Global Salt Typhoon Cyber Attacks Associated with Chinese Technology Companies

ByAdmin

The U.S. National Security Agency (NSA), the UK’s National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-based technology firms.According to the joint advisories [NSA, NCSC], Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. have provided cyber products and services to China’s Ministry of State Security and the People’s Liberation Army, enabling cyber espionage operations tracked as Salt Typhoon.Since at least 2021, the Chinese threat actors have breached government, telecommunications, transportation, lodging, and military networks worldwide, stealing data that can be used to track targets’ communications and movements worldwide.In particular, over the past couple of years, Salt Typhoon has performed concerted attacks on telecommunication firms to spy on the private communications of individuals worldwide.BleepingComputer contacted the Chinese embassy about these claims and will update the story if we receive a response.Targeting networking equipmentA joint advisory by cyber and intelligence agencies in 13 countries warns that the threat actors have had “considerable success” exploiting widely known and fixed flaws on network edge devices rather than relying on zero-days.These vulnerabilities include:CVE-2024-21887 (Ivanti Connect Secure command injection), CVE-2024-3400 (Palo Alto PAN-OS GlobalProtect RCE), CVE-2023-20273 and CVE-2023-20198 (Cisco IOS XE authentication bypass and privilege escalation) CVE-2018-0171 (Cisco Smart Install RCE). Using these flaws, the threat actors gain access to routing and network devices, allowing them to modify access control lists, enable SSH on non-standard ports, create GRE/IPsec tunnels, and exploit Cisco Guest Shell containers to maintain persistence.”The APT actors may target edge devices regardless of who owns a particular device,” explains the joint report.”Devices owned by entities who do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest. The actors leverage compromised devices and trusted connections or private interconnections (e.g., provider-to-provider or provider-to-customer links) to pivot into other networks.”They also collected packet captures of authentication traffic, redirected TACACS+ servers, and deployed custom Golang-based SFTP tools (“cmd1,” “cmd3,” “new2,” and “sft”) to monitor traffic and steal data.As many of these vulnerabilities have had fixes available for some time, both the NCSC and NSA urge organizations to prioritize patching devices first, then hardening device configurations, monitoring for unauthorized changes, and turning off unused services.It is also recommended that admins restrict management services to dedicated networks, enforce secure protocols such as SSHv2 and SNMPv3, and disable?The U.S. National Security Agency (NSA), the UK’s National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-based technology firms.According to the joint advisories [NSA, NCSC], Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. have provided cyber products and services to China’s Ministry of State Security and the People’s Liberation Army, enabling cyber espionage operations tracked as Salt Typhoon.Since at least 2021, the Chinese threat actors have breached government, telecommunications, transportation, lodging, and military networks worldwide, stealing data that can be used to track targets’ communications and movements worldwide.In particular, over the past couple of years, Salt Typhoon has performed concerted attacks on telecommunication firms to spy on the private communications of individuals worldwide.BleepingComputer contacted the Chinese embassy about these claims and will update the story if we receive a response.Targeting networking equipmentA joint advisory by cyber and intelligence agencies in 13 countries warns that the threat actors have had “considerable success” exploiting widely known and fixed flaws on network edge devices rather than relying on zero-days.These vulnerabilities include:CVE-2024-21887 (Ivanti Connect Secure command injection), CVE-2024-3400 (Palo Alto PAN-OS GlobalProtect RCE), CVE-2023-20273 and CVE-2023-20198 (Cisco IOS XE authentication bypass and privilege escalation) CVE-2018-0171 (Cisco Smart Install RCE). Using these flaws, the threat actors gain access to routing and network devices, allowing them to modify access control lists, enable SSH on non-standard ports, create GRE/IPsec tunnels, and exploit Cisco Guest Shell containers to maintain persistence.”The APT actors may target edge devices regardless of who owns a particular device,” explains the joint report.”Devices owned by entities who do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest. The actors leverage compromised devices and trusted connections or private interconnections (e.g., provider-to-provider or provider-to-customer links) to pivot into other networks.”They also collected packet captures of authentication traffic, redirected TACACS+ servers, and deployed custom Golang-based SFTP tools (“cmd1,” “cmd3,” “new2,” and “sft”) to monitor traffic and steal data.As many of these vulnerabilities have had fixes available for some time, both the NCSC and NSA urge organizations to prioritize patching devices first, then hardening device configurations, monitoring for unauthorized changes, and turning off unused services.It is also recommended that admins restrict management services to dedicated networks, enforce secure protocols such as SSHv2 and SNMPv3, and disable? 

