Salt Typhoon's surge extends far beyond US telcos
Plus, a brand-new backdoor, GhostSpider, is linked to the cyber spy crew's operations
The reach of the China-linked Salt Typhoon gang extends beyond telecommunications giants in the United States, and its arsenal includes several backdoors – including a brand-new malware dubbed GhostSpider – according to Trend Micro researchers.
While the crew has made headlines recently for hacking "thousands and thousands" of devices at US telcos, research published on Monday by Trend Micro's threat intel team suggests Salt Typhoon (which Trend tracks as Earth Estries) has also hit more than 20 organizations globally since 2023. These span various sectors – including technology, consulting, chemical and transportation industries, government agencies, and non-profit organizations (NGOs) in the US, the Asia-Pacific region, the Middle East, and South Africa.
Affected countries include Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the US, and Vietnam.
It's "one of the most aggressive Chinese advanced persistent threat (APT) groups," Trend Micro's Leon Chang, Theo Chen, Lenart Bermejo, and Ted Lee wrote.
Earth Estries (aka Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286) has conducted "prolonged attacks" against governments and internet service providers since 2020, according to Trend's researchers. Then, in mid-2022, the crew began targeting government service providers and telecom firms.
"We found that in 2023, the attackers had also targeted consulting firms and NGOs that work with the US federal government and military," the threat intel team observed.
These intrusions not only compromised telcos' database and cloud servers, but also attacked the firms' suppliers – in at least one instance implanting the Demodex rootkit on machines used by a major contractor to a dominant regional telecommunications provider. Trend Micro's analysts think that shows Salt Typhoon wanted to gain access to more targets.
Chang, Chen, Bermejo, and Lee added that they don't have enough evidence to definitively link Earth Estries to the most recent attacks against Verizon, AT&T, Lumen and other US telcos – because Trend Micro's team hasn't had access to "a more detailed report on Salt Typhoon." However, they can confirm that the tactics, techniques, and procedures (TTPs) are similar to those observed in attacks thought to be perpetrated by the Beijing-linked crew.
"Until we see a more detailed report coming out of Microsoft about what all the TTPs were used in the Salt Typhoon attacks against US telcos, we don't really have the capability to tie them directly together," Trend Micro's VP of Threat Intelligence Jon Clay told The Register.
How Salt Typhoon breaks in
The crew typically exploits public-facing server vulnerabilities for initial access. These include:
CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure. These can be chained to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.
CVE-2023-48788, a Fortinet FortiClient EMS SQL injection bug that allows an attacker to execute unauthorized code via specially crafted packets.
CVE-2022-3236, a code injection vulnerability in Sophos Firewall which allows for remote code execution (RCE).
CVE-2021-26855 (aka ProxyLogon), CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. These Microsoft Exchange server flaws can be chained to allow for RCE.
- China has utterly pwned 'thousands and thousands' of devices at US telcos
- Chinese cyberspies, Musk's Beijing ties, labelled 'real risk' to US security by senator
- Reminder: China-backed crews compromised 'multiple' US telcos in 'significant cyber espionage campaign'
- Chinese cyberspies reportedly breached Verizon, AT&T, Lumen
Then, the crew uses so-called "living-off-the-land" techniques – legitimate software tools and credentials, which allow the network intruders to snoop around without being detected.
In the case of Earth Estries/Salt Typhoon these include WMIC.exe – a command-line utility that allows users to access Windows Management Instrumentation (WMI) – and PsExec – another legitimate Windows tool that lets users execute processes on other systems without installing client software.
The attackers abuse these to move laterally through the networks, dropping malware and conducting long-term espionage.
Some of the malware spotted in these campaigns includes SnappyBee (aka Deed RAT) – a modular backdoor shared among Chinese-government-linked groups. Salt Typhoon also uses the Demodex rootkit to remain hidden, and GhostSpider – a previously undisclosed backdoor that can load different modules based on the attackers' specific purposes.
The Trend Micro team conceded that "Currently, we do not have sufficient evidence to attribute the Demodex rootkit and GhostSpider as a proprietary backdoor used by Earth Estries" ®