A Chinese threat group, Salt Typhoon, has deeply penetrated government, telco, and military networks in 80+ countries – and woeful security hygiene has frequently made life extraordinarily easy for its hackers.

“Weak credentials, such as ‘cisco’ as the username and password, are routinely exploited,” said a coalition of 23 cybersecurity agencies from Canada, Finland, Germany, Japan, the UK, the US, and beyond on August 27.

The agencies from 12 nations (also including the Czech Republic, Italy, the Netherlands, Poland, and Spain) have joined forces to urge threat hunting in a report that mentions “Cisco” no fewer than 49 times; hardening all Cisco-related environments appears crucial for network defenders.

The guidance comes after the NSA in December 2024 emphasised that the same threat group was abusing "Cisco-specific features" rather than vulnerabilities, in attacks that Senate Intelligence Committee chairman, Mark Warner, said were “the worst in our nation’s history… my hair’s on fire.”

Cisco-specific recommendations

The agencies called for defenders to:

Disable the Cisco Smart Install feature.

Store credentials using strong cryptography.

Protect local credentials on Cisco networking devices using Type 8 (PBKDF2-SHA-256) where supported.

Do not use Type 7, transition from Type 5 (MD5) when possible, and use Type 6 (AES) key encryption to protect stored secrets (e.g., TACACS+/RADIUS shared secrets or IKE PSKs).

Disable outbound connections from the VTYs (e.g., transport output none). This prevents initiating SSH, Telnet, or other client sessions from the device via VTY, reducing its utility as a jump host. Monitor for any changes to this setting.

Audit for unexpected enablement of IOS XR host SSH (sshd_operns) on TCP/57722. This is disabled by default, but has been observed being enabled by actors for persistence.

When not required, disable the web configuration interface on applicable Cisco networking devices by running no ip http server and no ip http secure-server.

If management via a web interface is required, enable only the HTTPS management interface by running ip http secure-server, and keep no ip http server configured to prevent unencrypted access via HTTP.

Ensure a final deny any any log line is added to all configured ACLs. This ensures that denied connections are logged so they can be reviewed at a later date.
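The recommendations above can be turned into a repeatable check against a saved running-config. The following audit script is an added illustration, not part of the advisory or a Cisco tool; it scans constructed IOS/IOS XE configuration text for the specific gaps the list names (Smart Install not disabled, plaintext HTTP management, Type 0/5/7 credentials, VTY lines without transport output none, named ACLs lacking a final logged deny). The sample config, usernames and hash values are all made up.

```python
import re
from itertools import takewhile
# Constructed sample running-config (not from the advisory) with several weaknesses the list above names.
SAMPLE_CONFIG = """\
username cisco password cisco
username ops secret 5 $1$abcd$FAKEFAKEFAKEFAKEFAKEFA
username noc privilege 15 password 7 0822455D0A16
enable secret 8 $8$FAKESALT$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE
ip http server
ip http secure-server
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny ip any any
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
 transport output none
"""

# username/enable credential lines: optional privilege level, optional type digit, then the value.
CRED_RE = re.compile(r"^(?:username (\S+)(?: privilege \d+)? |enable )(?:password|secret)(?: (\d+))? (\S+)$")
WEAK_TYPES = {"0": "plaintext credential", "7": "Type 7 reversible password", "5": "Type 5 MD5 secret, migrate to Type 8"}

def blocks(lines, prefix):
    # Yield (header, indented body lines) for each config section whose header starts with prefix.
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            yield line, [b.strip() for b in takewhile(lambda s: s.startswith(" "), lines[i + 1:])]

def audit_ios_config(config):
    """Return one finding per hygiene gap; an empty list means every check passed."""
    lines = config.splitlines()
    findings = []
    if "no vstack" not in lines:  # Smart Install stays on unless explicitly disabled
        findings.append("Smart Install not explicitly disabled (add 'no vstack')")
    if "ip http server" in lines:  # plaintext web UI left enabled alongside HTTPS
        findings.append("HTTP management enabled (use 'no ip http server')")
    for m in filter(None, map(CRED_RE.match, lines)):
        user, ptype, value = m.group(1) or "enable", m.group(2) or "0", m.group(3)
        if ptype in WEAK_TYPES:  # Type 8/9 hashes pass; Type 6 keys are not credential lines
            tag = " (equals username)" if ptype == "0" and value == user else ""
            findings.append(f"{user}: {WEAK_TYPES[ptype]}{tag}")
    for header, body in blocks(lines, "line vty"):  # every VTY range must block outbound sessions
        if "transport output none" not in body:
            findings.append(f"{header}: outbound sessions allowed (add 'transport output none')")
    for header, body in blocks(lines, "ip access-list"):  # named ACLs only; numbered ACLs not parsed
        if not body or not re.search(r"^deny .*any.*\blog$", body[-1]):
            findings.append(f"{header}: missing final 'deny any any log'")
    return findings
```

Running audit_ios_config(SAMPLE_CONFIG) yields seven findings, one per weakness planted in the sample; a config that applies every recommendation returns an empty list.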


Notably, the APT appears to have had striking success without exploiting zero-days, and at least one infosec critic fumed in response to the report that “They're literally following a 20 year old [offensive] playbook. Tells you all you need to know about the defensive posture of these telcos and the real geniuses that are provisioning and managing these assets…”

The report was “deeply informed by government and industry investigations” and published with the intent to “educate and equip network defenders to mitigate and prevent Salt Typhoon activity…”


The agencies said that the nation-state-backed threat group has been seen successfully exploiting known but unpatched Cisco, Ivanti, Palo Alto Networks and other network appliance vulnerabilities – adding “the authoring agencies suspect that the APT actors may target other devices (e.g., Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc.)”

However, the agencies warned that they’d like to see more intelligence from industry defenders: “Initial access vectors remain a critical information gap for parties working to understand the scope, scale, and impact of the actors’ malicious activity. The authoring agencies encourage organizations to provide compromise details to appropriate authorities to continue improving all parties’ understanding and responses,” they urged.

Salt Typhoon persistence

Among other persistence techniques, Salt Typhoon has been seen “Running commands in an on-box Linux container on supported Cisco networking devices to stage tools, process data locally, and move laterally within the environment. This often allows the APT actors to conduct malicious activities undetected because activities and data within the container are not monitored closely,” the advisory emphasised. 

The APT is also using “open source multi-hop pivoting tools, such as STOWAWAY, to build chained relays for … C2 and operator access, including interactive remote shells, file upload and download, SOCKS5/HTTP proxying, and local/remote port mapping with support for forward and reverse connections over encrypted node-to-node links.”

The APT often conceals data theft “within the noise of high-traffic nodes, such as proxies and Network Address Translation (NAT) pools [and uses] tunnels, such [as] IPsec and GRE, to conduct C2 and exfiltration activities.”

A full and detailed list of IOCs and hardening measures is in the report.
