Salt Typhoon: JumbledPath Malware Targeting US Telecom Providers
Salt Typhoon, tracked by various threat intelligence teams under different names (such as Earth Estries, GhostEmperor, or UNC2286), is a state-aligned threat actor that was caught using a widely abused technique, stolen credentials, in a new way: turning them against legacy protocols and network devices.
Doesn't it sound like the same story over and over? Users are far from the only place where remote access is underpinned by usernames and passwords, and pivoting through network access devices is made easier when old playbooks and techniques can be reused again and again.
Their custom “JumbledPath” malware underscores the group’s advanced capabilities and willingness to innovate. This threat is particularly concerning because telecom networks underpin national infrastructure, enabling everything from emergency services to routine phone calls. In fact, U.S. authorities have confirmed that Salt Typhoon is behind successful breaches of Verizon, AT&T, Lumen Technologies, and T-Mobile.
How does Salt Typhoon execute this attack?
JumbledPath itself is a Go-based ELF binary built for Linux that can run on edge networking devices including Cisco Nexus devices. It enabled Salt Typhoon to capture packets from a Cisco device by routing requests through a jump-host, an intermediary that disguised the attacker’s origin and made each request appear to come from a trusted internal system.
- First, Salt Typhoon gains access via stolen credentials. This remains one of the oldest, and still tremendously effective, ways for malicious actors to obtain access that looks authorized. As we like to say, attackers don't break in, they just log in.
- Once inside, they aim to harvest additional credentials from network device configurations and by intercepting authentication traffic (SNMP, TACACS, and RADIUS).
- Additionally, they have demonstrated sophisticated techniques for maintaining persistent access and evading detection by switching between different networking devices and operating from already compromised edge devices.
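The second step above depends on credentials being recoverable from device configurations or from cleartext authentication protocols. The following is an added example, not code from the original post or from any vendor: a small audit script that scans a Cisco IOS-style running-config for the settings that make that harvesting possible (reversible `password`/type 7 strings, `enable password` instead of `enable secret`, SNMPv1/v2c community strings, type 7 TACACS+/RADIUS keys, and VTY lines without an `access-class`). The sample configuration, hostnames and rule names are constructed for this example.

```python
"""Audit a Cisco IOS-style config for settings that leave credentials
recoverable from the config file or from the wire.  Added example; the
sample config below is constructed, not taken from a real device."""
import re

# Each rule: (rule id, regex applied to a top-level config line, explanation).
RULES = [
    ("enable-password", re.compile(r"^enable password "),
     "'enable password' is stored type 0 or type 7 (both recoverable); use 'enable secret'"),
    ("user-password", re.compile(r"^username \S+ password "),
     "local user stored with 'password' (recoverable); use 'username ... secret'"),
    ("snmp-community", re.compile(r"^snmp-server community "),
     "SNMPv1/v2c community string: readable in config and sent in cleartext; migrate to SNMPv3 authPriv"),
    ("aaa-server-key-type7", re.compile(r"^(tacacs|radius)-server host \S+ key 7 "),
     "TACACS+/RADIUS shared key stored as type 7 (reversible)"),
]

# Constructed sample config for this example.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password cisco123
username admin password 7 094F471A1A0A
username ops secret 5 $1$ABCD$ConstructedHashValue
snmp-server community public RO
snmp-server community private RW
snmp-server group v3admins v3 priv
tacacs-server host 10.0.0.5 key 7 03075218050
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 access-class 10 in
 login local
 transport input ssh
"""


def audit_config(config: str) -> list[dict]:
    """Return one finding dict per weak setting, in config order."""
    findings = []
    block = None        # (start line number, header) of the open 'line ...' block
    restricted = False  # did the open block carry an 'access-class'?

    def vty_finding():
        return {"line": block[0], "rule": "vty-no-access-class", "text": block[1],
                "message": "VTY lines have no 'access-class': remote management reachable from any IP"}

    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(" "):            # indented: belongs to the open block
            if block and line.strip().startswith("access-class "):
                restricted = True
            continue
        # A top-level line closes any open block; report unrestricted VTY blocks.
        if block and block[1].startswith("line vty") and not restricted:
            findings.append(vty_finding())
        block, restricted = None, False
        if line.startswith("line "):
            block = (lineno, line)
            continue
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule_id, "text": line, "message": message})
    if block and block[1].startswith("line vty") and not restricted:
        findings.append(vty_finding())
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}  {f['rule']:<22} {f['message']}")
```

The script only flags the presence of recoverable material; it never decodes anything. Run it against exported configs from a version-control or backup repository so that every device is checked, not just the ones someone remembers to log into.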
What are effective mitigation strategies?
Some defense strategies include:
- Implement phishing-resistant MFA: Eliminate the initial access vector by replacing weak credentials with device-bound, asymmetric key pairs (device-bound passkeys). You can commit to the strictest patching cadence, logging, and configuration management, but if your front door is wide open, attackers will continue to walk through it.
- Logging and auditing: Capture logs from networking devices, especially administrative logs.
- Federate access: Improve auditability and remove the need for weak credentials; many enterprise-grade devices support federation with SAML, so administrators can authenticate with the strong credentials of your SSO.
- Replace vulnerable networking devices: Replace networking devices that don't support the features above. Where replacement is infeasible and strong authentication is not available, rotate credentials often and use long, complex passwords.
- Regular patching and configuration management: Apply patches as soon as your networking device provider makes them available. Unpatched systems remain an entry point for threat actors given the number of zero-day vulnerabilities.
- IP restrictions: Restrict access to networking devices to known IP addresses.
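The logging and IP-restriction items above only pay off if someone actually looks at the administrative logs. As an added example that is not part of the original post, the script below runs over constructed Cisco-style `%SEC_LOGIN` syslog lines and raises alerts for the three patterns the attack chain described earlier would produce: a successful admin login from outside the management subnet, a login whose source is another network device (device-to-device hopping), and a burst of failed logins from one source. The management range, device address list, hostnames and threshold are assumptions for this example.

```python
"""Detect suspicious network-device admin logins in Cisco-style syslog.
Added example; the policy values and log lines are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed policy: only the management subnet may open admin sessions,
# and these addresses belong to other network devices.
MGMT_RANGES = [ipaddress.ip_network("10.200.0.0/24")]
DEVICE_ADDRESSES = {ipaddress.ip_address(a) for a in ("10.1.1.1", "10.1.1.2", "10.1.1.3")}
FAILURE_THRESHOLD = 3

# Matches IOS login messages: "<timestamp> <device> %SEC_LOGIN-<sev>-<event>: ... [user: X] [Source: IP]"
LOG_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<device>\S+) %SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED):"
    r".*?\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")

# Constructed sample log lines for this example.
SAMPLE_LOGS = """\
Feb 10 10:22:15 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.200.0.15] [localport: 22] at 10:22:15 UTC Mon Feb 10 2025
Feb 10 10:40:02 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.2] [localport: 22] at 10:40:02 UTC Mon Feb 10 2025
Feb 10 11:03:44 core-sw-02 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22] at 11:03:44 UTC Mon Feb 10 2025
Feb 10 11:05:10 core-sw-02 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.77] [localport: 22] [Reason: Login Authentication Failed] at 11:05:10 UTC Mon Feb 10 2025
Feb 10 11:05:12 core-sw-02 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.77] [localport: 22] [Reason: Login Authentication Failed] at 11:05:12 UTC Mon Feb 10 2025
Feb 10 11:05:15 core-sw-02 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.77] [localport: 22] [Reason: Login Authentication Failed] at 11:05:15 UTC Mon Feb 10 2025
"""


def parse(line: str):
    """Return a dict (device, event, user, src as an ip_address) or None for non-login lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def analyze(log_text: str) -> list[dict]:
    """Return alerts in log order, with failure-burst alerts appended at the end."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["event"] == "LOGIN_FAILED":
            failures[(rec["device"], rec["src"], rec["user"])] += 1
            continue
        # Successful login: the more specific device-to-device check comes first.
        if rec["src"] in DEVICE_ADDRESSES:
            alerts.append({"rule": "device-to-device-login", **rec})
        elif not any(rec["src"] in net for net in MGMT_RANGES):
            alerts.append({"rule": "login-outside-mgmt-range", **rec})
    for (device, src, user), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            alerts.append({"rule": "repeated-failures", "device": device, "src": src,
                           "user": user, "event": "LOGIN_FAILED", "count": n})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"{a['rule']:<26} device={a['device']} user={a['user']} src={a['src']}")
```

Feed the same logic from your syslog collector rather than a file, and keep `DEVICE_ADDRESSES` in sync with your inventory: a login arriving from a router or switch address is exactly the edge-device-to-edge-device hop that should never happen under normal administration.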
Conclusion
Salt Typhoon's evolving JumbledPath malware should be a wake-up call for any organization, especially those in critical infrastructure sectors. With defense in depth, from identity and access security to logging and security hygiene for networking devices, organizations can close the gaps exploited by adversaries like Salt Typhoon.