Categories: The U.S. National Security Agency (NSA), the UK’s National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-based technology firms.According to the joint advisories [NSA, NCSC], Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. have provided cyber products and services to China’s Ministry of State Security and the People’s Liberation Army, enabling cyber espionage operations tracked as Salt Typhoon.Since at least 2021, the Chinese threat actors have breached government, telecommunications, transportation, lodging, and military networks worldwide, stealing data that can be used to track targets’ communications and movements worldwide.In particular, over the past couple of years, Salt Typhoon has performed concerted attacks on telecommunication firms to spy on the private communications of individuals worldwide.BleepingComputer contacted the Chinese embassy about these claims and will update the story if we receive a response.Targeting networking equipmentA joint advisory by cyber and intelligence agencies in 13 countries warns that the threat actors have had “considerable success” exploiting widely known and fixed flaws on network edge devices rather than relying on zero-days.These vulnerabilities include:CVE-2024-21887 (Ivanti Connect Secure command injection), CVE-2024-3400 (Palo Alto PAN-OS GlobalProtect RCE), CVE-2023-20273 and CVE-2023-20198 (Cisco IOS XE authentication bypass and privilege escalation) CVE-2018-0171 (Cisco Smart Install RCE). Using these flaws, the threat actors gain access to routing and network devices, allowing them to modify access control lists, enable SSH on non-standard ports, create GRE/IPsec tunnels, and exploit Cisco Guest Shell containers to maintain persistence.”The APT actors may target edge devices regardless of who owns a particular device,” explains the joint report.”Devices owned by entities who do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest. The actors leverage compromised devices and trusted connections or private interconnections (e.g., provider-to-provider or provider-to-customer links) to pivot into other networks.”They also collected packet captures of authentication traffic, redirected TACACS+ servers, and deployed custom Golang-based SFTP tools (“cmd1,” “cmd3,” “new2,” and “sft”) to monitor traffic and steal data.As many of these vulnerabilities have had fixes available for some time, both the NCSC and NSA urge organizations to prioritize patching devices first, then hardening device configurations, monitoring for unauthorized changes, and turning off unused services.It is also recommended that admins restrict management services to dedicated networks, enforce secure protocols such as SSHv2 and SNMPv3, and disable? 

Tags: The U.S. National Security Agency (NSA), the UK’s National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-based technology firms.According to the joint advisories [NSA, NCSC], Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. have provided cyber products and services to China’s Ministry of State Security and the People’s Liberation Army, enabling cyber espionage operations tracked as Salt Typhoon.Since at least 2021, the Chinese threat actors have breached government, telecommunications, transportation, lodging, and military networks worldwide, stealing data that can be used to track targets’ communications and movements worldwide.In particular, over the past couple of years, Salt Typhoon has performed concerted attacks on telecommunication firms to spy on the private communications of individuals worldwide.BleepingComputer contacted the Chinese embassy about these claims and will update the story if we receive a response.Targeting networking equipmentA joint advisory by cyber and intelligence agencies in 13 countries warns that the threat actors have had “considerable success” exploiting widely known and fixed flaws on network edge devices rather than relying on zero-days.These vulnerabilities include:CVE-2024-21887 (Ivanti Connect Secure command injection), CVE-2024-3400 (Palo Alto PAN-OS GlobalProtect RCE), CVE-2023-20273 and CVE-2023-20198 (Cisco IOS XE authentication bypass and privilege escalation) CVE-2018-0171 (Cisco Smart Install RCE). Using these flaws, the threat actors gain access to routing and network devices, allowing them to modify access control lists, enable SSH on non-standard ports, create GRE/IPsec tunnels, and exploit Cisco Guest Shell containers to maintain persistence.”The APT actors may target edge devices regardless of who owns a particular device,” explains the joint report.”Devices owned by entities who do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest. The actors leverage compromised devices and trusted connections or private interconnections (e.g., provider-to-provider or provider-to-customer links) to pivot into other networks.”They also collected packet captures of authentication traffic, redirected TACACS+ servers, and deployed custom Golang-based SFTP tools (“cmd1,” “cmd3,” “new2,” and “sft”) to monitor traffic and steal data.As many of these vulnerabilities have had fixes available for some time, both the NCSC and NSA urge organizations to prioritize patching devices first, then hardening device configurations, monitoring for unauthorized changes, and turning off unused services.It is also recommended that admins restrict management services to dedicated networks, enforce secure protocols such as SSHv2 and SNMPv3, and disable? 

Leave a Reply

Your email address will not be published. Required fields are marked *