Summary: Cisco Talos has been tracking a widespread intrusion campaign targeting major U.S. telecommunications companies, attributed to the sophisticated threat actor Salt Typhoon. Initially reported in late 2024 and later confirmed by the U.S. government, this campaign demonstrates advanced persistence techniques, allowing the attackers to maintain access for over three years in some cases. The primary method of compromise involved the use of stolen credentials rather than exploiting new vulnerabilities. While there was one confirmed instance of the exploitation of CVE-2018-0171, no other Cisco vulnerabilities were definitively linked to the campaign.
A key characteristic of Salt Typhoon’s activity is the use of living-off-the-land techniques, enabling them to persist undetected within compromised environments. The attackers actively sought additional credentials by capturing SNMP, TACACS, and RADIUS traffic, targeting weakly encrypted password storage methods, and exfiltrating network configurations via TFTP/FTP. These configurations often contained sensitive authentication material, such as SNMP Read/Write community strings and local account credentials, providing insight into network infrastructure and facilitating further reconnaissance. Additionally, the attackers modified network configurations to maintain access, including changes to AAA/TACACS+ server settings, loopback interface modifications, GRE tunnel creation, ACL changes, and the creation of hidden accounts.
Security Officer Comments: Salt Typhoon also engaged in infrastructure pivoting, leveraging compromised network devices to move laterally across telecom providers and using them as hop points for outbound data exfiltration. Their persistence was further strengthened by modifying authentication settings, clearing logs to erase forensic traces, and restoring normal system behavior post-operation. A custom-built Go-based tool dubbed JumbledPath was used to execute packet captures through actor-controlled jump hosts, obscuring the origin and destination of their activities.
Suggested Corrections: Cisco Talos recommends taking the following steps to identify suspicious activity that may be related to this campaign:
- Conduct comprehensive configuration management (inclusive of auditing), in line with best practices.
- Conduct comprehensive authentication/authorization/command issuance monitoring.
- Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
- Monitor your environment for unusual changes in behavior or configuration.
- Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing).
- Where possible, develop NetFlow visibility to identify unusual volumetric changes.
- Look for non-empty or unusually large .bash_history files.
- Additional identification and detection can be performed using the Cisco forensic guides.
Preventative measures: The following guidance applies to entities in all sectors.
- Cisco-specific measures
  - Always disable the underlying non-encrypted web server using the “no ip http server” command. If web management is not required, disable all of the underlying web servers using the “no ip http server” and “no ip http secure-server” commands.
  - Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
  - If not required, disable guestshell access using “guestshell disable” on those versions which support the guestshell service.
  - Disable Cisco’s Smart Install service using “no vstack”.
  - Utilize type 8 passwords for local account credential configuration.
  - Use type 6 for TACACS+ key configuration.
- General measures
  - Rigorously adhere to security best practices, including updating, access controls, user education, and network segmentation.
  - Stay up-to-date on security advisories from the U.S. government and industry, and consider suggested configuration changes to mitigate described issues.
  - Update devices as aggressively as possible. This includes patching current hardware and software against known vulnerabilities and replacing end-of-life hardware and software.
  - Select complex passwords and community strings and avoid default credentials.
  - Use multi-factor authentication (MFA).
  - Encrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
  - Lock down and aggressively monitor credential systems, such as TACACS+ and any jump hosts.
  - Utilize AAA to deny configuration modifications of key device protections (e.g., local accounts, TACACS+, RADIUS).
  - Prevent and monitor for exposure of administrative or unusual interfaces (e.g., SNMP, SSH, HTTP(S)).
  - Disable all non-encrypted web management capabilities.
  - Verify the existence and correctness of access control lists for all management protocols (e.g., SNMP, SSH, NETCONF).
  - Enhance overall credential and password management practices with stronger keys and/or encryption.
  - Use type 8 passwords for local account credential configuration.
  - Use type 6 for TACACS+ key configuration.
  - Store configurations centrally and push to devices. Do NOT allow devices to be the trusted source of truth for their configurations.
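The Cisco-specific and general hardening items above can be checked mechanically against an exported running-config. The following audit script is an added example, not code from Cisco Talos or the page; it runs over a constructed sample configuration (all usernames, keys and community strings are made up) and flags the plaintext HTTP server, Smart Install left enabled, non-type-8 local passwords, non-type-6 AAA server keys, RW or default-named SNMP communities, and VTY lines that accept anything other than SSH.

```python
import re

# Constructed sample IOS running-config (not from the page), seeded with weak settings.
SAMPLE_CONFIG = """\
username admin password 7 094F471A1A0A
username ops secret 8 $8$constructed
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community private RW
tacacs server TAC1
 key 7 0822455D0A16
line vty 0 4
 transport input telnet ssh
 transport output none
line vty 5 15
 transport input ssh
 transport output none
"""

def audit_ios_config(config: str) -> list:
    """Return one finding string per weak setting from the hardening list."""
    findings = []
    stanza = None  # the current 'line vty' block, used for transport checks
    for line in config.splitlines():
        if not line.startswith(" "):
            stanza = line if line.startswith("line vty") else None
        if line == "ip http server":
            findings.append("plaintext web server enabled; add 'no ip http server'")
        m = re.match(r"^username (\S+) (?:privilege \d+ )?(?:password|secret) (\d)", line)
        if m and m.group(2) != "8":  # page recommends type 8 for local accounts
            findings.append(f"user {m.group(1)} uses type {m.group(2)} password; use type 8")
        m = re.match(r"^\s+key (\d) ", line)  # key inside a tacacs/radius server block
        if m and m.group(1) != "6":
            findings.append(f"AAA server key stored as type {m.group(1)}; use type 6")
        m = re.match(r"^snmp-server community (\S+) (RO|RW)", line)
        if m and (m.group(2) == "RW" or m.group(1).lower() in ("public", "private")):
            findings.append(f"SNMP community '{m.group(1)}' is {m.group(2)} or a default name")
        if stanza and line.strip().startswith("transport input") and line.split()[2:] != ["ssh"]:
            findings.append(f"{stanza}: {line.strip()}; set 'transport input ssh'")
        if stanza and line.strip().startswith("transport output") and line.split()[2:] != ["none"]:
            findings.append(f"{stanza}: {line.strip()}; set 'transport output none'")
    if "no vstack" not in config.splitlines():
        findings.append("Smart Install not disabled; add 'no vstack'")
    return findings

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Guestshell state is not visible in the running-config, so that item still has to be checked on the device itself.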
Link(s): https://thehackernews.com/2025/02/cisco-confirms-salt-typhoon-exploited.html