{
	"id": "618a917a-f19e-4c5c-8bac-e6db6f4370e3",
	"created_at": "2026-04-06T00:18:54.000977Z",
	"updated_at": "2026-04-10T13:11:21.185361Z",
	"deleted_at": null,
	"sha1_hash": "ccd36642686bd01fba70006ad6392a4fd3768c12",
	"title": "Weathering the storm: In the midst of a Typhoon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 264955,
	"plain_text": "Weathering the storm: In the midst of a Typhoon\r\nBy Cisco Talos\r\nPublished: 2025-02-20 · Archived: 2026-04-05 13:28:08 UTC\r\nThursday, February 20, 2025 08:00\r\nSummary\r\nCisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S.\r\ntelecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S.\r\ngovernment, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights\r\nour observations on this campaign and identifies recommendations for detection and prevention of the actor’s\r\nactivities.\r\nPublic reporting has indicated that the threat actor was able to gain access to core networking infrastructure in\r\nseveral instances and then use that infrastructure to collect a variety of information. There was only one case in\r\nwhich we found evidence suggesting that a Cisco vulnerability (CVE-2018-0171) was likely abused. In all the\r\nother incidents we have investigated to date, the initial access to Cisco devices was determined to be gained\r\nthrough the threat actor obtaining legitimate victim login credentials. The threat actor then demonstrated their\r\nability to persist in target environments across equipment from multiple vendors for extended periods, maintaining\r\naccess in one instance for over three years.\r\nA hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is\r\nimportant to note that while the telecommunications industry is the primary victim, the advice contained herein is\r\nrelevant to, and should be considered by, all infrastructure defenders.\r\nhttps://blog.talosintelligence.com/salt-typhoon-analysis/\r\nPage 1 of 7\n\nNo new Cisco vulnerabilities were discovered during this campaign. 
While there have been some reports that Salt\r\nTyphoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these\r\nclaims. The vulnerabilities in question are listed below. Note that each of these CVEs has security fixes\r\navailable. Threat actors regularly use publicly available malicious tooling to exploit these vulnerabilities, making\r\npatching of these vulnerabilities imperative.\r\nTherefore, our recommendation — which is consistent with our standard guidance independent of this particular\r\ncase—is always to follow best practices to secure network infrastructure.\r\nCVE-2018-0171 - Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability\r\n(Last Updated: 15-Dec-2022)\r\nCVE-2023-20198, CVE-2023-20273 - Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature\r\n(Last Updated: 1-Nov-2023)\r\nCVE-2024-20399 - Cisco NX-OS Software CLI Command Injection Vulnerability (Last Updated: 17-Sep-2024)\r\nActivities observed\r\nCredential use and expansion\r\nThe use of valid, stolen credentials has been observed throughout this campaign, though it is unknown at this time\r\nexactly how the initial credentials in all cases were obtained by the threat actor. We have observed the threat actor\r\nactively attempting to acquire additional credentials by obtaining network device configurations and deciphering\r\nlocal accounts with weak password types—a security configuration that allows users to store passwords using\r\ncryptographically weak methods. In addition, we have observed the threat actor capturing SNMP, TACACS, and\r\nRADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers. The\r\nintent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.\r\nConfiguration exfiltration\r\nIn numerous instances, the threat actor exfiltrated device configurations, often over TFTP and/or FTP. 
These\r\nconfigurations often contained sensitive authentication material, such as SNMP Read/Write (R/W) community\r\nstrings and local accounts with weak password encryption types in use. The weak encryption password type would\r\nallow an attacker to trivially decrypt the password itself offline. In addition to the sensitive authentication\r\nmaterial, configurations often contain named interfaces, which might allow an attacker to better understand the\r\nupstream and downstream network segments and use this information for additional reconnaissance and\r\nsubsequent lateral movement within the network.\r\nInfrastructure pivoting\r\nA significant part of this campaign is marked by the actor’s continued movement, or pivoting, through\r\ncompromised infrastructure. This “machine to machine” pivoting, or “jumping,” is likely conducted for a couple\r\nof reasons. First, it allows the threat actor to move within a trusted infrastructure set where network\r\ncommunications might not otherwise be permitted. Additionally, connections from this type of infrastructure are\r\nless likely to be flagged as suspicious by network defenders, allowing the threat actor to remain undetected.\r\nThe threat actor also pivoted from a compromised device operated by one telecom to target a device in another\r\ntelecom. We believe that the device associated with the initial telecom was merely used as a hop point and not the\r\nintended final target in several instances. Some of these hop points were also used as a first hop for outbound data\r\nexfiltration operations. Much of this pivoting included the use of network equipment from a variety of different\r\nmanufacturers.\r\nConfiguration modification\r\nWe observed that the threat actor had modified devices’ running configurations as well as the subsystems\r\nassociated with both Bash and Guest Shell. 
