Researchers Find Salt Typhoon Exploited One Known Cisco Bug, But Mostly Accessed Telecoms Via Stolen Employee Credentials

New research from Talos Intelligence, Cisco’s cybersecurity subsidiary, finds that the Salt Typhoon campaign has largely been fueled by stolen login credentials. The attackers did abuse at least one known Cisco bug, but for the most part have been stealing these credentials by capturing device configurations that contain authentication materials and probing for weak password encryption.

Cisco bugs not the primary focus of Chinese hackers

Talos confirms that at least one known Cisco bug, CVE-2018-0171, was likely actively exploited by Salt Typhoon. But the researchers say that the primary approach was to target legitimate existing credentials, likely through a variety of methods. No new Cisco vulnerabilities were discovered during the course of the research.

The researchers say that they cannot account for how all of the credentials used in these attacks were taken, but have observed some activity indicating that one technique is to obtain network device configurations and mine them for weakly encrypted credentials that can be taken offline and cracked. The attackers have also been seen targeting SNMP, TACACS, and RADIUS traffic with the goal of obtaining the secret keys shared between network devices and TACACS/RADIUS servers.

Once inside networks, Salt Typhoon frequently moves from machine to machine through compromised infrastructure. This serves to cloak their activity from network defense monitoring; a number of these machines are merely used as “hop points” prior to reaching the real target.

The researchers note that three other Cisco bugs that have been reported by third-party sources as being exploited (CVE-2023-20198, CVE-2023-20273 and CVE-2024-20399) have not been observed in use by Salt Typhoon, but should nevertheless be patched as soon as possible as other threat actors are aware of them and regularly target them.

Salt Typhoon uses custom malware, actively clears logs to cover its tracks

One of the highlights of the report, at least from a detection and identification perspective, is the revelation that Salt Typhoon uses custom malware called “JumbledPath” to monitor network traffic and exfiltrate data of interest. The malware is a Go-based ELF binary that targets a broad range of Linux-based systems, allowing it to function on a variety of edge networking devices (including Cisco products such as the Nexus series). The tool also has robust capability to monitor and disable logging activity and clear existing logs of indications of the group’s presence.

Talos noted that the one Cisco bug that Salt Typhoon was observed exploiting, found in Cisco IOS XE, has been documented for seven years and long had a security patch available. While the report does not necessarily absolve the company of responsibility, it does highlight the fact that timely patching remains a common problem even among major telcos, ISPs and other components of critical infrastructure known to be highly targeted by the world’s most advanced state-sponsored threat actors.

Edge devices have become a point of focus since 2023, as state-backed hackers like Salt Typhoon have noticed that they are often poorly monitored by endpoint detection and can sit unpatched for long periods. This approach usually eschews phishing in favor of exploiting known and documented issues similar to the Cisco bugs noted in the Talos report. Further research into the other routers and equipment said to have been exploited during this campaign may well yield more information about how the Chinese hackers were finding their way into all of these high-profile systems.

In the meantime, Talos provides some detection and prevention advice that stretches beyond addressing specific Cisco bugs. The researchers recommend monitoring specifically for gaps in logging or decreases in normal activity, unusual changes in configurations or behavior, and for non-empty or unusually large .bash_history files among other forensic techniques.

Cisco-specific preventive measures include disabling underlying non-encrypted web servers (or all underlying web servers if web management is not required), ensuring telnet is not available on any Virtual Teletype (VTY) devices, and disabling the Cisco Smart Install service. Aside from patching and implementing MFA, more general preventive measures include disabling all non-encrypted web management capabilities, verifying existence and correctness of access control lists for all management protocols, and aggressively monitoring credential systems such as TACACS+ and any jump hosts.
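As an added example (not from the Talos report or Cisco), the following script audits a running-config excerpt for the conditions discussed above: the Cisco-specific hardening items (Smart Install, cleartext HTTP, telnet on VTY lines) and the weakly protected credential material that attackers are described as harvesting from captured configurations. The sample configuration is constructed for this example, and the remediation strings are standard IOS commands supplied here as suggestions, not quoted from the report.

```python
import re

# Constructed sample of a Cisco IOS XE running-config excerpt, written for this
# example; it is not from the Talos report or any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
vstack
ip http server
no ip http secure-server
enable password 7 094F471A1A0A
username netops password 7 0822455D0A16
tacacs server TAC1
 key 7 13061E010803
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

# (check id, line regex, remediation). The first three map to the Cisco-specific
# measures in the text; the last two cover the credential material the text says
# attackers harvest from captured configs (type 7 is reversible, not a hash).
CHECKS = [
    ("smart_install_enabled", re.compile(r"^vstack\s*$"), "no vstack"),
    ("cleartext_http_enabled", re.compile(r"^ip http server\b"), "no ip http server"),
    ("telnet_on_vty", re.compile(r"^\s*transport input\b.*\b(telnet|all)\b"),
     "transport input ssh"),
    ("reversible_type7_secret", re.compile(r"\b(password|key) 7 \S+"),
     "re-enter as a type 8/9 secret (enable algorithm-type scrypt secret ...)"),
    ("snmp_community_string", re.compile(r"^snmp-server community\b"),
     "prefer SNMPv3 authPriv; at minimum restrict the community with an ACL"),
]

def audit_config(config: str) -> list[dict]:
    """Return one finding per matching line: which check fired, where, and the fix."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for check_id, pattern, fix in CHECKS:
            if pattern.search(line):
                findings.append({"check": check_id, "line": lineno,
                                 "text": line.strip(), "fix": fix})
    return findings

def failed_checks(config: str) -> set[str]:
    """Distinct check ids that fired; convenient for assertions and dashboards."""
    return {f["check"] for f in audit_config(config)}

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}: {f['check']:<24} {f['text']!r} -> {f['fix']}")
```

Running it against a config where `show running-config` output has been saved to a file (read the file and pass its text to `audit_config`) gives a per-line list of the weak settings; a config with `no vstack`, `no ip http server`, `transport input ssh`, type 8/9 secrets and no SNMPv1/v2c community produces no findings.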

Darren Guccione, CEO and Co-Founder at Keeper Security, notes that lateral movement needs to be a point of particular focus when dealing with threat groups of this type: “Salt Typhoon’s campaign is a clear reminder that identity security is central to cyber resilience. Stolen credentials enabled the group to persist in networks for years, highlighting the need for strong password policies, enterprise password management and multi-factor authentication. But stopping credential theft isn’t enough – organizations must also ensure that attackers can’t escalate privileges or move laterally once inside. Beyond credential theft, the fact that Salt Typhoon exploited an unpatched vulnerability from 2018 exemplifies how outdated systems can become long-term liabilities. Effective cybersecurity isn’t just about sealing off the front door – it requires vigilance in closing known security gaps and limiting damage when defenses fail. Telecom providers and other critical infrastructure must take a layered approach that includes zero trust, least-privilege access and Privileged Access Management (PAM). PAM helps restrict lateral movement by securing and limiting access to critical systems, making it significantly harder for attackers to persist and minimizing the impact of a breach. By securing critical accounts and restricting lateral movement, organizations can make it significantly harder for adversaries to maintain control over time.”

Rom Carmel, Co-Founder and CEO at Apono, adds that this is yet another call to examine legacy hardware and seriously consider replacement: “This incident serves as yet another wake-up call for the industry: Legacy security gaps are still being exploited, and traditional perimeter-based defenses are no longer enough. Time and again, we see everyone from criminal gangs to APTs using tried-and-true methods like stolen credentials and known vulnerabilities to gain footholds, escalate privileges, and access sensitive resources. As organizations expand their cloud footprint, their identity attack surface grows, offering hackers more opportunities to exploit security gaps. Organizations must take a proactive stance in securing identities, enforcing least privilege, and ensuring that known vulnerabilities from the last decade do not remain an open door for attackers to exploit. By automating access controls and enforcing least privilege, organizations can reduce team workloads and achieve the greatest impact on security.”