Cisco Confirms Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks

Avatar
Cisco has confirmed that a Chinese threat actor known as Salt Typhoon gained access by likely abusing a known security flaw tracked as CVE-2018-0171, and by obtaining legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies. “The threat actor then demonstrated their ability to persist in target environments across equipment from multiple

Cisco has confirmed that a Chinese threat actor known as Salt Typhoon gained access by likely abusing a known security flaw tracked as CVE-2018-0171, and by obtaining legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies.

“The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years,” Cisco Talos said, describing the hackers as highly sophisticated and well-funded.

“The long timeline of this campaign suggests a high degree of coordination, planning, and patience — standard hallmarks of advanced persistent threat (APT) and state-sponsored actors.”

The networking equipment major said it found no evidence that other known security bugs have been weaponized by the hacking crew, contrary to a recent report from Recorded Future that revealed exploitation attempts involving flaws tracked as CVE-2023-20198 and CVE-2023-20273 to infiltrate networks.

An important aspect of the campaign is the use of valid, stolen credentials to gain initial access, although the manner in which they are acquired is unknown at this stage. The threat actor has also been observed making efforts to get hold of credentials via network device configurations and deciphering local accounts with weak password types.

“In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers,” Talos noted. “The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.”

Another noteworthy behavior exhibited by Salt Typhoon entails leveraging living-off-the-land (LOTL) techniques on network devices, abusing the trusted infrastructure as pivot points to jump from one telecom to another.

It’s suspected that these devices are being used as intermediate relays to reach the intended final target or as a first hop for outbound data exfiltration operations, as it offers a way for the adversary to remain undetected for extended periods of time.

Furthermore, Salt Typhoon has been spotted altering network configurations to create local accounts, enable Guest Shell access, and facilitate remote access via SSH. Also put to use is a bespoke utility named JumbledPath that allows them to execute a packet capture on a remote Cisco device through an actor-defined jump-host.

The Go-based ELF binary is also capable of clearing logs and disabling logging in an attempt to obfuscate traces of the malicious activity and make forensic analysis more difficult. This is supplemented by periodic steps undertaken to erase relevant logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable.

“The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure,” Cisco noted.

“The threat actor repeatedly modified the address of the loopback interface on a compromised switch and used that interface as the source of SSH connections to additional devices within the target environment, allowing them to effectively bypass access control lists (ACLs) in place on those devices.”

The company said it also identified “additional pervasive targeting” of Cisco devices with exposed Smart Install (SMI), followed by the exploitation of CVE-2018-0171. The activity, it pointed out, is unrelated to Salt Typhoon and does not share overlaps with any known threat actor or group.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks

Next Post

AI-Powered Deception is a Menace to Our Societies

Related Posts

New Malware Campaign Uses Cracked Software to Spread Lumma and ACR Stealer

Cybersecurity researchers are warning of a new campaign that leverages cracked versions of software as a lure to distribute information stealers like Lumma and ACR Stealer. The AhnLab Security Intelligence Center (ASEC) said it has observed a spike in the distribution volume of ACR Stealer since January 2025. A notable aspect of the stealer malware is the use of a technique called dead drop
Avatar
Read More

Dark Caracal Uses Poco RAT to Target Spanish-Speaking Enterprises in Latin America

The threat actor known as Dark Caracal has been attributed to a campaign that deployed a remote access trojan called Poco RAT in attacks targeting Spanish-speaking targets in Latin America in 2024. The findings come from Russian cybersecurity company Positive Technologies, which described the malware as loaded with a "full suite of espionage features." "It could upload files, capture screenshots
Avatar
Read More