Cisco Confirms Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks

Cisco has officially confirmed that the Chinese state-sponsored threat actor known as Salt Typhoon successfully infiltrated U.S. telecommunications networks by exploiting a known vulnerability, CVE-2018-0171. This security flaw, combined with the use of stolen login credentials, enabled the attackers to maintain long-term access to compromised environments, with one instance lasting more than three years.

According to Cisco Talos, Salt Typhoon’s operations exhibit a high level of sophistication, coordination, and patience—common traits of advanced persistent threat (APT) groups. The campaign underscores the ongoing risks posed by nation-state actors who strategically infiltrate critical infrastructure to establish deep and persistent footholds.

A Long-Term, Highly Coordinated Cyber Espionage Campaign

Salt Typhoon's ability to remain undetected for years highlights the group’s advanced tactics. Their persistence across multiple vendors’ equipment suggests meticulous planning and a well-funded operation. Unlike opportunistic cybercriminals who exploit vulnerabilities for immediate gain, state-sponsored actors like Salt Typhoon often aim for sustained access, allowing them to gather intelligence, disrupt operations, or prepare for future cyberattacks.

While previous reports suggested that Salt Typhoon also leveraged newer vulnerabilities, such as CVE-2023-20198 and CVE-2023-20273, Cisco has found no evidence supporting these claims. Instead, the primary method of exploitation remains CVE-2018-0171, a flaw in Cisco’s Smart Install (SMI) protocol, combined with credential theft.

Stolen Credentials: The Key to Initial Access

An essential aspect of this campaign is the use of valid, stolen credentials to gain access to network devices. While the exact method Salt Typhoon used to obtain these credentials is still unclear, evidence suggests that they actively searched for stored login details within compromised systems. They also monitored network traffic to capture authentication data, specifically targeting SNMP, TACACS, and RADIUS protocols to extract secret keys and other login credentials.

Once inside a network, Salt Typhoon employed various techniques to expand their reach and ensure prolonged access. These included modifying network device configurations, creating unauthorized local accounts, enabling Guest Shell access, and setting up persistent SSH access.

Living-off-the-Land Techniques and Network Pivoting

Salt Typhoon leveraged living-off-the-land (LOTL) techniques, which involve abusing legitimate system tools and infrastructure to avoid detection. By using compromised network devices as pivot points, they were able to jump from one telecom network to another while remaining hidden. These compromised devices likely served as intermediate relays, helping attackers either move laterally toward their ultimate targets or establish outbound data exfiltration routes.

To further evade detection, Salt Typhoon manipulated network configurations by altering loopback interface addresses on compromised switches. This allowed them to establish SSH connections that bypassed access control lists (ACLs), granting unrestricted movement within the target environment.

JumbledPath: A Custom Tool for Stealthy Operations

One of the most concerning discoveries is Salt Typhoon’s use of a custom-built tool named JumbledPath, which is specifically designed for stealthy network infiltration. This Go-based ELF binary enables attackers to execute packet captures on remote Cisco devices via an actor-controlled jump host. The tool can also clear system logs and disable logging altogether, making forensic analysis significantly more difficult.

Periodic log erasure efforts further reduce visibility into their activities. Salt Typhoon was observed deleting critical logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, to cover their tracks and ensure their operations remained undetected for extended periods.
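The log deletion described above is easier to catch if the defender keeps a baseline of each log file's metadata and periodically compares it. The script below is an added example (not code from Cisco, Talos, or the original article): it snapshots inode and size for the files the article names, then flags any file that has since been deleted, truncated, or replaced. The log directory and contents are constructed in a temporary directory for the demo; the helper names `snapshot`, `compare` and `demo` are this example's own.

```python
"""Detect local log erasure of the kind described above by comparing a
baseline snapshot of log-file metadata with a later one: a file that
disappears, shrinks, or gets a new inode has been deleted, truncated or
replaced since the baseline.

Added example, not Cisco's or Talos's code. LOG_FILES lists the files named
in the article; the demo builds them in a temporary directory (constructed
data) rather than touching the real system. Treat this as a last line of
defence: logs should also be shipped off-box in near real time.
"""
import os
import tempfile

LOG_FILES = [".bash_history", "auth.log", "lastlog", "wtmp", "btmp"]


def snapshot(log_dir, names=LOG_FILES):
    """Record (inode, size) for each log file; None when the file is missing."""
    snap = {}
    for name in names:
        path = os.path.join(log_dir, name)
        try:
            st = os.stat(path)
            snap[name] = (st.st_ino, st.st_size)
        except FileNotFoundError:
            snap[name] = None
    return snap


def compare(baseline, current):
    """Return {name: verdict} for files whose state regressed since baseline.

    Verdicts: 'deleted', 'replaced' (new inode), 'truncated' (size shrank).
    Normal growth (same inode, size >= baseline) produces no entry.
    """
    alerts = {}
    for name, before in baseline.items():
        if before is None:
            continue  # file was already absent at baseline; nothing to compare
        after = current.get(name)
        if after is None:
            alerts[name] = "deleted"
        elif after[0] != before[0]:
            alerts[name] = "replaced"
        elif after[1] < before[1]:
            alerts[name] = "truncated"
    return alerts


def demo():
    """Build constructed logs, simulate tampering, and return the alerts raised."""
    with tempfile.TemporaryDirectory() as d:
        for name in LOG_FILES:
            with open(os.path.join(d, name), "w") as f:
                f.write("constructed sample line\n" * 10)
        before = snapshot(d)

        # Simulated changes of the kinds the article describes, in the temp dir only.
        open(os.path.join(d, "auth.log"), "w").close()      # truncated in place
        os.remove(os.path.join(d, "wtmp"))                   # deleted
        replacement = os.path.join(d, "lastlog.new")         # replaced with a new inode
        with open(replacement, "w") as f:
            f.write("constructed sample line\n" * 10)
        os.replace(replacement, os.path.join(d, "lastlog"))
        with open(os.path.join(d, "btmp"), "a") as f:        # legitimate growth, no alert
            f.write("constructed sample line\n")

        return compare(before, snapshot(d))


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"ALERT {name}: {verdict}")
```

Inode and size are deliberately the only signals used: a log that merely grows keeps its inode and never shrinks, so the check stays quiet during normal operation and fires only on the deletion, truncation or delete-and-recreate patterns the article attributes to the actor.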

Ongoing Exploitation of Cisco Devices

Beyond Salt Typhoon’s activities, Cisco has also detected widespread targeting of its devices with exposed Smart Install (SMI) features, leading to the continued exploitation of CVE-2018-0171. However, Cisco clarified that this activity is not linked to Salt Typhoon and does not appear to be associated with any known threat group.

How Organizations Can Defend Against These Attacks

Given the persistent nature of Salt Typhoon’s operations, organizations—especially those in the telecommunications sector—must take proactive steps to secure their networks. Recommended defensive measures include:

  • Disabling Smart Install (SMI): If not required, SMI should be turned off to mitigate the risk of exploitation.
  • Enforcing Multi-Factor Authentication (MFA): Stolen credentials are less effective if MFA is required for authentication.
  • Regularly Updating Firmware and Patching Vulnerabilities: CVE-2018-0171 has been known for years, yet attackers continue to exploit it due to unpatched systems.
  • Monitoring Network Traffic for Anomalies: Organizations should closely monitor authentication requests, unusual SSH activity, and unexpected configuration changes.
  • Implementing Strong Access Control Policies: Restricting access to critical infrastructure can limit an attacker’s ability to move laterally within the network.
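The persistence techniques described earlier (unauthorized local accounts, Guest Shell, altered loopback addresses, disabled logging) and the defensive list above can be turned into a repeatable configuration audit. The script below is an added example, not Cisco's or Talos's code: it scans an IOS-style running configuration and reports Smart Install not explicitly disabled, accounts outside an allowlist, Guest Shell/IOx lines, disabled or local-only logging, loopback addresses that differ from a baseline, and VTY lines without an access-class. Both configurations are constructed for illustration, `EXPECTED_USERS` and `EXPECTED_LOOPBACKS` stand in for a defender-maintained baseline, and the checks are text heuristics rather than a full IOS parser.

```python
"""Audit a Cisco IOS-style running configuration for the hardening gaps and
persistence indicators discussed in the article.

Added example, not Cisco's or Talos's code. Both configs below are constructed;
EXPECTED_USERS and EXPECTED_LOOPBACKS stand in for a defender-maintained
baseline. Checks are text heuristics, not a full IOS config parser.
"""
import re

# Constructed config exhibiting several of the indicators discussed above.
WEAK_CONFIG = """\
hostname core-sw1
username netadmin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
vstack
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Loopback99
 ip address 192.0.2.77 255.255.255.255
no logging console
app-hosting appid guestshell
line vty 0 4
 transport input ssh
end
"""

# Constructed hardened counterpart: SMI off, only the expected account and
# loopback, remote syslog configured, VTY restricted by an access-class.
HARDENED_CONFIG = """\
hostname core-sw1
username netadmin privilege 15 secret 9 $9$placeholder
no vstack
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
logging host 10.0.0.50
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
end
"""

EXPECTED_USERS = {"netadmin"}                       # assumed allowlist
EXPECTED_LOOPBACKS = {"Loopback0": "10.255.0.1"}    # assumed baseline


def sections(config):
    """Yield (top-level line, [indented child lines]) pairs."""
    header, children = None, []
    for line in config.splitlines():
        if line.startswith(" "):
            children.append(line.strip())
        else:
            if header is not None:
                yield header, children
            header, children = line.strip(), []
    if header is not None:
        yield header, children


def parse_loopbacks(config):
    """Return {interface name: IPv4 address} for every Loopback interface."""
    out = {}
    for header, children in sections(config):
        m = re.match(r"interface (Loopback\d+)$", header)
        if not m:
            continue
        for child in children:
            c = re.match(r"ip address (\d+\.\d+\.\d+\.\d+)", child)
            if c:
                out[m.group(1)] = c.group(1)
    return out


def audit_config(config, expected_users=EXPECTED_USERS,
                 expected_loopbacks=EXPECTED_LOOPBACKS):
    """Return a list of {'check', 'severity', 'detail'} findings; empty means clean."""
    findings = []

    def add(check, severity, detail):
        findings.append({"check": check, "severity": severity, "detail": detail})

    parsed = list(sections(config))
    headers = [h for h, _ in parsed]

    # IOS shows 'no vstack' only once Smart Install has been disabled, so its
    # absence means the SMI client may still be reachable.
    if "no vstack" not in headers:
        add("smart_install_enabled", "high", "add 'no vstack'")

    for h in headers:
        m = re.match(r"username (\S+)", h)
        if m and m.group(1) not in expected_users:
            add("unexpected_local_account", "high", m.group(1))
        if "guestshell" in h or h == "iox":
            add("guest_shell_enabled", "medium", h)
        if h.startswith("no logging"):
            add("logging_disabled", "medium", h)

    # Without a remote syslog target, on-box log erasure removes the only copy.
    if not any(h.startswith("logging host") for h in headers):
        add("no_remote_syslog", "medium", "logs exist only on the device")

    for name, ip in parse_loopbacks(config).items():
        if name not in expected_loopbacks:
            add("loopback_unexpected", "high", f"{name} {ip}")
        elif expected_loopbacks[name] != ip:
            add("loopback_changed", "high", f"{name} {expected_loopbacks[name]} -> {ip}")

    for header, children in parsed:
        if header.startswith("line vty") and not any(
                c.startswith("access-class") for c in children):
            add("vty_unrestricted", "medium", header)
    return findings


if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print(f"[{f['severity']}] {f['check']}: {f['detail']}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run against archived configurations on a schedule, a diff of the findings between runs doubles as the "unexpected configuration change" monitor the list above calls for; the loopback and local-account checks in particular correspond directly to the persistence steps attributed to the actor.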

Salt Typhoon’s successful infiltration of U.S. telecom networks underscores the importance of vigilance in cybersecurity. Their ability to exploit a years-old vulnerability, steal credentials, and persist undetected for extended periods demonstrates the evolving threat landscape. Organizations must prioritize proactive defense strategies, including robust patch management, network monitoring, and strict access controls, to mitigate the risks posed by state-sponsored cyber threats.