The UK, US and partners from across the globe have released a new report on the notorious Chinese APT group Salt Typhoon, claiming it has received help from several commercial tech companies to further its cyber-espionage goals.
The report named Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology and Sichuan Zhixin Ruijie Network Technology as providing “cyber-related products and services” to China’s intelligence services.
“The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” it warned.
These efforts have been ongoing since at least 2021, with the focus for initial access on exploitation of known vulnerabilities rather than zero-days.
The report urged network defenders in potentially impacted organizations to prioritize patching of network edge devices, specifically the following vulnerabilities:
- CVE-2024-21887 (Ivanti Connect Secure and Ivanti Policy Secure)
- CVE-2024-3400 (Palo Alto PAN-OS GlobalProtect)
- CVE-2023-20273 and CVE-2023-20198 (Cisco IOS XE)
- CVE-2018-0171 (Cisco Smart Install RCE)
By exploiting the above, threat actors can gain access to routers and edge devices, and then potentially hijack trusted connections between providers and customers to pivot into other networks.
“The APT actors leverage infrastructure, such as virtual private servers (VPSs) and compromised intermediate routers, that have not been attributable to a publicly known botnet or obfuscation network infrastructure to target telecommunications and network service providers, including ISPs,” the report explained.
“The APT actors may target edge devices regardless of who owns a particular device. Devices owned by entities who do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest.”
Reports suggest that these techniques were used to compromise organizations in scores of countries worldwide.
Network Defenders Urged to Act Now
The latest report comes on the back of warnings last November that Salt Typhoon had breached at least eight US telecom firms in “a broad and significant cyber espionage campaign.”
The hackers obtained customer call records data and the private communications of a limited number of people involved in government or political activity, as well as information subject to US law enforcement requests.
The US Cybersecurity and Infrastructure Security Agency (CISA) even warned at the time that high-risk individuals should move away from using unencrypted SMS and adopt end-to-end encrypted messaging apps and phishing-resistant multi-factor authentication (MFA).
The latest advisory was signed by the UK, US, Australia, Canada, New Zealand, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain, indicating the scale of Salt Typhoon operations.
“We are deeply concerned by the irresponsible behavior of the named commercial entities based in China that has enabled an unrestrained campaign of malicious cyber activities on a global scale,” said NCSC CEO, Richard Horne.
“It is crucial organizations in targeted critical sectors heed this international warning about the threat posed by cyber actors who have been exploiting publicly known – and so therefore fixable – vulnerabilities.”
Horne urged network defenders to proactively hunt for malicious activity and apply recommended mitigations based on indicators of compromise (IoCs), as well as regularly review network device logs for signs of unusual activity.
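As an added illustration of the log review the advisory calls for (this is example code, not part of the advisory or the article), the script below checks edge-device syslog lines against an IoC list and flags administrative sessions that originate outside the expected management network. The IoC addresses, the management range and the log lines are all constructed for the example; the advisory's real indicators and your own device log format would replace them.

```python
"""Review edge-device logs against an IoC list and a management allow-list.

Added example, not from the advisory or the article. The IoC addresses,
the management network and the log lines are constructed for illustration.
"""
import ipaddress
import re

# Constructed IoC list using RFC 5737 documentation addresses. These are
# placeholders, NOT indicators published in the advisory.
IOC_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Assumed management network: admin logins and config changes are expected
# only from here. Replace with your own out-of-band management range.
MGMT_NETWORK = ipaddress.ip_network("10.0.0.0/24")

# Constructed syslog-style lines loosely modelled on router login and
# configuration-change messages. Not real device output.
SAMPLE_LOGS = """\
Jan 10 02:13:05 edge-rtr1 SEC_LOGIN: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22]
Jan 10 02:15:41 edge-rtr1 SEC_LOGIN: Login Success [user: admin] [Source: 203.0.113.44] [localport: 22]
Jan 10 02:16:02 edge-rtr1 SYS_CONFIG: Configured from console by admin on vty0 (203.0.113.44)
Jan 10 03:01:17 edge-rtr1 SEC_LOGIN: Login Success [user: netops] [Source: 10.0.0.9] [localport: 22]
Jan 10 03:02:00 edge-rtr1 SYS_CONFIG: Configured from console by netops on vty1 (10.0.0.9)
Jan 10 04:10:33 edge-rtr1 SEC_LOGIN: Login Success [user: svc_backup] [Source: 192.0.2.200] [localport: 22]
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Events that represent an administrative session on the device.
ADMIN_EVENT_RE = re.compile(r"SEC_LOGIN: Login Success|SYS_CONFIG: Configured from")


def extract_ips(line):
    """Return the valid IPv4 addresses found in one log line."""
    addrs = []
    for candidate in IPV4_RE.findall(line):
        try:
            addrs.append(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # dotted strings that are not addresses, e.g. a version number
    return addrs


def matches_ioc(addr, ioc_networks=IOC_NETWORKS):
    """True if the address falls inside any IoC network."""
    return any(addr in net for net in ioc_networks)


def review_logs(log_text, ioc_networks=IOC_NETWORKS, mgmt_network=MGMT_NETWORK):
    """Return a list of (rule, line) findings for the given log text.

    "ioc": the line references an address on the IoC list.
    "admin-from-unexpected-source": a login or configuration event whose
    source address is outside the management network.
    """
    findings = []
    for line in log_text.splitlines():
        addrs = extract_ips(line)
        if any(matches_ioc(a, ioc_networks) for a in addrs):
            findings.append(("ioc", line))
            continue  # strongest finding for this line; do not double-report
        if ADMIN_EVENT_RE.search(line) and any(a not in mgmt_network for a in addrs):
            findings.append(("admin-from-unexpected-source", line))
    return findings


if __name__ == "__main__":
    for rule, line in review_logs(SAMPLE_LOGS):
        print(f"[{rule}] {line}")
```

On the constructed sample the script reports the two lines touching 203.0.113.44 as IoC hits and the svc_backup login from 192.0.2.200 as an admin session from an unexpected source; the sessions from the 10.0.0.0/24 management range produce no finding. The management allow-list rule is the more durable of the two, since it keeps catching unexpected administrative access after the attacker rotates infrastructure and the IoC list goes stale.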