Chinese Hackers Utilize Custom Tool to Capture Network Packets

A recent analysis by Cisco’s Talos unit confirms that Chinese state-sponsored hackers employed a custom-built utility to infiltrate U.S. telecommunications providers, targeting sensitive governmental and political figures. The one vulnerability they exploited appears to be a known one: Cisco’s “Smart Install” feature, which has been flagged as a potential attack vector for several years.
Cisco’s report asserts that the hackers, linked to the so-called Salt Typhoon campaign, relied mostly on stolen legitimate credentials and techniques that allow for lateral movement within compromised networks. These attackers utilized a combination of existing vulnerabilities and living-off-the-land strategies instead of relying solely on newly discovered exploits.
While they only utilized one known Cisco vulnerability, the findings contradict previous analyses, such as a recent Recorded Future report suggesting that more recent vulnerabilities, CVE-2023-20198 and CVE-2023-20273, were also leveraged in U.S. telecom breaches. The discrepancies in findings indicate a need for further investigation into the methods employed by the attackers.
The Salt Typhoon initiative has underscored the vulnerabilities prevalent within the telecommunications sector, particularly regarding the susceptibility of network edge devices. According to Biden administration officials, the hackers systematically intercepted communications involving high-profile political candidates and their associates, demonstrating a comprehensive breach of privacy surrounding metadata linked to voice and text messaging.
Cisco’s assertion that no new vulnerabilities were exploited during this campaign attempts to mitigate potential damage to its reputation. Talos pointedly refutes claims of multiple Cisco vulnerabilities being abused and encourages telecom companies to adopt best practices for securing their network infrastructure.
Crucially, the custom utility known as “JumbledPath” was pivotal for the hackers, enabling them to capture network traffic and gather sensitive data. The tool was discovered running on compromised Cisco Nexus devices. Along with it, the attackers disabled logging and erased existing logs as they moved through different parts of the network, which complicates subsequent forensic investigation.
Given these developments, cybersecurity experts warn of the implications for network security, urging system administrators to remediate the identified “Smart Install” exposure to prevent further unauthorized access. The warning is clear: even devices that do not actively forward production traffic can serve as entry points for attackers, so they need the same immediate attention.
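The two remediation points above (Smart Install left enabled, and logging that can be silently switched off on the box) are the kind of thing an operator can check from a saved running-config before an incident rather than after one. The following audit function is an added example written for this article; it is not code from Cisco or Talos. It assumes the configuration text comes from a Cisco IOS switch (the `no vstack` and `logging host` commands are IOS syntax; Nexus/NX-OS devices use different commands and are not covered here), and the two sample configurations are constructed for illustration, not taken from any real device.

```python
import re

# Constructed sample: what an operator might see from `show running-config`
# on a Cisco IOS access switch that nobody has hardened. Smart Install is
# enabled by default on client switches, so its absence from the config means
# it is still on; there is also no remote syslog destination.
SAMPLE_CONFIG = """\
hostname edge-sw-01
!
logging buffered 16384
no logging console
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
end
"""

# Constructed sample: the same switch after hardening. `no vstack` turns
# Smart Install off and `logging host` ships logs to a collector, so wiping
# the local buffer no longer destroys the only copy.
HARDENED_CONFIG = """\
hostname edge-sw-02
!
no vstack
logging buffered 16384
logging host 192.0.2.50
!
end
"""

# Config lines that explicitly turn logging off on the device itself.
LOGGING_OFF = re.compile(r"^no logging (on|buffered|host\b.*)$")


def audit_ios_config(config: str) -> list[str]:
    """Return a list of finding codes for a Cisco IOS running-config.

    An empty list means none of the checks fired.
    """
    lines = [line.strip() for line in config.splitlines()]
    findings: list[str] = []

    # Smart Install: the hardened state is an explicit `no vstack` in
    # global configuration. Anything else is treated as still enabled.
    if "no vstack" not in lines:
        findings.append("smart-install-enabled")

    # Central logging: without at least one `logging host`, an attacker who
    # clears the local buffer leaves the defender with nothing to review.
    if not any(line.startswith("logging host ") for line in lines):
        findings.append("no-remote-syslog")

    # Logging deliberately disabled is a red flag in its own right and is
    # reported with the offending line so it can be traced back.
    for line in lines:
        if LOGGING_OFF.match(line):
            findings.append("logging-disabled:" + line)

    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ios_config(cfg) or "clean")
```

Run against a directory of exported running-configs, this gives a per-device list of which of the article’s two weak points are still present; `no logging console` is intentionally not flagged, since suppressing console output does not remove the buffered or remote record.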
With the increasing sophistication of cyber-espionage campaigns, businesses must remain vigilant and proactive in their cybersecurity defenses, aligning their strategies with frameworks like the MITRE ATT&CK Matrix. This ensures they are prepared for a range of tactics, including initial access, privilege escalation, and lateral movement, as demonstrated in the Salt Typhoon case.