This week we briefed our clients on some Lessons Learned from the Salt Typhoon telecom hacks, a new use of Fake Captcha, and additional vulnerabilities.
KEY TAKEAWAYS
In early December 2024, it was confirmed that the Chinese espionage group known as Salt Typhoon breached numerous U.S. telecommunications networks. While the full scale and scope of this attack are still unclear, there is reporting that this campaign may have started as early as the fall of 2023, and at least 9 telecommunications firms have been confirmed to have been breached. Most of the companies involved in the breaches claim the attackers only accessed small segments of users' data, stating the attackers targeted "high profile" users such as politicians and government officials.
Most organizations will never face sophisticated nation-state groups such as Salt Typhoon; however, there are some essential lessons from this attack that can be applied to every organization.
Lessons Learned
Initial Access - Nation-state groups such as Salt Typhoon, along with numerous ransomware groups, are known to target vulnerabilities in edge devices, such as firewalls, VPNs, and remote access gateways. These devices are supposed to enhance an organization's network security posture, but critical vulnerabilities in them make them one of its greatest security risks. In 2025, it is very likely we will continue to see critical vulnerabilities across these products. Organizations should have well-documented and practiced emergency patch management procedures so that updates can be applied to these devices as soon as they are available.
Network Segmentation and Least Privilege - One of the more startling revelations from this telecom hack is that one of the companies breached had a network management account (not protected by MFA) that had access to over 100,000 individual routers throughout the organization. These high-privilege accounts with one-to-many access are an absolute goldmine for attackers. By compromising a single account, they are then able to pivot across thousands of machines and networks. This is effectively the opposite of "zero-trust".
Ideally, networks should be segmented based on data sensitivity and user roles. All accounts, especially high-privilege accounts, should have mandatory MFA. Separate accounts should be used for administrative and non-administrative tasks, and elevated privileges should be granted temporarily, and removed once the task is completed. Highly privileged accounts should also be logged and monitored for suspicious behavior, such as abnormal login times, or geographically impossible logins.
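The monitoring recommendation above, as an added example (not from the original report): a small Python detector that flags off-hours logins and geographically impossible travel for a set of privileged accounts. The account names, coordinates, 900 km/h travel threshold and 07:00-19:59 UTC business-hours window are constructed assumptions.

```python
"""Flag suspicious privileged-account logins: off-hours activity and
geographically impossible travel between consecutive sign-ins."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (account, ISO-8601 timestamp, latitude, longitude).
# The first two netmgmt-admin sign-ins are ~6,500 km apart but only 40 minutes apart.
SAMPLE_EVENTS = [
    ("netmgmt-admin", "2024-12-09T10:05:00+00:00", 38.90, -77.04),  # Washington, DC
    ("netmgmt-admin", "2024-12-09T10:45:00+00:00", 50.11, 8.68),    # Frankfurt
    ("netmgmt-admin", "2024-12-10T03:10:00+00:00", 38.90, -77.04),  # 03:10 UTC
    ("helpdesk-user", "2024-12-09T09:00:00+00:00", 38.90, -77.04),
]
PRIVILEGED = {"netmgmt-admin"}       # accounts that get the extra scrutiny (assumption)
MAX_SPEED_KMH = 900.0                # faster than a commercial flight is "impossible"
WORK_HOURS = range(7, 20)            # 07:00-19:59 UTC counts as business hours (assumption)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def find_anomalies(events, privileged=PRIVILEGED):
    """Return (account, reason, timestamp) for each privileged-account anomaly."""
    alerts = []
    last_seen = {}  # account -> (datetime, lat, lon) of the previous sign-in
    for account, ts, lat, lon in sorted(events, key=lambda e: e[1]):
        if account not in privileged:
            continue
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        if when.hour not in WORK_HOURS:
            alerts.append((account, "off-hours login", ts))
        if account in last_seen:
            prev_when, plat, plon = last_seen[account]
            hours = (when - prev_when).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            if hours > 0 and dist / hours > MAX_SPEED_KMH:
                alerts.append((account, f"impossible travel: {dist:.0f} km in {hours * 60:.0f} min", ts))
        last_seen[account] = (when, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_EVENTS):
        print(alert)
```

The Frankfurt sign-in 40 minutes after Washington trips the travel rule, while the 16-hour return trip does not; only the accounts listed in PRIVILEGED are evaluated.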
Conclusion
Some threat actors do have an arsenal of advanced techniques and tools that can evade detection and make it harder to defend, but too often, APTs and ransomware groups alike rely on gaps in security fundamentals to achieve their goals. By following basic security best practices, organizations can thwart or at least detect these threat actors in early stages of the attack. Let's make 2025 the year where hackers at least have to try in order to succeed.
Vulnerability Roundup
The previous Intel Report highlighted a growing trend among threat actors to leverage fake Captcha sites to entice users to run PowerShell code on their devices. Previous campaigns targeted streaming and anime sites; however, a new campaign observed last week involved fake Microsoft Teams sites: microstteams[.]com and microsoft-msteams[.]com.
Fig. 1: Fake Cloudflare Security Verification
Fig. 2: Code snippet of additional PowerShell
This additional PowerShell downloads Node.js to the victim machine, and then executes a series of JavaScript commands that gather system information and download additional malware from command-and-control infrastructure at 23.227.203[.]162, 65.109.226[.]176, and 65.38.120[.]47. The JavaScript also includes a set of hostnames with a [word]-[word]-[word]-[word].trycloudflare[.]com naming pattern, e.g. bidder-horizontal-wildlife-invoice[.]trycloudflare[.]com. These domains have recently been mapped to a threat actor known as Mustard Tempest, who operates the SocGholish fake update campaigns.
*.ip:(23.227.203.162 OR 65.109.226.176 OR 65.38.120.47)
http.host:(microstteams.com OR microsoft-msteams.com)
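The indicators described above, applied to local telemetry as an added example (not part of the original report): a Python scanner that checks proxy/DNS-style log lines for the two fake Teams domains, the three C2 addresses, and the four-word trycloudflare hostname pattern. The log format and the sample lines are constructed; the indicator values are the ones from the report with defanging removed.

```python
"""Scan proxy/DNS-style log lines for the fake Teams domains, the C2 IPs and the
four-word trycloudflare hostname pattern described in the report."""
import re

# Indicators from the report, with the defanging brackets removed.
C2_IPS = {"23.227.203.162", "65.109.226.176", "65.38.120.47"}
FAKE_TEAMS_DOMAINS = {"microstteams.com", "microsoft-msteams.com"}
# [word]-[word]-[word]-[word].trycloudflare.com; quick tunnels are also used
# legitimately, so this is a triage signal rather than a block decision.
TRYCLOUDFLARE_RE = re.compile(r"^(?:[a-z0-9]+-){3}[a-z0-9]+\.trycloudflare\.com$", re.I)
# Constructed log format (assumption): "<timestamp> <src_ip> <host> <dst_ip>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def classify(host, dst_ip):
    """Return the list of indicator categories a host/destination pair matches."""
    host = host.lower().rstrip(".")
    reasons = []
    if host in FAKE_TEAMS_DOMAINS:
        reasons.append("fake-teams-domain")
    if TRYCLOUDFLARE_RE.match(host):
        reasons.append("trycloudflare-tunnel-pattern")
    if dst_ip in C2_IPS:
        reasons.append("known-c2-ip")
    return reasons

def scan_log(lines):
    """Parse each line and keep those matching at least one indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, src, host, dst = m.groups()
        reasons = classify(host, dst)
        if reasons:
            hits.append({"ts": ts, "src": src, "host": host, "dst": dst, "reasons": reasons})
    return hits

# Constructed sample log; 203.0.113.x / 198.51.100.x are documentation addresses.
SAMPLE_LOG = [
    "2025-01-10T14:02:11Z 10.0.0.5 microstteams.com 203.0.113.10",
    "2025-01-10T14:02:19Z 10.0.0.5 bidder-horizontal-wildlife-invoice.trycloudflare.com 198.51.100.20",
    "2025-01-10T14:03:40Z 10.0.0.5 update.example.net 65.109.226.176",
    "2025-01-10T14:05:00Z 10.0.0.7 teams.microsoft.com 203.0.113.77",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```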
Last week, SonicWall disclosed a new set of vulnerabilities in SonicOS. Included is a "high" severity authentication bypass vulnerability in SonicOS SSLVPN, tracked as CVE-2024-53704. Administrators are urged to upgrade to the following versions:
Additional mitigation recommendations from SonicWall include restricting SSLVPN access to trusted sources, as well as restricting firewall management to trusted sources, up to and including disabling firewall SSH management from internet access.
Researchers from SafeBreach Labs have released a proof-of-concept that exploits the recently patched CVE-2024-49113, an out-of-bounds read vulnerability in Windows Lightweight Directory Access Protocol (LDAP). This vulnerability was patched as part of Microsoft's December Patch Tuesday. According to SafeBreach, the only prerequisite for the exploit to work is that the "DNS server of the victim Domain Controller has internet connectivity". Successful exploitation with the PoC code causes the LSASS service to crash and force a reboot. Additionally, this exploit can be modified to abuse CVE-2024-49112 (another critical flaw in LDAP) and achieve remote code execution. Administrators are strongly urged to apply the December Patch Tuesday updates as soon as possible.
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.