Ethical Hacking News

The Salt Typhoon Nightmare: How China-Linked Hackers Exploited Global Networks Using Cisco, Ivanti, and Palo Alto Vulnerabilities



A sophisticated cyber threat actor known as Salt Typhoon has breached over 600 organizations worldwide, including major telecommunications providers, government agencies, transportation systems, lodging facilities, and military infrastructure. Learn more about the tactics used by this group and how organizations can protect themselves against this type of threat.

  • Salt Typhoon, a sophisticated cyber threat actor linked to Chinese entities, has breached over 600 organizations worldwide.
  • The group uses exploits for exposed network edge devices from Cisco, Ivanti, and Palo Alto Networks to gain initial access.
  • Attackers employ various tactics, including altering ACLs, running commands in Linux containers, and utilizing authentication protocols like TACACS+.
  • Threat actor's familiarity with telecommunications systems gives them an advantage when it comes to defense evasion.
  • The incident highlights the need for robust cybersecurity measures and regular vulnerability assessments.
  • Organizations must implement effective patch management strategies, conduct regular network scans, and ensure all software and systems are up-to-date.


    The cybersecurity landscape has recently been shaken by the revelation of a sophisticated cyber threat actor known as Salt Typhoon. This group, which has been linked to Chinese entities, has managed to breach over 600 organizations worldwide, including major telecommunications providers, government agencies, transportation systems, lodging facilities, and military infrastructure.

    According to a joint cybersecurity advisory published by authorities from 13 countries, including Australia, Canada, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, New Zealand, Poland, Spain, the U.K., and the U.S., Salt Typhoon has been using exploits for exposed network edge devices from Cisco (CVE-2018-0171, CVE-2023-20198, and CVE-2023-20273), Ivanti (CVE-2023-46805 and CVE-2024-21887), and Palo Alto Networks (CVE-2024-3400) to gain initial access. This approach allows the hackers to pivot into other networks, often modifying devices' configuration and adding GRE tunnels for persistent access and data exfiltration.

    The attackers have been observed using various tactics to achieve their objectives. These include altering Access Control Lists (ACLs), opening standard and non-standard ports, running commands in an on-box Linux container, and utilizing authentication protocols like TACACS+ to enable lateral movement across network devices. Furthermore, the hackers have been known to collect PCAPs using native tooling on compromised systems, with the primary objective likely being to capture TACACS+ traffic over TCP port 49.

    One notable technique employed by Salt Typhoon is the creation of a local user and granting it sudo privileges to obtain root access on host operating systems after logging in via TCP/57722. This highlights the group's ability to adapt and evolve their tactics, making it challenging for security professionals to detect and mitigate these threats.
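    The three network-level patterns above (GRE tunnels to unexpected peers, TACACS+ sessions on TCP/49 to hosts other than the known AAA servers, and inbound logins on TCP/57722) can be hunted for in flow data. The following is an added example, not code from the advisory or from any vendor; the device addresses, allowlists and flow records are constructed for illustration.

```python
"""Triage flow records for the Salt Typhoon persistence and lateral-movement
patterns described above. All addresses and sample flows are constructed."""
from dataclasses import dataclass

# Hypothetical baseline for a small sample network (assumption, not real data).
EDGE_DEVICES = {"10.0.0.1", "10.0.0.2"}                     # edge routers
GRE_ALLOWLIST = {frozenset({"10.0.0.1", "10.0.0.2"})}       # approved tunnel pairs
TACACS_SERVERS = {"10.0.5.10"}                              # approved AAA servers


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int   # 6 = TCP, 47 = GRE
    dport: int   # 0 for GRE (no transport port)


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src,dst,proto,dport' flow record."""
    src, dst, proto, dport = (field.strip() for field in line.split(","))
    return Flow(src, dst, int(proto), int(dport))


def flag_flow(f: Flow) -> list[str]:
    """Return a list of findings for one flow (empty if it matches nothing)."""
    findings = []
    touches_edge = f.src in EDGE_DEVICES or f.dst in EDGE_DEVICES
    if f.proto == 47 and touches_edge and frozenset({f.src, f.dst}) not in GRE_ALLOWLIST:
        findings.append("unapproved GRE tunnel on an edge device (persistence/exfiltration path)")
    if f.proto == 6 and f.dport == 49 and f.dst not in TACACS_SERVERS:
        findings.append("TACACS+ (TCP/49) to a non-AAA host (possible lateral movement)")
    if f.proto == 6 and f.dport == 57722 and f.dst in EDGE_DEVICES:
        findings.append("inbound TCP/57722 to an edge device (host OS login path)")
    return findings


def triage(records: list[str]) -> dict[str, list[str]]:
    """Map 'src->dst:dport' to its findings for every record that matches."""
    hits = {}
    for line in records:
        fl = parse_flow(line)
        if findings := flag_flow(fl):
            hits[f"{fl.src}->{fl.dst}:{fl.dport}"] = findings
    return hits


SAMPLE_FLOWS = [  # constructed records: src,dst,proto,dport
    "10.0.0.1,10.0.0.2,47,0",          # approved GRE tunnel: clean
    "10.0.0.1,203.0.113.7,47,0",       # GRE to an unknown external peer: flag
    "10.0.0.2,10.0.5.10,6,49",         # TACACS+ to the approved AAA server: clean
    "10.0.0.2,10.0.0.1,6,49",          # TACACS+ between two edge devices: flag
    "198.51.100.9,10.0.0.1,6,57722",   # inbound 57722 to an edge device: flag
    "10.0.9.9,10.0.0.1,6,443",         # ordinary HTTPS management: clean
]
```

Feeding real NetFlow/IPFIX exports through `parse_flow` only requires mapping the exporter's fields onto the same four columns; the allowlists are the part each network must fill in from its own change records.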

    John Hultquist, Chief Analyst at Google Threat Intelligence Group, pointed out that the threat actor's familiarity with telecommunications systems gives them a unique advantage when it comes to defense evasion. Contractors are used to build tools and valuable exploits as well as carry out the dirty work of intrusion operations. They have been instrumental in the rapid evolution of these operations and growing them to an unprecedented scale.

    The impact of this cyber threat cannot be overstated, with Salt Typhoon having targeted major organizations across various sectors worldwide. The fact that these hackers were able to breach over 600 organizations highlights the need for robust cybersecurity measures and regular vulnerability assessments to prevent such incidents.

    As security experts continue to monitor the situation, it is crucial that organizations take proactive steps to protect themselves against this type of threat. This includes implementing effective patch management strategies, conducting regular network scans, and ensuring that all software and systems are up-to-date with the latest security patches.

    In conclusion, the Salt Typhoon incident serves as a stark reminder of the ongoing threat landscape in the cybersecurity world. As we navigate through this ever-evolving threat environment, it is essential to stay vigilant and proactive in our efforts to protect ourselves against such sophisticated threats.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Salt-Typhoon-Nightmare-How-China-Linked-Hackers-Exploited-Global-Networks-Using-Cisco-Ivanti-and-Palo-Alto-Vulnerabilities-ehn.shtml
  • https://thehackernews.com/2025/08/salt-typhoon-exploits-cisco-ivanti-palo.html
  • https://nvd.nist.gov/vuln/detail/CVE-2018-0171
  • https://www.cvedetails.com/cve/CVE-2018-0171/
  • https://nvd.nist.gov/vuln/detail/CVE-2023-20198
  • https://www.cvedetails.com/cve/CVE-2023-20198/
  • https://nvd.nist.gov/vuln/detail/CVE-2023-20273
  • https://www.cvedetails.com/cve/CVE-2023-20273/
  • https://nvd.nist.gov/vuln/detail/CVE-2023-46805
  • https://www.cvedetails.com/cve/CVE-2023-46805/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-21887
  • https://www.cvedetails.com/cve/CVE-2024-21887/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-3400
  • https://www.cvedetails.com/cve/CVE-2024-3400/


    Published: Thu Aug 28 13:19:01 2025 by llama3.2 3B Q4_K_M