(Guest Shell is a Linux-based virtual environment that runs on Cisco\r\ndevices and allows users to execute Linux commands and utilities, including Bash.)\r\nRunning configuration modifications\r\nAAA/TACACS+ server modification (server IP address change)\r\nLoopback interface IP address modifications\r\nGRE tunnel creation and use\r\nCreation of unexpected local accounts\r\nACL modifications\r\nSNMP community string modifications\r\nHTTP/HTTPS server modifications on both standard and non-standard ports\r\nShell access modifications\r\nGuest Shell enable and disable commands\r\nStarted SSH alternate servers on high ports for persistent access, such as sshd_operns (on port 57722) on\r\nunderlying Linux Shell or Guest Shell\r\n/usr/bin/sshd -p X\r\nCreated Linux-level users (modification of “/etc/shadow” and “/etc/passwd”)\r\nAdded SSH “authorized_keys” under root or other users at Linux level\r\nPacket capture\r\nThe threat actor used a variety of tools and techniques to capture packet data throughout the course of the\r\ncampaign, listed below:\r\nTcpdump – Portable command-line utility used to capture packet data at the underlying operating system\r\nlevel.\r\nTcpdump –i\r\nTpacap – Cisco IOS XR command line utility used to capture packets being sent to or from a given\r\ninterface via netio at the underlying operating system level.\r\nTpacap –i\r\nEmbedded Packet Capture (EPC) - Cisco IOS feature that allows the capture and export of packet capture\r\ndata.\r\nMonitor capture CAP export ftp://\u003cftp_server\u003e\r\nMonitor capture CAP start\r\nMonitor capture CAP clear\r\nOperational utility (JumbledPath)\r\nThe threat actor used a custom-built utility, dubbed JumbledPath, which allowed them to execute a packet capture\r\non a remote Cisco device through an actor-defined jump-host. 
This tool also attempted to clear logs and impair\r\nlogging along the jump-path and return the resultant compressed, encrypted capture via another unique series of\r\nactor-defined connections or jumps. This allowed the threat actor to create a chain of connections and perform the\r\ncapture on a remote device. The use of this utility would help to obfuscate the original source, and ultimate\r\ndestination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure.\r\nThis utility was written in Go and compiled as an ELF binary using an x86-64 architecture. Compiling the utility\r\nusing this architecture makes it widely usable across Linux operating systems, which also includes a variety of\r\nmulti-vendor network devices. This utility was found in actor-configured Guest Shell instances on Cisco Nexus\r\ndevices.\r\nDefense evasion\r\nThe threat actor repeatedly modified the address of the loopback interface on a compromised switch and used that\r\ninterface as the source of SSH connections to additional devices within the target environment, allowing them to\r\neffectively bypass access control lists (ACLs) in place on those devices (see the \"Infrastructure pivoting\" section).\r\nThe threat actor routinely cleared relevant logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, where\r\napplicable, to obfuscate their activities. 
Shell access was restored to a normal state in many cases through the use\r\nof the “guestshell disable” command.\r\nThe threat actor modified authentication, authorization, and accounting (AAA) server settings with supplemental\r\naddresses under their control to bypass access control systems.\r\nDetection\r\nWe recommend taking the following steps to identify suspicious activity that may be related to this campaign:\r\nConduct comprehensive configuration management (inclusive of auditing), in line with best practices.\r\nConduct comprehensive authentication/authorization/command issuance monitoring.\r\nMonitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap\r\nin logged activity.\r\nMonitor your environment for unusual changes in behavior or configuration.\r\nProfile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including\r\nnew ports opening/closing and traffic to/from (not traversing).\r\nWhere possible, develop NetFlow visibility to identify unusual volumetric changes.\r\nLook for non-empty or unusually large .bash_history files.\r\nAdditional identification and detection can be performed using the Cisco forensic guides.\r\nPreventative measures\r\nThe following guidance applies to entities in all sectors.\r\nCisco-specific measures\r\nLeverage Cisco Hardening Guides when configuring devices\r\nAlways disable the underlying non-encrypted web server using the “no ip http server” command. 
