Salt Typhoon lateral movement and data collection: To move deeper inside networks, the attackers leverage existing authentication protocols such as Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS). The Management Information Base (MIB), various router interfaces, Resource Reservation Protocol (RSVP) sessions, Border Gateway Protocol (BGP) routes and software already installed on the devices are also targeted for abuse.

The attackers also search configuration files and provider-held data such as subscriber information, customer records, network diagrams, device configurations, vendor lists, passwords and more.

The native packet capture capabilities of compromised routers are routinely used to capture RADIUS or TACACS+ authentication traffic with the intention of extracting credentials transmitted in insecure forms. Sometimes the attackers point the router's TACACS+ server configuration to an IP address they control in order to capture authentication requests.

Compromised routers, especially Cisco ones, have various configuration changes made to them, including the addition of new accounts, enabling traffic monitoring on interfaces, commands issued over various protocols to display configuration files or clear logs, configuring tunnels, updating routing tables, running Guest Shell containers and more.

The attackers commonly use existing peering connections between networks to exfiltrate data without raising suspicion, hiding it within the noise generated by high-traffic nodes and encapsulating it in tunnels such as GRE or IPsec.
Telecommunications providers must perform threat hunting: The report includes many indicators of compromise, TTPs, a case study with recorded Salt Typhoon activity and commands, as well as threat hunting recommendations and YARA rules that can be used for activity detection.

"The authoring agencies encourage network defenders of critical infrastructure organizations, especially telecommunications organizations, to perform threat hunting, and, when appropriate, incident response activities," the agencies said. "If malicious activity is suspected or confirmed, organizations should consider all mandatory reporting requirements to relevant agencies and regulators under applicable laws and regulations, and any additional voluntary reporting to appropriate agencies, such as cybersecurity or law enforcement agencies who can provide incident response guidance and assistance with mitigation."

In terms of mitigation recommendations, the first step is to patch known vulnerabilities as soon as possible, especially on network edge devices. Regularly monitoring configuration files and logs on routers in order to detect suspicious activity and unauthorized changes is also important.

Other general recommendations include disabling outbound connections from management interfaces, disabling unused ports and services, changing default administrative credentials, implementing public-key authentication for administrators instead of password authentication, and replacing unsupported network devices with versions that still receive security patches from their manufacturers.

The report also includes more specific recommendations for hardening management protocols, implementing robust logging and following best practices for routing and virtual private networks.
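The report's recommendation to monitor router configuration files for unauthorized changes, together with the configuration tampering described earlier (new local accounts, a TACACS+ server address redirected to a host the attackers control, new tunnel interfaces, traffic mirroring on interfaces, container features enabled), can be turned into a simple baseline-versus-current configuration audit. The script below is an added example written for this article; it is not from the report, not one of its YARA rules, and not a vendor tool. The two configurations are constructed, IOS-style approximations (the `WATCH` patterns, the `AAA-PRIMARY` server name, the `iox` line and all addresses are assumptions), and the idea generalizes to any line-oriented device configuration whose blocks are a header line plus indented sub-lines.

```python
"""Added example (not from the advisory): diff a saved baseline router
configuration against the current one and flag the categories of change
the advisory associates with Salt Typhoon activity."""
import re
from dataclasses import dataclass

# Constructed baseline: a minimal IOS-style config (assumed syntax).
BASELINE = """\
hostname edge-rtr-1
username netops privilege 15 secret 5 $1$abcd$placeholder
tacacs server AAA-PRIMARY
 address ipv4 10.0.0.5
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Constructed "current" config carrying the kinds of changes described
# in the text: an extra account, the TACACS+ server address redirected
# to a different host, a new tunnel, a SPAN session and IOx enabled.
CURRENT = """\
hostname edge-rtr-1
username netops privilege 15 secret 5 $1$abcd$placeholder
username svc_backup privilege 15 secret 5 $1$efgh$placeholder
tacacs server AAA-PRIMARY
 address ipv4 203.0.113.77
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.9
monitor session 1 source interface GigabitEthernet0/0
monitor session 1 destination interface GigabitEthernet0/2
iox
"""

# Header patterns worth an alert (assumed; extend for your platform).
WATCH = [
    (re.compile(r"^username\s+\S+"), "new or changed local account"),
    (re.compile(r"^(tacacs|radius)(-server| server)"), "AAA server definition changed"),
    (re.compile(r"^interface\s+Tunnel\d+"), "tunnel interface"),
    (re.compile(r"^monitor session"), "traffic mirroring (SPAN) session"),
    (re.compile(r"^(iox|guestshell)\b"), "container / guest shell feature"),
    (re.compile(r"^ip route\b"), "static route"),
]


@dataclass(frozen=True)
class Finding:
    kind: str      # "added", "removed" or "modified"
    header: str    # the top-level config line affected
    category: str  # label from WATCH, or "other"


def parse_blocks(text):
    """Group a config into {header: tuple(indented sub-lines)}.
    Blank lines and IOS-style '!' separators are ignored."""
    blocks, header, body = {}, None, []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            body.append(raw.strip())
        else:
            if header is not None:
                blocks[header] = tuple(body)
            header, body = raw.strip(), []
    if header is not None:
        blocks[header] = tuple(body)
    return blocks


def classify(header):
    """Return the WATCH label for a header line, or 'other'."""
    for pattern, label in WATCH:
        if pattern.search(header):
            return label
    return "other"


def audit_config(baseline, current):
    """Return every block that was added, removed or had its body changed,
    watched categories first so they surface at the top of a report."""
    old, new = parse_blocks(baseline), parse_blocks(current)
    findings = [Finding("added", h, classify(h)) for h in new.keys() - old.keys()]
    findings += [Finding("removed", h, classify(h)) for h in old.keys() - new.keys()]
    findings += [Finding("modified", h, classify(h))
                 for h in old.keys() & new.keys() if old[h] != new[h]]
    return sorted(findings, key=lambda f: (f.category == "other", f.header))


def watched(findings):
    """Only the findings that match a WATCH category."""
    return [f for f in findings if f.category != "other"]


if __name__ == "__main__":
    for f in audit_config(BASELINE, CURRENT):
        print(f"{f.kind:8} [{f.category}] {f.header}")
```

Running the script against the two constructed configurations reports the redirected TACACS+ server as a "modified" block and the new account, tunnel, SPAN session and container feature as "added" blocks; in practice the baseline would be the last reviewed configuration pulled from the device, and any finding in a watched category should be reconciled against change records before it is dismissed.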
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4047953/salt-typhoon-apt-techniques-revealed-in-new-report.html