The Chinese language state-sponsored hacking group often called Salt Storm breached and remained undetected in a U.S. Military Nationwide Guard community for 9 months in 2024, stealing community configuration recordsdata and administrator credentials that might be used to compromise different authorities networks.
Salt Storm is a Chinese language state-sponsored hacking group that’s believed to be affiliated with China’s Ministry of State Safety (MSS) intelligence company. The hacking group has gained notoriety over the previous two years for its wave of assaults on telecommunications and broadband suppliers worldwide, together with AT&T, Verizon, Lumen, Constitution, Windstream, and Viasat.
The objective of a few of these assaults was to acquire entry to delicate name logs, personal communications, and law-enforcement wiretap methods utilized by the U.S. authorities.
Nationwide Guard community breached for 9 months
A June 11 Division of Homeland Safety memofirst reported by NBCsays that Salt Storm breached a U.S. state’s Military Nationwide Guard community for 9 months between March and December 2024.
Throughout this time, the hackers stole community diagrams, configuration recordsdata, administrator credentials, and private data of service members that might be used to breach Nationwide Guard and authorities networks in different states.
“Between March and December 2024, Salt Storm extensively compromised a US state’s Military Nationwide Guard’s community and, amongst different issues, collected its community configuration and its knowledge visitors with its counterparts’ networks in each different US state and no less than 4 US territories, in keeping with a DOD report,” reads the memo.
“This knowledge additionally included these networks’ administrator credentials and community diagrams—which might be used to facilitate follow-on Salt Storm hacks of those models.”
The memo additional states that Salt Storm has beforehand utilized stolen community topologies and configuration recordsdata to compromise vital infrastructure and U.S. authorities companies.
“Salt Storm has beforehand used exfiltrated community configuration recordsdata to allow cyber intrusions elsewhere,” continued the memo.
“Between January and March 2024, Salt Storm exfiltrated configuration recordsdata related to different U.S. authorities and important infrastructure entities, together with no less than two U.S. state authorities companies. Not less than one in all these recordsdata later knowledgeable their compromise of a weak system on one other U.S. authorities company’s community.”
Community configuration recordsdata include the settings, safety profiles, and credentials configured on networking units, comparable to routers, firewalls, and VPN gateways. This data is effective to an attacker, as it may be used to determine paths to and credentials for different delicate networks which are sometimes not accessible by way of the Web.
The DHS warns that between 2023 and 2024, Salt Storm stole 1,462 community configuration recordsdata related to roughly 70 U.S. authorities and important infrastructure entities from 12 sectors.
Whereas it was not disclosed how Salt Storm breached the Nationwide Guard community, Salt Storm is understood for concentrating on previous vulnerabilities in networking units, comparable to Cisco routers.
The DHS memo shared the next vulnerabilities that Salt Storm leveraged prior to now to breach networks:
CVE-2018-0171: A vital flaw in Cisco IOS and IOS XE Good Set up that permits distant code execution by way of specifically crafted TCP packets.
CVE-2023-20198: A zero-day affecting Cisco IOS XE net UI that allows unauthenticated distant entry to units.
CVE-2023-20273: A privilege escalation flaw additionally concentrating on IOS XE that permits hackers to execute instructions as root. This flaw has been seen chained with CVE-2023-20198 to take care of persistence.
CVE-2024-3400: A command injection vulnerability in Palo Alto Networks’ PAN-OS GlobalProtect, which permits unauthenticated attackers to execute instructions on units.
DOH additionally shared the next IP addresses which were utilized by Salt Storm when exploiting the above vulnerabilities:
43.254.132(.)118
146.70.24(.)144
176.111.218(.)190
113.161.16(.)130
23.146.242(.)131
58.247.195(.)208
In earlier assaults, the hackers exploited unpatched Cisco routers in telecom environments to achieve entry to infrastructure. The attackers used this entry to spy on communications of U.S. political campaigns and lawmakers.
As a part of these assaults, the menace actors deployed customized malware named JumblePath and GhostSpider to surveil telecom networks.
The DHS memo urges Nationwide Guard and authorities cybersecurity groups to make sure these flaws have been patched and to show off pointless providers, phase SMB visitors, implement SMB signing, and implement entry controls.
A Nationwide Guard Bureau spokesperson confirmed the breach to NBC however declined to share specifics, stating that it had not disrupted federal or state missions.
China’s embassy in Washington didn’t deny the assault however acknowledged the U.S. had not offered “conclusive and dependable proof” that Salt Storm is linked to the Chinese language authorities.
Whereas cloud assaults could also be rising extra refined, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout hundreds of organizations, this report reveals 8 key methods utilized by cloud-fluent menace actors.
