
Holding Back Salt Typhoon + Other Chinese APT CVEs

Over the past several years, US Federal Agencies and private sector companies have observed China-based threat actors targeting network and telecommunication critical infrastructure. A wave of recent reports have disclosed that these attacks have succeeded in compromising government and industry targets to a far greater extent than previously thought. As a result, CISA has issued new guidance for telecommunications companies to secure their infrastructure, and the U.S. Federal Communications Commission (FCC) has drafted new, stricter cybersecurity regulations to require telcos to “secure their networks against unlawful access and interception.” The recent U.S. Senate hearings on Communications Networks Safety and Security also emphasized the requirement for continuous monitoring of network devices for persistent implants, tampering, backdoors, malware and other types of compromise.

The threat activity by these groups goes back at least half a decade. As far back as 2020, the following threat actor groups, including Salt Typhoon, have been observed, with solid evidence of state-sponsored operations based in China:

These campaigns have leveraged a wide variety of vulnerabilities and sophisticated tools, including 0-day vulnerabilities. Their TTPs (Tactics, Techniques, and Procedures) have also leveraged commodity tools (such as Mirai botnet code) as well as more sophisticated malware with capabilities such as firmware backdoors and UEFI implants.

Known Exploited Vulnerabilities in the Network Device Supply Chain

A key element of this unfolding story is that most of the CVEs exploited by these attackers are listed in CISA’s Known Exploited Vulnerabilities catalog, and some were also listed in the top 42 most routinely exploited vulnerabilities of 2023, also published by CISA. Furthermore, many of the vulnerabilities exist inside network devices, and even security devices that the targeted organizations purchase from vendors they trust to provide secure equipment. The supply chain of network infrastructure devices is far less secure than it should be. 

End user workstations and endpoints are subjected to a huge battery of cybersecurity requirements, tests, scans, and regulations. In contrast, network devices like routers, switches, and even firewalls from vendors like Cisco, Sophos, Palo Alto, and more are assumed to be secure. The Salt Typhoon attacks and other PRC-sponsored adversaries show that security teams must update their assumptions and treat network devices as insecure until proven otherwise. Furthermore, these network devices are ripe territory for APTs to establish persistence by installing firmware implants, bootkits, and backdoors that most security tools and incident responders find difficult to detect. Nation state sponsored APTs are playing a long game, and they prioritize establishing persistence that can outmaneuver the incident response capabilities of critical infrastructure providers such as Telcos. Verifying the integrity of these devices before connecting them to critical infrastructure networks, and monitoring them continuously for updates, especially in firmware, is a crucial step in protecting critical telecommunications infrastructure against advanced adversaries.

Prevent Persistent Access by Salt Typhoon, Flax Typhoon, and other APTs

When sophisticated threat actors target critical infrastructure, they use advanced persistence techniques and “living-off-the-land” tactics to maintain access even after they have been detected. One increasingly common persistence technique, Pre-OS Boot (MITRE ATT&CK T1542), is to exploit vulnerabilities in network device firmware, using implants and backdoors that many incident responders lack the ability to detect or eradicate. Eliminating these persistence mechanisms in network devices that support critical infrastructure, such as telecommunications, is vital for protecting national security.

The Eclypsium platform monitors the integrity of network devices, including their firmware, and is thus able to detect the persistent implants and backdoors used by these APTs. Eclypsium achieves this by verifying firmware and OS integrity; scanning memory, configuration, logs, the file system, and individual files; looking for IoCs; and running firmware through our firmware binary analysis engine. The capability to continuously monitor the integrity of network devices at the firmware layer is unique to Eclypsium.
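As an added illustration of the integrity-verification and continuous-monitoring step described here and in the earlier section on the network device supply chain, the following example records a known-good hash for each firmware component of a device, re-hashes on a later monitoring cycle, and classifies each change as either a vendor-published update or an unexplained modification that warrants incident response. This is example code written for this post, not Eclypsium's product code; every component name, image, and hash below is constructed for illustration.

```python
"""Firmware integrity baseline and drift detection (constructed example).

Records a known-good SHA-256 for each firmware component at onboarding,
re-hashes on every monitoring cycle, and separates legitimate vendor updates
from unexplained changes. All names, images and hashes are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


STATUS_OK = "ok"
STATUS_VENDOR_UPDATE = "vendor_update"          # changed, matches a vendor-published hash
STATUS_UNEXPECTED_CHANGE = "unexpected_change"  # changed, no vendor hash matches: investigate
STATUS_UNKNOWN_COMPONENT = "unknown_component"  # present on device, absent from baseline
STATUS_MISSING_COMPONENT = "missing_component"  # in baseline, no longer on device


@dataclass(frozen=True)
class Finding:
    component: str
    status: str
    observed: str = ""  # hash seen on the device this cycle
    expected: str = ""  # hash recorded in the baseline


def build_baseline(images: Dict[str, bytes]) -> Dict[str, str]:
    """Capture known-good hashes at onboarding, after the images were verified out of band."""
    return {name: sha256_hex(data) for name, data in images.items()}


def verify_device(images: Dict[str, bytes],
                  baseline: Dict[str, str],
                  vendor_hashes: Dict[str, Set[str]]) -> List[Finding]:
    """Compare the components currently on the device against the baseline."""
    findings: List[Finding] = []
    for name, data in images.items():
        observed = sha256_hex(data)
        expected = baseline.get(name)
        if expected is None:
            findings.append(Finding(name, STATUS_UNKNOWN_COMPONENT, observed))
        elif observed == expected:
            findings.append(Finding(name, STATUS_OK, observed, expected))
        elif observed in vendor_hashes.get(name, set()):
            # Differs from baseline but is a published release: re-baseline after change review.
            findings.append(Finding(name, STATUS_VENDOR_UPDATE, observed, expected))
        else:
            # Differs from baseline and matches nothing the vendor published: possible implant.
            findings.append(Finding(name, STATUS_UNEXPECTED_CHANGE, observed, expected))
    for name, expected in baseline.items():
        if name not in images:
            findings.append(Finding(name, STATUS_MISSING_COMPONENT, "", expected))
    return findings


def needs_response(findings: List[Finding]) -> List[Finding]:
    """The subset an incident responder should act on."""
    actionable = {STATUS_UNEXPECTED_CHANGE, STATUS_UNKNOWN_COMPONENT, STATUS_MISSING_COMPONENT}
    return [f for f in findings if f.status in actionable]


# Constructed sample data: images captured at onboarding (not real vendor artifacts).
ONBOARD_IMAGES = {
    "bootloader": b"CONSTRUCTED-BOOTLOADER-1.0",
    "firmware": b"CONSTRUCTED-FIRMWARE-4.2.1",
    "web_ui": b"CONSTRUCTED-WEBUI-4.2.1",
}
# Constructed vendor-published hashes (assumption: the operator fetched these from the vendor).
VENDOR_HASHES = {
    "firmware": {sha256_hex(b"CONSTRUCTED-FIRMWARE-4.2.1"),
                 sha256_hex(b"CONSTRUCTED-FIRMWARE-4.2.2")},
}
# A later monitoring cycle: firmware legitimately updated, bootloader altered by
# something other than a vendor release, and a component appeared that was never baselined.
LATER_IMAGES = {
    "bootloader": b"CONSTRUCTED-BOOTLOADER-1.0-modified",
    "firmware": b"CONSTRUCTED-FIRMWARE-4.2.2",
    "web_ui": b"CONSTRUCTED-WEBUI-4.2.1",
    "extra_module": b"CONSTRUCTED-UNLISTED-MODULE",
}


def run_demo() -> Dict[str, str]:
    """Run one monitoring cycle and return component -> status."""
    baseline = build_baseline(ONBOARD_IMAGES)
    return {f.component: f.status for f in verify_device(LATER_IMAGES, baseline, VENDOR_HASHES)}


if __name__ == "__main__":
    for component, status in run_demo().items():
        print(f"{component:14} {status}")
```

The point of the three-way split is operational: a hash that changes is not by itself an alert, because vendors ship updates, but a change that matches no published release, a component that was never baselined, or one that has disappeared is exactly the drift that a persistent implant produces and that a responder should examine. In practice the vendor hash set is refreshed from the vendor's signed release metadata and the baseline is re-captured only after a reviewed change.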

In addition to our unique capability to continuously monitor device, OS, and firmware integrity, the Eclypsium team has been tracking this activity and developing detections for vulnerabilities and IoCs (Indicators of Compromise) across several platforms. We are constantly adding new detections to assure our customers get broad coverage of the TTPs used by these threat groups. Below is a sampling of CVEs related to Salt Typhoon, Flax Typhoon, Pacific Rim, Velvet Ant, and other Chinese APTs that can be detected by the Eclypsium platform.

This list is continuously growing as new detections are added to the Eclypsium platform. Eclypsium customers can contact their account representative for the most up-to-date list of vulnerabilities and IOCs detected by Eclypsium.

Preventing Persistence Is An Urgent Necessity To Protect Telecommunications Infrastructure

Detecting vulnerabilities is important, but preventing and protecting against attacker persistence and future intrusion is also critical. To meet the FCC’s call to “ensure resilience against future cyberattacks by adversaries,” Telecommunications operators domestically and abroad will need to address the risk of firmware exploitation for attacker persistence. 

Eclypsium is able to verify the integrity of hardware, software, and firmware components in user endpoints and network devices. This reduces the need to trust vendors, and enables telecommunications organizations to verify that their supply chain of network devices and software is not introducing new vulnerabilities into the environment that are subsequently targeted by adversaries. If you’re interested in a demonstration of how we can help you mitigate your risk from these APT tactics, please get in touch with us.

Further Reading