Chinese state-sponsored hackers, Salt Typhoon, used the JumbledPath utility in their attacks against US telecommunication providers to stealthily monitor network traffic and potentially steal sensitive data, a new Cisco report revealed.
In the report published by Cisco Talos on February 20, the researchers confirmed Salt Typhoon gained access to core networking infrastructure through Cisco devices and then used that infrastructure to collect a variety of information.
Salt Typhoon's typical approach to gaining initial access to Cisco devices was to obtain legitimate victim login credentials, using living-off-the-land (LOTL) techniques on the network devices.
One of the main revelations of the report was that Salt Typhoon used JumbledPath, a custom-built utility allowing the threat actor to execute a packet capture on a remote Cisco device through an actor-defined jump host.
Salt Typhoon Techniques, Tactics and Procedures
According to Cisco Talos, Salt Typhoon used stolen credentials and actively tried to steal more by targeting weak password storage, network device configurations and capturing authentication traffic.
The group stole device configurations, often via TFTP/FTP, to gain access to sensitive information like SNMP strings and weakly encrypted passwords, which could then be easily decrypted, and to understand network topology for further attacks.
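A defender-side audit for the weak credential storage described above (plaintext and type 7 passwords, and SNMP community strings left in the running configuration), written here as an added example rather than anything from the Cisco report. The sample configuration is constructed; the line syntax follows standard Cisco IOS conventions, where types 5, 8 and 9 are one-way hashes and are not flagged.

```python
import re
from collections import Counter

# Constructed sample running-config excerpt (not from the Cisco report) that mixes
# weak and strong credential storage forms.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
no service password-encryption
enable password cisco123
username admin password 7 094F471A1A0A
username ops secret 9 $9$constructedsalt$constructedscrypthash
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 7 0822455D0A16
"""

# Type 7 is reversible obfuscation; type 0 (or no type digit at all) is plaintext.
TYPE7 = re.compile(r"\bpassword 7 \S+")
PLAINTEXT = re.compile(r"\bpassword (?:0 )?(?![5-9] )\S+$")
SNMP = re.compile(r"^\s*snmp-server community (\S+)(?:\s+(RO|RW))?")

def audit_config(config: str) -> list[dict]:
    """Return one finding per config line that stores a credential weakly."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if TYPE7.search(line):
            findings.append({"line": lineno, "severity": "high",
                             "issue": "type 7 (reversible) password"})
        elif PLAINTEXT.search(line):
            findings.append({"line": lineno, "severity": "high",
                             "issue": "plaintext password"})
        m = SNMP.match(line)
        if m:
            # A read-write community string is a device-configuration write path.
            mode = m.group(2) or "RO"
            findings.append({"line": lineno,
                             "severity": "high" if mode == "RW" else "medium",
                             "issue": f"SNMP community string in config ({mode})"})
    return findings

def severity_counts(findings: list[dict]) -> dict:
    """Summarise findings by severity for a quick fleet-wide comparison."""
    return dict(Counter(f["severity"] for f in findings))

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>2} [{f['severity']}] {f['issue']}")
    print(severity_counts(audit_config(SAMPLE_CONFIG)))
```

Run it against exported running-configs; any type 7 or plaintext hit is a candidate for migration to `secret` with type 8 or 9 storage, and community strings should move to SNMPv3.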
JumbledPath, a utility written in Go and compiled as an x86-64 ELF binary, was found in actor-configured Guest Shell instances on Cisco Nexus devices.
Guest Shell is a Linux-based virtual environment that runs on Cisco devices and allows users to execute Linux commands and utilities.
JumbledPath was used to modify network device configurations, attempt to clear logs, impair logging along the jump path and return the resulting compressed, encrypted capture via another unique series of actor-defined connections or jumps.
“This allowed the threat actor to create a chain of connections and perform the capture on a remote device,” the Talos researchers said.
“The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure.”