November 27, 2024 at 06:54PM
The China-linked Salt Typhoon gang, known for targeting U.S. telecommunications, has expanded globally since 2023, affecting over 20 organizations across various sectors. Their toolkit includes new malware called GhostSpider and the Demodex rootkit. Their tactics involve exploiting server vulnerabilities and using legitimate tools for stealthy infiltration and espionage.
### Meeting Takeaways
1. **Overview of Salt Typhoon**: The China-linked Salt Typhoon gang (also known as Earth Estries) has expanded its reach beyond US telecommunications companies, targeting over 20 organizations globally in various sectors, including technology, consulting, and government.
2. **Global Impact**: Affected countries include the US, India, Vietnam, Brazil, and several others across Asia-Pacific, the Middle East, and South Africa.
3. **Aggressive Tactics**: Salt Typhoon is classified as one of the most aggressive advanced persistent threat (APT) groups. They have been conducting prolonged attacks since 2020, concentrating on government and telecom sectors since mid-2022.
4. **Targeting Strategy**: The group has also focused on consulting firms and NGOs associated with the US federal government and military in 2023, indicating a strategic shift towards entities involved in government contracts.
5. **Attack Techniques**: The gang gains initial access by exploiting known vulnerabilities in public-facing servers and edge appliances (CVEs in Ivanti, Fortinet and Sophos products and in Microsoft Exchange). Once inside, it relies on “living-off-the-land” techniques, using legitimate administration tools such as WMIC.exe and PsExec to move laterally and blend in with normal admin activity, which means unpatched edge devices and unmonitored use of built-in remote-execution tools are the two gaps defenders should close first.
6. **Malware Arsenal**: Their toolset includes various malware, such as:
– **SnappyBee (Deed RAT)**: A modular backdoor used by multiple Chinese state-affiliated groups.
– **Demodex rootkit**: A kernel-mode rootkit used to hide the group's implants and activity from host-based defenses.
– **GhostSpider**: A newly identified backdoor tailored for specific tasks, with no definitive attribution yet to Salt Typhoon.
7. **Link to Recent Attacks**: While there is evidence of similar tactics used in recent intrusions against US telcos (Verizon, AT&T, Lumen), conclusive links to Salt Typhoon remain unverified pending more detailed reporting.
8. **Next Steps**: Await further detailed reports from Microsoft regarding TTPs used in the Salt Typhoon attacks to enhance understanding and attribution of the recent cyberattacks.
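The living-off-the-land behaviour described under item 5 (remote process creation through WMIC.exe, and PsExec on both the operator and the target side) is detectable in ordinary process-creation telemetry. The following is an added detection example written for this page; it is not code from the original report or from any vendor. The `ProcessEvent` records, host names, user names and command lines are constructed for illustration, and the rule names are hypothetical. It assumes Sysmon Event ID 1 or Security 4688 style fields (parent image, image, command line), and it deliberately ignores local `wmic` queries, which are routine administration, so that only the remote-execution shape of these tools is flagged.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample events for the example; not real telemetry from any incident.
SAMPLE_EVENTS = [
    # Remote process creation over WMI from WS01 to FS02: the LOTL pattern to flag.
    ProcessEvent("WS01", "CORP\\admin", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic /node:"FS02" /user:CORP\svc_backup process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"'),
    # Local WMIC query: normal admin use, should not fire.
    ProcessEvent("WS01", "CORP\\admin", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    # Target side of PsExec: PSEXESVC.exe is the service PsExec drops, so its
    # children are commands executed remotely.
    ProcessEvent("FS02", "NT AUTHORITY\\SYSTEM", r"C:\Windows\PSEXESVC.exe",
                 r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c net group "Domain Admins" /domain'),
    # Operator side of PsExec: launching a shell as SYSTEM on DC01.
    ProcessEvent("WS03", "CORP\\jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Tools\PsExec.exe", r"PsExec.exe \\DC01 -s -accepteula cmd.exe"),
    # Benign noise.
    ProcessEvent("WS03", "CORP\\jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "winword.exe /n"),
]

# "wmic /node:<host> ... process call create <cmd>" starts a process on a remote
# host over DCOM/WMI. Local wmic invocations have no /node: switch.
WMIC_REMOTE_CREATE = re.compile(r"/node:.*process\s+call\s+create",
                                re.IGNORECASE | re.DOTALL)
# PsExec's first positional argument is the target in \\host form.
PSEXEC_TARGET = re.compile(r"(?:^|\s)\\\\[\w.-]+")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of all rules (hypothetical names) that an event matches."""
    rules: list[str] = []
    image = _basename(event.image)
    parent = _basename(event.parent_image)
    if image == "wmic.exe" and WMIC_REMOTE_CREATE.search(event.command_line):
        rules.append("wmic_remote_process_create")
    if image in ("psexec.exe", "psexec64.exe") and PSEXEC_TARGET.search(event.command_line):
        rules.append("psexec_remote_launch")
    if parent == "psexesvc.exe":
        rules.append("psexec_service_child")
    return rules


def detect(events: list[ProcessEvent]) -> list[dict]:
    """Run every rule over the event stream and return one finding per match."""
    findings: list[dict] = []
    for e in events:
        for rule in classify(e):
            findings.append({"host": e.host, "user": e.user,
                             "rule": rule, "command_line": e.command_line})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['command_line']}")
```

Run against the constructed events, `detect` returns three findings (the remote WMIC call, the PSEXESVC child on FS02 and the PsExec launch against DC01) and stays silent on the local `wmic os get caption` and the Word launch. In a real environment these rules still fire on legitimate administrators, so the practical next step is to baseline which accounts and source hosts are expected to use remote WMIC and PsExec and alert on everything else, rather than to suppress the rules.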
This summary encapsulates the main points of concern regarding Salt Typhoon’s activities and their impact on global security and infrastructure.