Affected Platforms: Cisco devices running vulnerable versions of IOS or IOS XE Software with the Smart Install client feature enabled. Smart Install director devices are not affected.

Impact: Enables remote attackers to cause a denial of service (DoS) or execute arbitrary code on affected devices by sending crafted Smart Install messages to TCP port 4786.

Exploitation Technique:

  • Initial Access: Salt Typhoon primarily gained initial access through stolen credentials. However, in at least one breach, they exploited the CVE-2018-0171 vulnerability in Cisco IOS and IOS XE Software's Smart Install feature.

  • Exploitation: They sent crafted Smart Install messages to TCP port 4786 on the affected devices. This allowed them to trigger a reload of the device, causing a denial of service (DoS) condition or executing arbitrary code.

  • Persistence: Once they gained access, they maintained persistent access by modifying system configurations and using advanced living-off-the-land (LOTL) techniques.

  • Data Exfiltration: They used a custom tool called JumbledPath to monitor network traffic and capture sensitive information. This tool created encrypted packet capture chains through compromised devices and systematically cleared logs to avoid detection.

JumbledPath Utility:

Salt Typhoon uses a custom tool called JumbledPath, which is written in Go and compiled as an ELF binary for x86-64 architecture. This utility is deployed in actor-configured Guest Shell instances on Cisco Nexus devices. Guest Shell is a Linux-based virtual environment on Cisco devices that allows the execution of Linux commands and utilities. 

JumbledPath is used to modify network device configurations, attempt to clear logs, impair logging along the jump path, and return the resulting compressed, encrypted capture by a separate method. The utility executes remote tcpdump sessions via SSH jump-hosts while systematically clearing logs.

/usr/bin/sshd -p 57722 # SSH daemon on high port for persistence
tpacap -i eth0 -w /tmp/capture.pcap # Cisco IOS XR packet capture
rm -f /var/log/auth.log /var/log/btmp # Log deletion
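As an added example (not code from the original post, Cisco or Talos), the following Python helpers turn the indicators above into defensive checks: one reviews a running-config excerpt for Cisco's Smart Install mitigation, the other scans flow records for TCP/4786 from outside the management network and for SSH to the 57722 port used by the sshd command shown. The config text, flow records and the 10.10.0.0/24 management network are constructed samples, and the check assumes the global `no vstack` command appears in the running configuration once applied.

```python
"""Defensive triage for the Salt Typhoon indicators discussed on this page.

Added example, not code from the original post, Cisco or Talos. The config
excerpt, flow records and management network below are constructed samples;
the Smart Install check assumes Cisco's mitigation, the global `no vstack`
command, appears in the running configuration once applied.
"""
import ipaddress
from dataclasses import dataclass

SMART_INSTALL_PORT = 4786   # TCP port that crafted Smart Install messages target
SUSPECT_SSHD_PORT = 57722   # high-port sshd seen in the JumbledPath command set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def smart_install_exposed(running_config: str) -> bool:
    """True when an IOS/IOS XE client config still has Smart Install enabled.
    The client is on by default, so only an explicit `no vstack` counts as safe."""
    lines = {ln.strip() for ln in running_config.splitlines()}
    return "no vstack" not in lines


def triage_flows(flows, trusted_mgmt="10.10.0.0/24"):
    """Flag flows matching the page's network indicators: Smart Install traffic
    from outside the management network, and SSH to the 57722 sshd port."""
    mgmt = ipaddress.ip_network(trusted_mgmt)
    findings = []
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.dport == SMART_INSTALL_PORT and ipaddress.ip_address(f.src) not in mgmt:
            findings.append((f, "Smart Install (TCP/4786) from outside mgmt network"))
        elif f.dport == SUSPECT_SSHD_PORT:
            findings.append((f, "SSH to non-standard port 57722 (JumbledPath indicator)"))
    return findings


# Constructed samples: a config with no Smart Install mitigation, three flows.
SAMPLE_CONFIG = "hostname edge-sw1\ninterface Vlan1\n ip address 10.10.0.5 255.255.255.0\n"
SAMPLE_FLOWS = [
    Flow("10.10.0.20", "10.10.0.5", 22),     # routine admin SSH, not flagged
    Flow("203.0.113.7", "10.10.0.5", 4786),  # external Smart Install probe
    Flow("10.10.0.5", "10.10.0.9", 57722),   # lateral SSH to the 57722 daemon
]
```

Running `triage_flows(SAMPLE_FLOWS)` flags the second and third flows only; appending `no vstack` to the sample config makes `smart_install_exposed` return False.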

JumbledPath Operational Workflow:

  • Gain access to a network device with the Guest Shell feature enabled.

  • Deploy the JumbledPath utility within the Guest Shell environment.

  • Alter network device configurations to facilitate packet capture and exfiltration.

  • Initiate remote tcpdump sessions via SSH jump-hosts to capture network traffic.

  • Store captured packets in temporary storage on the network device.

  • Systematically clear logs from the device to evade detection.

  • Compress and encrypt the captured packet data to ensure secure transmission.

  • Transmit the encrypted packet captures through multiple network hops to the Command-and-Control (C2) server.

  • Ensure that each network hop further obfuscates the data path to avoid detection.

Successful exploitation can result in:

  • Triggering a device reload.

  • Enabling the attacker to execute arbitrary code on the device.

  • Causing an indefinite loop on the device, which leads to a watchdog crash.

Conclusion:

Salt Typhoon's advanced tactics in exploiting CVE-2018-0171 and deploying the JumbledPath utility underscore the need for robust cybersecurity. Their ability to infiltrate and exfiltrate sensitive data from U.S. telecom providers highlights the importance of regular updates, thorough assessments, and employee education.

Staying vigilant against such threats is essential for protecting critical infrastructure from sophisticated cyberattacks.

Happy Hunting !!