Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.
WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor

Summary:
Salt Typhoon is identified by the United States Cybersecurity and Infrastructure Security Agency (CISA) as a state-sponsored threat actor that has compromised at least nine telecommunications companies headquartered in the United States, prioritizing government and political figures and other very high-profile targets. The group, also tracked under monikers such as FamousSparrow, GhostEmperor, Earth Estries, or UNC2286 in previously published reporting, is believed to conduct espionage with a particular focus on the telecommunications, government, and technology sectors worldwide. This advanced persistent threat (APT) group is known for combining known vulnerabilities, including Microsoft Exchange ProxyLogon (CVE-2021-26855) and Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887), to secure an initial foothold in a target. Its activities have resulted in major breaches of critical U.S. infrastructure and communication networks, affecting U.S. national security.

Security Officer Comments:
Salt Typhoon is a potent reminder that telecom infrastructure must be insulated against continuous intrusion attempts by state-backed attackers. By exploiting both known security flaws and zero-day vulnerabilities, Salt Typhoon has signaled the need for immediate patching and increased vigilance across sectors handling sensitive political and governmental data. Many of the vulnerabilities it actively exploits reflect an insufficiently proactive defensive posture worldwide, with dozens of companies still hosting these flaws long after a patch has been issued. This irregular patching creates fertile ground for a prolonged, stealthy, sophisticated campaign capable of long-term espionage, namely one run by a state-level actor.

MITRE ATT&CK Techniques Used by Salt Typhoon:

  • T1003.003 - OS Credential Dumping: NTDS: Salt Typhoon may use this technique to dump credentials from domain controllers.
  • T1021.002 - Remote Services: SMB/Windows Admin Shares: Exploits remote services to gain access to sensitive systems.
  • T1047 - Windows Management Instrumentation: Utilizes WMI for lateral movement within networks.
  • T1053.005 - Create or Modify System Process: Windows Service: Modifies Windows services to maintain persistence.
  • T1059.001 - Command and Scripting Interpreter: PowerShell: Executes PowerShell scripts to conduct reconnaissance and deploy malware.
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell: Uses the Windows command shell for exploitation and payload delivery.
  • T1068 - Exploitation for Privilege Escalation: Exploits vulnerabilities to escalate privileges within the compromised network.
  • T1078.001 - Valid Accounts: Domain Accounts: Uses valid domain accounts for persistence.
  • T1078.003 - Valid Accounts: Windows Accounts: Leverages Windows credentials for unauthorized access.
  • T1082 - System Information Discovery: Gathers system information for better targeting and exploitation.
  • T1190 - Exploit Public-Facing Application: Uses public-facing vulnerabilities to gain initial access (e.g., ProxyLogon).
  • T1203 - Exploitation for Client Execution: Exploits software vulnerabilities to execute malware on the client side.
  • T1547 - Boot or Logon Autostart Execution: Modifies autostart locations to ensure persistence after system reboots.
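The list above names techniques without showing what they look like in telemetry. The following is an added example, not part of the original advisory or the Tenable analysis it summarizes: a small set of triage rules for five of the listed behaviors (NTDS extraction, WMI lateral movement, Windows service persistence, hidden or encoded PowerShell, and admin-share access) run over constructed Windows event records. The event shapes, hostnames, users and command lines are made up to resemble Security/System log fields; for Windows service persistence the rule uses ATT&CK's own ID for that sub-technique, T1543.003. Each predicate is a narrow behavioral signal meant for tuning against your baseline, not a complete detection.

```python
"""Triage rules for several of the ATT&CK techniques listed above, run over
constructed Windows event records. Added example; the events and field names are
made up to resemble Security/System log data, not taken from any real incident."""
import re
from collections import Counter

# Constructed sample events. event_id follows Windows conventions:
# 4688 = process creation, 7045 = new service installed, 5140 = network share accessed.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "DC01", "user": "svc_backup",
     "command_line": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\x" q q'},
    {"event_id": 4688, "host": "WS17", "user": "jdoe",
     "command_line": 'wmic /node:FILESRV02 process call create "cmd.exe /c whoami"'},
    {"event_id": 7045, "host": "FILESRV02", "user": "SYSTEM",
     "service_name": "WinUpdateSvc", "image_path": "C:\\Users\\Public\\update.exe"},
    {"event_id": 4688, "host": "WS17", "user": "jdoe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"event_id": 4688, "host": "WS03", "user": "alice",
     "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"event_id": 5140, "host": "DC01", "user": "jdoe", "share_name": "\\\\*\\ADMIN$"},
]


def _cmd(e):
    return e.get("command_line", "")


# (technique, description, predicate). Each predicate is a narrow behavioral
# signal for the technique, not a complete detection; tune to your baseline.
RULES = [
    ("T1003.003", "NTDS extraction via ntdsutil or shadow copy",
     lambda e: e["event_id"] == 4688
     and re.search(r"ntdsutil|vssadmin\s+create\s+shadow", _cmd(e), re.I) is not None),
    ("T1047", "Remote process creation over WMI",
     lambda e: e["event_id"] == 4688
     and re.search(r"\bwmic(\.exe)?\s+/node:", _cmd(e), re.I) is not None),
    # ATT&CK catalogues Windows service creation/modification as T1543.003.
    ("T1543.003", "Service installed from a user-writable path",
     lambda e: e["event_id"] == 7045
     and re.match(r"C:\\(Windows|Program Files)", e.get("image_path", ""), re.I) is None),
    ("T1059.001", "Hidden or encoded PowerShell",
     lambda e: e["event_id"] == 4688
     and re.search(r"powershell.*(-enc\b|-e\s|-w\s+hidden|-nop\b)", _cmd(e), re.I) is not None),
    ("T1021.002", "Administrative share access",
     lambda e: e["event_id"] == 5140
     and re.search(r"\\(ADMIN|C)\$$", e.get("share_name", ""), re.I) is not None),
]


def triage(events):
    """Return one finding per (event, rule) match."""
    hits = []
    for e in events:
        for technique, desc, pred in RULES:
            if pred(e):
                hits.append({"technique": technique, "host": e["host"],
                             "user": e["user"], "reason": desc})
    return hits


def hits_per_host(hits):
    """Count findings by host; a host showing several distinct techniques warrants escalation."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    findings = triage(SAMPLE_EVENTS)
    for h in findings:
        print(f'{h["technique"]:10} {h["host"]:10} {h["user"]:12} {h["reason"]}')
    print(dict(hits_per_host(findings)))
```

On the constructed sample the rules fire five times (one per technique) and leave the benign notepad launch alone; the per-host count surfaces DC01 and WS17 as the hosts with more than one distinct technique, which is the kind of correlation a SOC would escalate rather than triage rule by rule.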

Suggested Corrections:
To lessen the risk presented by Salt Typhoon and other APT groups, organizations should take the following steps:

Patch Management: Ensure rapid patching of all known vulnerabilities, including those affecting Microsoft Exchange (ProxyLogon), Ivanti Connect Secure, and Fortinet FortiClientEMS. Because the group relies on known CVEs, applying patches promptly should be one of the top priorities.

Zero-Day Detection and Prevention: To counter zero-day exploitation, intrusion detection systems and related tooling should look for suspicious activity and apply mitigating actions until patches become available.

Network Segmentation and Monitoring: To limit the spread of an attack, segment sensitive and critical systems from the rest of the network. This includes enhanced monitoring for unusual behavior or unauthorized access across networks and endpoints.

End-to-End Encryption: Communications should be encrypted end to end, especially those of sensitive governmental and political figures, to counter eavesdropping or interception.

Security Hardening: Follow CISA guidance on securing Cisco devices. Some services, such as Smart Install, are subject to abuse. Ensure that all internet-facing devices are securely configured according to the principle of least privilege.
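The hardening item above is easier to act on as a checklist you can run against exported configs. The following is an added example, not code from the original advisory or from CISA: a small audit of a Cisco IOS running-config for a subset of the hardening points (Smart Install, cleartext HTTP management, reversible enable passwords, SSH version and telnet on the vty lines). Both configs are constructed, the enable-secret hash is a placeholder, and the checks are deliberately conservative: because Smart Install is enabled by default on many older IOS/IOS-XE releases, the absence of an explicit `no vstack` is reported as a finding rather than assumed safe.

```python
"""Audit a Cisco IOS running-config against the hardening points above (Smart
Install, remote-management services, privileged credentials). Added example; the
two configs are constructed and the checks are a subset of CISA's guidance."""
import re

# Constructed: a switch config with several weak settings.
WEAK_CONFIG = """\
hostname edge-sw1
!
enable password letmein
!
ip http server
!
line vty 0 4
 transport input all
 login local
!
"""

# Constructed: the same device with each finding addressed. The enable-secret
# hash is a placeholder, not a real hash.
HARDENED_CONFIG = """\
hostname edge-sw1
!
service password-encryption
enable secret 9 $9$PLACEHOLDER_HASH
no vstack
no ip http server
ip ssh version 2
!
line vty 0 4
 transport input ssh
 login local
!
"""


def parse_config(text):
    """Split an IOS config into top-level lines and per-section child lines.

    Sections are 'line ...' and 'interface ...' blocks whose children are
    indented by one space; '!' separators and blank lines are dropped."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
            continue
        top.append(line)
        if line.startswith(("line ", "interface ")):
            current = line
            sections[current] = []
        else:
            current = None
    return top, sections


def audit(text):
    """Return a list of (check_id, message) findings; an empty list means all checks passed."""
    top, sections = parse_config(text)
    findings = []
    # Smart Install (vstack) is on by default in many older IOS/IOS-XE releases,
    # so a missing 'no vstack' is reported rather than assumed to be off.
    if "no vstack" not in top:
        findings.append(("smart_install", "Smart Install not explicitly disabled (add 'no vstack')"))
    if "ip http server" in top:
        findings.append(("http_server", "cleartext HTTP management enabled (use 'no ip http server')"))
    if any(l.startswith("enable password ") for l in top):
        findings.append(("enable_password", "reversible 'enable password' in use (use 'enable secret')"))
    if "ip ssh version 2" not in top:
        findings.append(("ssh_version", "SSH version 2 not enforced (add 'ip ssh version 2')"))
    for header, children in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        # No 'transport input' line leaves the platform default, which may include telnet.
        if not transports or any(re.search(r"\b(all|telnet)\b", c) for c in transports):
            findings.append(("vty_telnet", f"{header}: telnet permitted (use 'transport input ssh')"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run against the weak config the audit returns five findings; against the hardened one it returns none. Feeding it real exports from a config-backup system gives a quick per-device view of which of these items still need attention before the deeper CISA checklist is applied.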

Ongoing Threat Intelligence and Training: Keep the organization's threat intelligence feeds continuously updated on the tactics, techniques, and procedures (TTPs) used by state-sponsored actors. Additionally, staff should receive training on how to recognize phishing attempts and suspicious activity.

Link(s):
https://www.tenable.com/blog/salt-t...ities-exploited-by-this-state-sponsored-actor