China-linked APT group Salt Typhoon compromised some U.S. internet service providers (ISPs)

Security Affairs, 2024-09-26
https://securityaffairs.com/168941/apt/salt-typhoon-china-linked-threat-actors-breached-us-isp.html

China-linked threat actors compromised some U.S. internet service providers (ISPs) as part of a cyber espionage campaign code-named Salt Typhoon.

China-linked threat actors have breached several U.S. internet service providers in recent months as part of a cyber espionage campaign code-named Salt Typhoon.

The state-sponsored hackers aimed at gathering intelligence from the targets or carrying out disruptive cyberattacks.

The Wall Street Journal reported that experts are investigating the breaches to determine whether the attackers gained access to Cisco Systems routers, which are core components of the ISPs' network infrastructure.

A Cisco spokeswoman confirmed the investigation and said that “at this time, there is no indication that Cisco routers are involved” in the Salt Typhoon activity.

The cyber campaign is attributed to the China-linked APT group Salt Typhoon, which is also known as FamousSparrow and GhostEmperor.

“Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, according to people familiar with the matter.” the Wall Street Journal reported.

“The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing’s massive digital army of cyberspies has had breaking into valuable computer networks in the U.S. and around the globe.”

China has long targeted global internet service providers, and the recent attacks are aligned with past operations linked to Beijing.

Intelligence and cybersecurity experts warn that Chinese nation-state actors have shifted from stealing secrets to infiltrating critical U.S. infrastructure, suggesting that they are now targeting the core of America’s digital networks.

The Salt Typhoon hacking campaign, linked to China, appears focused on intelligence gathering rather than crippling infrastructure, unlike the attacks carried out by another China-linked APT group called Volt Typhoon. Chris Krebs from SentinelOne suggested that the group behind Salt Typhoon may be affiliated with China’s Ministry of State Security, specifically the APT40 group, which specializes in intelligence collection. This group was publicly called out by the U.S. and its allies for hacking activities in July.

In July, Cisco addressed an actively exploited NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant exploited to deploy previously unknown malware as root on vulnerable switches.

Cybersecurity firm Sygnia observed the attacks in April 2024 and reported them to Cisco.

“Sygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a ‘zero-day’ and shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group – dubbed ‘Velvet Ant’ – successfully executed commands on the underlying operating system of Cisco Nexus devices.” reads the report published by Sygnia. “This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.”

In August, Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka Evasive Panda, Daggerfly, and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations.

The threat actors targeted insecure software update mechanisms to install malware on macOS and Windows victim machines.

In mid-2023, Volexity discovered multiple malware infections affecting macOS and Windows systems within victim organizations. The company linked the attacks to the StormBamboo APT group. Upon investigating the incidents, the researchers determined that a DNS poisoning attack at the ISP level caused the infection. The attackers altered DNS responses for domains related to software updates to deploy multiple malware families, including MACMA and POCOSTICK (MGBot). The attacker’s methods resemble those of DriftingBamboo, suggesting a possible connection between the two threat actors.

Daggerfly has been active for at least a decade and is known for its use of the custom MgBot malware framework. In 2023, Symantec identified a Daggerfly intrusion at an African telecom operator that used new MgBot plugins, highlighting the group’s ongoing evolution in cyber espionage tactics.

The Macma macOS backdoor was first detailed by Google in 2021 and has been used since at least 2019. At the time of discovery, threat actors employed the malware in watering hole attacks involving compromised websites in Hong Kong. The watering hole attacks used exploits for iOS and macOS devices. Attackers exploited the privilege escalation vulnerability CVE-2021-30869 to install Macma on macOS devices.

Macma is a modular backdoor that supports multiple functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, and uploading and downloading files.

Although Macma was widely used in cyber operations carried out by nation-state actors, it was not linked to a particular group.

“During one incident investigated by Volexity, it was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers.” reads the report published by Volexity. “The DNS records were poisoned to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130[.]107. Initially, Volexity suspected the initial victim organization’s firewall may have been compromised. However, further investigation revealed the DNS poisoning was not performed within the target infrastructure, but further upstream at the ISP level.”

Volexity promptly alerted the ISP, which then investigated key traffic-routing devices on its network. After rebooting and taking parts of the network offline, the DNS poisoning stopped. The researchers were not able to identify a specific compromised device; however, updating or deactivating various infrastructure components effectively ended the malicious activity.

“The logic behind the abuse of automatic updates is the same for all the applications: the legitimate application performs an HTTP request to retrieve a text-based file (the format varies) containing the latest application version and a link to the installer.” continues the report. “Since the attacker has control of the DNS responses for any given DNS name, they abuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a malicious installer. The AiTM workflow is shown below.”

[Figure: StormBamboo AiTM workflow]

StormBamboo targeted various software vendors with insecure update mechanisms, using complex methods to deploy malware. For example, they targeted 5KPlayer’s update process for the “youtube-dl” dependency to deliver a backdoored installer from their C2 servers. Once systems were compromised, the attackers installed a malicious Google Chrome extension called ReloadText to steal browser cookies and email data.

In June 2019, researchers at Cybereason uncovered an ongoing, long-running espionage campaign, tracked as Operation Soft Cell, that targets telco providers. The tactics, techniques, and procedures, together with the type of targets, suggest the involvement of a nation-state actor likely linked to the Chinese APT10 group.

Once they have compromised the networks of telecommunication companies, attackers can access mobile phone users’ call data records.

“Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers. The attack was aiming to obtain CDR records of a large telecommunications provider.” reads the report published by Cybereason.

“The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”

According to Amit Serper, head of security research at Cybereason, attackers exfiltrated gigabytes of data from the target networks, but always in relatively small amounts to remain under the radar.

In mid-September, Lumen’s Black Lotus Labs discovered a new botnet, named Raptor Train, composed of small office/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by the China-linked APT group Flax Typhoon (also called Ethereal Panda or RedJuliett).

The botnet has been active since at least May 2020, reaching its peak with 60,000 compromised devices in June 2023.

Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered. A command and control (C2) domain from a recent campaign even appeared on the Cloudflare Radar and Cisco Umbrella “top 1 million” lists, indicating widespread device exploitation. Researchers estimate that hundreds of thousands of devices have likely been compromised since the botnet’s creation.

China has consistently denied accusations from Western governments and tech firms about its involvement in cyberattacks. Liu Pengyu, a spokesman for the Chinese Embassy in Washington, recently accused U.S. spy agencies and cybersecurity firms of fabricating evidence to blame China. Despite these denials, China-linked APT groups have a history of targeting global telecommunications infrastructure.

Pierluigi Paganini

(SecurityAffairs – hacking, Salt Typhoon)