Dec 18, 2024

Breaking Down Salt Typhoon


Introduction

Salt Typhoon refers to a sophisticated cyber espionage operation orchestrated by a Chinese Advanced Persistent Threat (APT) group, commonly known as Earth Estries, Ghost Emperor, or UNC2286. This state-sponsored actor has been linked to high-profile breaches targeting critical U.S. infrastructure, including major telecommunications providers such as Verizon, AT&T, T-Mobile, and Lumen Technologies. The operation’s successes highlight the advanced capabilities and long-term persistence characteristic of well-resourced nation-state-backed threat actors.

In recent campaigns, Salt Typhoon has demonstrated a focused strategy of exploiting vulnerabilities in wiretap systems and critical communication infrastructure. By leveraging techniques such as “living off the land” and exploiting network device vulnerabilities, they have successfully accessed sensitive data, including government communications and law enforcement wiretaps. These actions underline the pressing need for enhanced cybersecurity measures to protect national security interests and critical assets.

Key Takeaways

1. Initial Access

The sophisticated cyberattack carried out by a group of Chinese hackers known as Salt Typhoon began as early as 2022. According to U.S. officials, the goal was to provide Chinese operatives with ongoing access to telecommunications networks across the U.S. by targeting devices such as routers and switches operated by companies like AT&T, Verizon, and Lumen.

Salt Typhoon initially focused on compromising the public-facing servers of their targets. They exploited several known server vulnerabilities (N-day vulnerabilities). For more details, refer to point 7.


2. Advanced Espionage Tactics

Salt Typhoon employs “living off the land” tactics, utilizing tools like PowerShell and WMIC to evade detection while conducting reconnaissance, credential theft, and data exfiltration. They also exploit known vulnerabilities in network devices to maintain long-term access to compromised environments.

3. Targeting Critical Infrastructure

The group primarily focuses on U.S. telecommunications providers and is breaching wiretap systems to access sensitive communications. These activities compromise privacy and jeopardize national security by exposing critical surveillance systems.

4. Nation-State Sponsorship

Salt Typhoon is believed to be affiliated with China’s Ministry of State Security, which provides them with significant resources, protection, and strategic directives. Their activities align with broader geopolitical objectives, including intelligence collection and potential disruption of adversarial capabilities.

5. Impacts on National Security

Breaches of wiretap systems undermine law enforcement’s ability to conduct secure surveillance and monitor criminal activities. Moreover, access to sensitive communications involving government officials could influence political processes or expose national vulnerabilities.

6. Mitigation Measures

To counter threats posed by Salt Typhoon, organizations must adopt robust cybersecurity frameworks, including:

7. Vulnerabilities Leveraged by Salt Typhoon and Detection by Armis Centrix™ for Early Warning

Salt Typhoon’s activities serve as a wake-up call to governments and enterprises alike, emphasizing the importance of proactive defenses and collaboration in addressing the evolving threat landscape with a preemptive strategy. The following is the list of known vulnerabilities used by Salt Typhoon and how early Armis Centrix™ for Early Warning alerted our customers to exploitation in the wild, two months ahead of industry standards.

Salt Typhoon Vulnerability | Added to Armis Early Warning List Ahead of CISA KEV
CVE-2023-46805, CVE-2024-21887 (Ivanti Connect VPN) | 24 Days Early (with Flash Alert)
CVE-2023-48788 (Fortinet FortiClient EMS) | 11 Days Early
CVE-2022-3236 (Sophos Firewall) | Same Day as CISA
CVE-2021-26855 (Microsoft Exchange – ProxyLogon) | Months Early

Diagram: CVE-2021-26855 (Microsoft Exchange – ProxyLogon), identified by Armis 8 months earlier.


Overview of the 5 CVEs Leveraged by Salt Typhoon

1. CVE-2023-46805
Vendor: Ivanti
Product(s): Ivanti Connect Secure (ICS) and Policy Secure (IPS) appliance
Impact: Authentication bypass
Details: This flaw enabled attackers to access restricted resources without proper authentication by exploiting weaknesses in the web component of the affected systems. When chained with another vulnerability, such as CVE-2024-21887, attackers achieved remote code execution without authentication. This vulnerability has been actively exploited in the wild by known sophisticated state-backed threat actors.

2. CVE-2024-21887
Vendor: Ivanti
Product(s): Ivanti Connect Secure (ICS) and Policy Secure (IPS) appliance
Impact: Authentication bypass
Details: The vulnerability allows authenticated administrators to send crafted requests to execute arbitrary code on affected appliances. The vulnerability has been actively exploited, with attackers using it to implant web shells, harvest credentials, and escalate privileges. These compromises allowed attackers to move laterally within the network, with some incidents leading to complete domain compromise.

3. CVE-2023-48788
Vendor: Fortinet
Product(s): FortiClient Enterprise Management Server (EMS)
Impact: SQL Injection
Details: This vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) allows unauthenticated attackers to manipulate SQL commands through crafted requests, leading to direct command execution on the server. Active exploitation began within days of disclosure, and the flaw was widely leveraged for post-exploitation activity such as installing RMM tools and lateral movement.

4. CVE-2022-3236
Vendor: Sophos
Product(s): Sophos Firewall
Impact: Remote Code Execution
Details: A vulnerability in the User Portal and Webadmin interfaces of the Sophos Firewall. Exploiting it allows unauthenticated attackers to execute arbitrary code remotely, granting them unauthorized access to the system. It was exploited in active campaigns as a zero-day before a patch was released in September 2022.

5. CVE-2021-26855
Vendor: Microsoft
Product(s): Microsoft Exchange Server
Impact: Authentication bypass
Details: This is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server that allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange server itself, which can be abused to access internal resources, including sensitive systems and data. It was actively exploited in the wild as part of a multi-step attack chain in which attackers used CVE-2021-26855 for initial access and pivoted to CVE-2021-27065 to achieve full system compromise.

Enable Proactive Cybersecurity with AI-driven Early Warning Detection by Armis Centrix™ for Early Warning

Armis Centrix™ for Early Warning is the proactive cybersecurity solution designed to empower organizations with early warning intelligence to anticipate and mitigate cyber risks effectively. By leveraging AI-driven actionable intelligence, Armis Centrix™ provides insights into vulnerabilities that threat actors exploit in the wild or are about to weaponize, allowing organizations to understand their impact and take preemptive action. Armis provided early warning on 2 of the 4 CVEs leveraged by Salt Typhoon, allowing organizations to address potential vulnerabilities with an average lead time of more than two months, ensuring that security teams have ample time to prepare and implement necessary defenses.

To enhance their cybersecurity strategy, security teams should integrate Armis Centrix™ for Early Warning with CISA’s Known Exploited Vulnerabilities (KEV) Catalog. While CISA KEV offers general risk prioritization and focuses on known exploited vulnerabilities, Armis Centrix™ delivers real-time updates and evidence-based insights with high confidence levels. Armis Centrix™ focuses on the formulation stage of exploits by threat actors targeting vulnerabilities. By blending these tools, organizations can ensure a more robust cybersecurity posture, benefiting from both the timely, accurate, and evidence-based capabilities of Armis and the foundational insights of CISA KEV.
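As an added example (not Armis code and not the Armis Centrix™ product), the following Python computes the kind of lead time the table above reports and merges an internal early-warning list with a CISA KEV style feed, so that a CVE flagged by either source is prioritised; the KEV feed, the early-warning list and all dates are constructed for the example.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's known_exploited_vulnerabilities.json;
# the dateAdded values are invented for this example.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti", "dateAdded": "2024-01-10"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti", "dateAdded": "2024-01-10"},
    {"cveID": "CVE-2023-48788", "vendorProject": "Fortinet", "dateAdded": "2024-03-25"},
    {"cveID": "CVE-2022-3236", "vendorProject": "Sophos", "dateAdded": "2022-09-23"},
]})

# Hypothetical internal early-warning list: CVE -> date the team was alerted
# (dates chosen so the lead times match the table on this page).
EARLY_WARNING = {
    "CVE-2023-46805": "2023-12-17",
    "CVE-2024-21887": "2023-12-17",
    "CVE-2023-48788": "2024-03-14",
    "CVE-2022-3236": "2022-09-23",
    "CVE-2021-26855": "2021-03-05",  # deliberately absent from the sample KEV feed
}

def kev_dates(kev_json):
    """Map cveID -> dateAdded from a KEV-style feed."""
    feed = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dateAdded"]) for v in feed["vulnerabilities"]}

def lead_times(kev_json, early_warning):
    """Days between the early-warning flag and the KEV entry for CVEs in both sources;
    positive means the watchlist flagged the CVE before CISA added it to KEV."""
    kev = kev_dates(kev_json)
    return {cve: (kev[cve] - date.fromisoformat(flagged)).days
            for cve, flagged in early_warning.items() if cve in kev}

def not_yet_in_kev(kev_json, early_warning):
    """Watchlist CVEs that KEV has not confirmed: still worth prioritising,
    since the catalogue lags the first signs of exploitation."""
    kev = kev_dates(kev_json)
    return sorted(cve for cve in early_warning if cve not in kev)

def merged_watchlist(kev_json, early_warning):
    """Union of both sources, earliest flag date first, with the sources carrying each CVE."""
    kev = kev_dates(kev_json)
    rows = []
    for cve in set(kev) | set(early_warning):
        dates = {"kev": kev[cve]} if cve in kev else {}
        if cve in early_warning:
            dates["early_warning"] = date.fromisoformat(early_warning[cve])
        rows.append((min(dates.values()).isoformat(), cve, sorted(dates)))
    return sorted(rows)
```

Pointing `KEV_JSON` at the real CISA feed and `EARLY_WARNING` at your own intelligence source turns this into a daily check of which watchlist items the catalogue has caught up on and which it has not.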

Learn more about Armis Centrix™ for Early Warning, or request a demo today.