If\r\nweb management is not required, disable all of the underlying web servers using “no ip http server”\r\nand “no ip http secure-server” commands.\r\nDisable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco\r\ndevices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.\r\nIf not required, disable the guestshell access using “guestshell disable” for those versions which\r\nsupport the guestshell service.\r\nDisable Cisco’s Smart Install service using “no vstack”.\r\nUtilize type 8 passwords for local account credential configuration.\r\nUse type 6 for TACACS+ key configuration.\r\nGeneral measures\r\nRigorously adhere to security best practices, including updating, access controls, user education,\r\nand network segmentation.\r\nStay up-to-date on security advisories from the U.S. government and industry, and consider\r\nsuggested configuration changes to mitigate described issues.\r\nUpdate devices as aggressively as possible. 
This includes patching current hardware and software\r\nagainst known vulnerabilities and replacing end-of-life hardware and software.\r\nSelect complex passwords and community strings and avoid default credentials.\r\nUse multi-factor authentication (MFA).\r\nEncrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF,\r\nRESTCONF).\r\nLock down and aggressively monitor credential systems, such as TACACS+ and any jump hosts.\r\nUtilize AAA to deny configuration modifications of key device protections (e.g., local accounts,\r\nTACACS+, RADIUS).\r\nPrevent and monitor for exposure of administrative or unusual interfaces (e.g., SNMP, SSH,\r\nHTTP(s)).\r\nDisable all non-encrypted web management capabilities.\r\nVerify existence and correctness of access control lists for all management protocols (e.g., SNMP,\r\nSSH, Netconf, etc.).\r\nEnhance overall credential and password management practices with stronger keys and/or\r\nencryption.\r\nUse type 8 passwords for local account credential configuration.\r\nUse type 6 for TACACS+ key configuration.\r\nStore configurations centrally and push to devices. Do NOT allow devices to be the trusted source\r\nof truth for their configurations.\r\nThere are several reasons to believe this activity is being carried out by a highly sophisticated, well-funded threat\r\nactor, including the targeted nature of this campaign, the deep levels of developed access into victim networks,\r\nand the threat actor’s extensive technical knowledge. 
Furthermore, the long timeline of this campaign suggests a\r\nhigh degree of coordination, planning, and patience—standard hallmarks of advanced persistent threat (APT) and\r\nstate-sponsored actors.\r\nDuring this investigation, we also observed additional pervasive targeting of Cisco devices with exposed Smart\r\nInstall (SMI) and the subsequent abuse of CVE-2018-0171, a vulnerability in the Smart Install feature of Cisco\r\nIOS and Cisco IOS XE software. This activity appears to be unrelated to the Salt Typhoon operations, and we\r\nhave not yet been able to attribute it to a specific actor. The IP addresses provided as observables below are\r\nassociated with this potentially unrelated SMI activity.\r\nLegacy devices with known vulnerabilities, such as Smart Install (CVE-2018-0171), should be patched or\r\ndecommissioned if no longer in use. Even if the device is a non-critical device, or carries no traffic, it may be used\r\nas an entry point for the threat actor to pivot to other more critical devices.\r\nThe findings in this blog represent Cisco Talos’ understanding of the attacks outlined herein. This campaign and\r\nits impact are still being researched, and the situation continues to evolve. As such, this post may be updated at\r\nany time to reflect new findings or adjustments to assessments.\r\nIndicators of Compromise (IOCs)\r\nIP Addresses:\r\n(Smart Install Abuse not associated with Salt Typhoon)\r\n185[.]141[.]24[.]28\r\n185[.]82[.]200[.]181\r\nSource: https://blog.talosintelligence.com/salt-typhoon-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/salt-typhoon-analysis/"
	],
	"report_names": [
		"salt-typhoon-analysis"
	],
	"threat_actors": [
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434734,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ccd36642686bd01fba70006ad6392a4fd3768c12.pdf",
		"text": "https://archive.orkl.eu/ccd36642686bd01fba70006ad6392a4fd3768c12.txt",
		"img": "https://archive.orkl.eu/ccd36642686bd01fba70006ad6392a4fd3768c12.jpg"
	}
}