The Chinese language state-sponsored Salt Storm hacking group makes use of a customized utility referred to as JumbledPath to stealthily monitor community visitors and doubtlessly seize delicate knowledge in cyberattacks on U.S. telecommunication suppliers.
Salt Storm (aka Earth Estries, GhostEmperor, and UNC2286) is a complicated hacking group energetic since not less than 2019, primarily specializing in breaching authorities entities and telecommunications corporations.
Not too long ago, the U.S. authorities have confirmed that Salt Storm was behind a number of profitable breaches of telecommunication service suppliers within the U.S., together with Verizon, AT&T, Lumen Applied sciences, and T-Cellular.
It was later revealed that Salt Storm managed to faucet into the personal communications of some U.S. authorities officers and stole info associated to court-authorized wiretapping requests.
Final week, the Recorded Future’s Insikt Group reported that Salt Storm focused over 1,000 Cisco community units, greater than half from the U.S., South America, and India, between December 2024 and January 2025,
At this time, Cisco Talos revealed extra particulars in regards to the menace actor’s exercise after they breached main telecommunications corporations within the U.S., which in some instances spanned over three years.
Salt Storm’s techniques
Cisco says Salt Storm hackers infiltrated core networking infrastructure primarily by stolen credentials. Aside from a single case involving exploitation of the Cisco CVE-2018-0171 flaw, the cybersecurity firm has seen no different flaws, identified or zero-days, being exploited on this marketing campaign.
“No new Cisco vulnerabilities had been found throughout this marketing campaign,” states Cisco Talos in its report. “Whereas there have been some stories that Salt Storm is abusing three different identified Cisco vulnerabilities, now we have not recognized any proof to substantiate these claims.”
Whereas Salt Storm primarily gained entry to focused networks utilizing stolen credentials, the precise methodology of acquiring the credentials stays unclear.
As soon as inside, they expanded their entry by extracting extra credentials from community gadget configurations and intercepting authentication visitors (SNMP, TACACS, and RADIUS).
Additionally they exfiltrated gadget configurations over TFTP and FTP to facilitate lateral motion, which contained delicate authentication knowledge, weakly encrypted passwords, and community mapping particulars.
The attackers demonstrated superior strategies for persistent entry and evasion, together with often pivoting between totally different networking units to cover their traces and utilizing compromised edge units to pivot into associate telecom networks.
The menace actors had been additionally noticed modifying community configurations, enabling Visitor Shell entry to execute instructions, altering entry management lists (ACLs), and creating hidden accounts.
Supply: Cisco
The customized JumbledPath malware
A main part of the Salt Storm assaults was monitoring community exercise and stealing knowledge utilizing packet-capturing instruments like Tcpdump, Tpacap, Embedded Packet Seize, and a customized software referred to as JumbledPath.
JumpedPath is a Go-based ELF binary constructed for x86_64 Linux-based techniques that allowed it to run on a wide range of edge networking units from totally different producers, together with Cisco Nexus units.
JumbledPath allowed Salt Storm to provoke packet seize on a focused Cisco gadget through a jump-host, an middleman system that made the seize requests seem as in the event that they originate from a trusted gadget contained in the community whereas additionally obfuscating the attacker’s true location.
Supply: Cisco
The identical software may additionally disable logging and clear current logs to erase traces of its exercise and make forensic investigations harder.
Cisco lists a number of suggestions to detect Salt Storm exercise, corresponding to monitoring for unauthorized SSH exercise on non-standard ports, monitoring log anomalies, together with lacking or unusually massive ‘.bash_history’ recordsdata, and inspecting for surprising configuration modifications.
Over the previous couple of years, Chinese language menace actors have more and more focused edge networking units to put in customized malware that permits them to watch community communications, steal credentials, or act as proxy servers for relayed assaults.
These assaults have focused well-known producers, together with Fortinet, Barracuda, SonicWall, Verify Level, D-Hyperlink, Cisco, Juniper, NetGear, and Sophos.
Whereas many of those assaults exploited zero-day vulnerabilities, different units had been breached by compromised credentials or older vulnerabilities. Subsequently, admins should apply patches to edge networking units as quickly as they’re accessible.
