Cisco Confirms Salt Typhoon Exploitation in Telecom Hits
In addition to using CVE-2018-0171 and other Cisco bugs to break into telecom networks, the China-sponsored APT is also using using stolen login credentials for initial access.
Coverage examines reports on Salt Typhoon, an alleged intrusion set, including infrastructure, disruption, and defensive guidance.
Search across headline titles and summaries.
Background for this topic.
Salt Typhoon is a name used by security researchers and government agencies for a suspected intrusion set linked in public reporting to compromises of telecommunications and other communications infrastructure. Reported incidents have involved access to provider networks and systems that could expose subscriber information, call-detail records, or communications-related data; the scope and attribution of individual cases remain subject to investigation.
The main security concern is prolonged access to high-value network environments, including internet-facing appliances, administrative systems, and monitoring or lawful-intercept infrastructure. Telecommunications operators and connected organizations should inventory and promptly patch exposed devices, restrict management access, enforce multifactor authentication, segment sensitive systems, rotate potentially exposed credentials, and retain authentication and network telemetry for threat hunting. Investigations should examine persistence and lateral movement rather than treating removal of one account or device as sufficient. Because communications data is highly sensitive, suspected access also warrants careful privacy assessment, evidence preservation, and coordination with applicable disclosure and regulatory processes.
Weekly headline count for the current query.
In addition to using CVE-2018-0171 and other Cisco bugs to break into telecom networks, the China-sponsored APT is also using using stolen login credentials for initial access.
Cisco has confirmed that a Chinese threat actor known as Salt Typhoon gained access by likely abusing a known security flaw tracked as CVE-2018-0171, and by obtaining legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies