Chinese hacker group Salt Typhoon attacks (telecommunications) companies worldwide

The US National Security Agency (NSA) and other US and foreign organizations have issued a security alert. Cyber groups such as Salt Typhoon, which are supported by the Chinese government, are attacking networks worldwide in the areas of telecommunications, government, transportation, hospitality, and military infrastructure.

The actors behind advanced persistent threats (APTs) have been successfully identified. These actors are supported by the Chinese government and target networks worldwide in the telecommunications, government, transportation, hospitality, and military infrastructure sectors.

According to the warnings, these activities are linked to several China-based companies, including Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. These companies provide cyber products and related services to the Chinese Ministry of State Security and the People's Liberation Army. The activity overlaps with the group tracked as Salt Typhoon, which has been linked to these network intrusions.

Extensive information from CISA

The US security agency CISA refers to the relevant warning Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System (37-page PDF) in the following tweet (and on this page).

Salt Typhoon hacks telecom providers

The comprehensive PDF document also contains a list of appropriate risk mitigation measures. The CISA advisory linked above states that the following vulnerabilities, among others, are being exploited:

  • CVE-2024-21887: Ivanti Connect Secure and Ivanti Policy Secure web-component command injection vulnerability, commonly chained after CVE-2023-46805 (authentication bypass).
  • CVE-2024-3400: Palo Alto Networks PAN-OS GlobalProtect arbitrary file creation leading to OS command injection. The CVE allows for unauthenticated remote code execution (RCE) on firewalls when GlobalProtect is enabled on specific versions/configurations.
  • CVE-2023-20273: Cisco Internetworking Operating System (IOS) XE software web management user interface post-authentication command injection/privilege escalation (commonly chained with CVE-2023-20198 for initial access to achieve code execution as root) [T1068].
  • CVE-2023-20198: Cisco IOS XE web user interface authentication bypass vulnerability.
  • CVE-2018-0171: Cisco IOS and IOS XE Smart Install remote code execution vulnerability.

These vulnerabilities allow attackers to gain access to routing and network devices, enabling them to modify access control lists, enable SSH on non-standard ports, create GRE/IPsec tunnels, and exploit Cisco Guest Shell containers to maintain their presence.
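As an added defender-side example (not from the advisory or the original post), the following Python audit scans a Cisco IOS XE running-config for exactly the indicators listed above: SSH bound to a non-standard port, GRE/IPsec tunnel interfaces, Guest Shell (IOx) enablement, and ACL entries that are not in a known-good baseline. The config text is constructed, and the command syntax assumed here (`ip ssh port ... rotary`, `iox`, `tunnel mode`, `tunnel protection`) follows IOS XE conventions rather than being quoted from the advisory.

```python
"""Audit a Cisco IOS XE running-config for the persistence indicators the
advisory names. All config text is constructed sample input, not a capture."""
import re

BASELINE_CONFIG = """\
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny   ip any any
"""
# Constructed sample with every indicator (RFC 5737 documentation addresses).
SUSPECT_CONFIG = """\
ip ssh port 2222 rotary 1
iox
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp host 203.0.113.7 any eq 2222
 deny   ip any any
interface Tunnel100
 tunnel destination 198.51.100.9
 tunnel mode gre ip
"""

def _stanzas(config, header_re):
    """Return (captured header field, [child lines]) for each stanza whose
    top-level line matches header_re (which must contain one capture group)."""
    pat = rf"^{header_re}[^\n]*\n((?: [^\n]*\n)*)"
    return [(m.group(1), [c.strip() for c in m.group(2).splitlines()])
            for m in re.finditer(pat, config.rstrip("\n") + "\n", re.M)]

def audit_config(config, baseline):
    """Return (indicator, detail) findings; an empty list means nothing flagged."""
    findings = []
    for port, _ in _stanzas(config, r"ip ssh port (\d+)"):
        if port != "22":
            findings.append(("ssh_nonstandard_port", port))
    for feature, _ in _stanzas(config, r"(iox|app-hosting appid guestshell)"):
        findings.append(("guestshell_enabled", feature))
    for name, body in _stanzas(config, r"interface (Tunnel\S+)"):
        # GRE over IP is the IOS XE default when no 'tunnel mode' line is present.
        mode = next((c for c in body if c.startswith(("tunnel mode", "tunnel protection"))),
                    "tunnel mode gre ip")
        findings.append(("tunnel_interface", f"{name}: {mode}"))
    base = {n: set(b) for n, b in _stanzas(baseline, r"ip access-list \S+ (\S+)")}
    for name, body in _stanzas(config, r"ip access-list \S+ (\S+)"):
        for entry in sorted(set(body) - base.get(name, set())):  # not in baseline
            findings.append(("acl_added_entry", f"{name}: {entry}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_config(SUSPECT_CONFIG, BASELINE_CONFIG):
        print(f"{kind:22} {detail}")
```

Run against `show running-config` output captured from each device and a baseline taken from the last approved change, the four indicator classes map directly to the persistence behaviour the advisory describes.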

Mandiant notes on the attacks

The Google-affiliated security provider Mandiant sent me a statement yesterday evening with its own findings. According to this statement, Mandiant was involved in the lengthy and challenging operation to force this actor out of global telecommunications systems.

Although there are many Chinese cyber espionage actors who regularly target the telecommunications sector, Mandiant says that this actor's (Salt Typhoon's) familiarity with telecommunications systems gives it a unique advantage, especially when it comes to avoiding detection.

Many of the particularly successful Chinese cyber espionage actors that Mandiant's security researchers have encountered during intrusions have in-depth expertise in the technologies used by their targets. This gives the attackers a clear advantage.

Mandiant has added another interesting aspect: An ecosystem of contractors, academics, and other supporters from China forms the core of Chinese cyber espionage. Contractors are used to develop tools and valuable exploits, as well as to carry out the dirty work of intrusion operations. This has been crucial to the rapid advancement of these operations and their expansion to unprecedented levels.

"In addition to telecommunications, the reported targeting of the hospitality and transportation sectors could be used to closely monitor individuals. Information from these industries can be used to build a complete picture of who someone is talking to, where they are, and where they are going," says John Hultquist, chief analyst at Google Threat Intelligence Group.

This entry was posted in Security.