China-linked threat actors have breached several U.S. internet service providers in recent months as part of a cyber espionage campaign code-named Salt Typhoon.

The state-sponsored hackers aimed to gather intelligence from the targets or to carry out disruptive cyberattacks.

The Wall Street Journal reported that experts are investigating the breaches to determine whether the attackers gained access to Cisco Systems routers, which are core components of the ISPs' network infrastructure.

The campaign is attributed to the China-linked APT group Salt Typhoon, which is also known as FamousSparrow and GhostEmperor.
“Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, according to people familiar with the matter,” the Wall Street Journal reported.

“The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing’s massive digital army of cyberspies has had breaking into valuable computer networks in the U.S. and around the globe.”
The Salt Typhoon campaign appears focused on intelligence gathering rather than on crippling infrastructure, unlike the activity of another China-linked APT group, Volt Typhoon. Chris Krebs of SentinelOne suggested that the group behind Salt Typhoon may be affiliated with China’s Ministry of State Security, specifically the APT40 group, which specializes in intelligence collection. The U.S. and its allies publicly called out APT40 for its hacking activities in July.

Network equipment has been a recurring target of China-linked groups. Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant exploited to deploy previously unknown malware as root on vulnerable switches.

“Sygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a ‘zero-day’ and shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group – dubbed ‘Velvet Ant’ – successfully executed commands on the underlying operating system of Cisco Nexus devices,” reads the report published by Sygnia. “This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.”
In August, Volexity researchers reported that a China-linked APT group tracked as StormBamboo (aka Evasive Panda, Daggerfly, and StormCloud) compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations.

In mid-2023, Volexity discovered multiple malware infections affecting macOS and Windows systems within victim organizations and linked the attacks to the StormBamboo APT group. On investigating the incidents, the researchers determined that a DNS poisoning attack at the ISP level caused the infections: the attackers altered DNS responses for domains used by software update mechanisms, so that clients fetched attacker-supplied updates, deploying multiple malware families, including MACMA and POCOSTICK (MGBot). The attackers’ methods resemble those of DriftingBamboo, suggesting a possible connection between the two threat actors.

The Macma macOS backdoor was first detailed by Google in 2021 and has been in use since at least 2019. At the time of discovery, threat actors employed the malware in watering hole attacks involving compromised websites in Hong Kong; those attacks used exploits for iOS and macOS devices, including the privilege escalation vulnerability CVE-2021-30869, which the attackers exploited to install Macma on macOS devices.
\u201cDuring one incident investigated by Volexity, it was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers.\u201d reads the report<\/a> published by Volexity. \u201cThe DNS records were poisoned to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130[.]107<\/code>. Initially, Volexity suspected the initial victim organization\u2019s firewall may have been compromised. However, further investigation revealed the DNS poisoning was not performed within the target infrastructure, but further upstream at the ISP level.\u201d<\/em><\/p>\n\n\n\n