Salt Typhoon Builds Out Malware Arsenal With GhostSpider

November 26, 2024 at 03:23PM

Salt Typhoon, a Chinese advanced persistent threat (APT), has been spying on high-value government and telecommunications organizations globally since 2023, deploying new malware like GhostSpider. Known for its sophisticated strategies, the group uses various attack methods, including exploiting vulnerabilities in Internet-facing devices, to infiltrate networks and access sensitive information.

### Meeting Takeaways on Salt Typhoon Threat Actor

**Overview:**
– Salt Typhoon, a Chinese advanced persistent threat (APT) group known by various names (Earth Estries, FamousSparrow, GhostEmperor, UNC2286), has been involved in espionage against high-value government and telecommunications organizations, utilizing newly developed malware called GhostSpider.

**Key Points:**
1. **Activity and Targeting:**
– Salt Typhoon has compromised over 20 organizations globally since 2023, with a focus on US telecommunications companies, including T-Mobile USA, and various ISPs in North America.
– The group’s espionage operations have sometimes gone undetected for years, showing a high level of sophistication.

2. **Malware Arsenal:**
– The group employs a variety of malware, including:
  – **GhostSpider:** A highly modular backdoor that can be adapted to specific attack scenarios.
  – **Masol RAT:** Used primarily against Linux servers, particularly in Southeast Asian government networks.
  – **SnappyBee (Deed RAT):** A modular tool also included in their arsenal.
  – **Demodex Rootkit:** A significant component of their malware toolkit.
  – Speculated use of **Inc Ransomware** in operations.

3. **Operational Structure:**
– Salt Typhoon’s operations are highly organized with distinct teams focusing on specific malware, geographic regions, and target sectors. This complexity complicates tracking and mitigation efforts.

4. **Entry Strategies:**
– The group has shifted from phishing to exploiting internet-facing devices, targeting already-patched, publicly known vulnerabilities (so-called “n-day” vulnerabilities) in a range of systems.
– Vulnerabilities they exploit include:
  – CVE-2024-48788 (Fortinet EMS)
  – CVE-2022-3236 (Sophos Firewalls)
  – Microsoft Exchange vulnerabilities related to ProxyLogon.
– Phishing is still used, but it now accounts for a smaller share of initial access than it once did.

5. **Strategic Targeting:**
– Salt Typhoon often compromises NGOs and consulting firms connected to the US government and military to gain indirect access to more critical government targets.

6. **Geographic Focus:**
– The group’s activities span multiple continents, with a notable concentration in Southeast Asia, targeting sectors including telecommunications, technology, consulting, chemical, transportation, and nonprofit organizations.

### Conclusion:
Salt Typhoon remains a formidable threat with sophisticated operational tactics and a diverse malware toolkit. Continuous monitoring and proactive defenses are imperative for organizations at risk of such threats.