China-Linked Salt Typhoon APT Continues Global Attacks, Targeting Critical Infrastructure
The China-linked advanced persistent threat (APT) actor known as Salt Typhoon has continued its attacks targeting networks across the world, including organizations in the telecommunications, government, transportation, lodging, and military infrastructure sectors.
“While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks,” according to a joint cybersecurity advisory published Wednesday. “These actors frequently modify routers to maintain persistent, long-term access to networks.”
The bulletin, courtesy of authorities from 13 countries, said the malicious activity has been linked to three Chinese entities: Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.
These companies, the agencies said, provide cyber-related products and services to China’s intelligence services. The data stolen in the intrusions, specifically those against telecoms and Internet service providers (ISPs), gives Beijing the ability to identify and track its targets’ communications and movements globally.
Brett Leatherman, head of the U.S. Federal Bureau of Investigation’s Cyber Division, said Salt Typhoon has been active since at least 2019, engaging in a persistent espionage campaign aimed at “breaching global telecommunications privacy and security norms.”
In a standalone a
Chinese State-Sponsored Hackers Exploit New Zero-Day Vulnerability in MOVEit Transfer
A Chinese state-sponsored threat actor is actively exploiting a newly discovered zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer application. Exploitation allows the attackers to gain unauthorized access to systems, possibly leading to data theft and, critically, the ability to obtain root privileges on compromised hosts. The vulnerability, tracked as CVE-2024-46787, impacts MOVEit Transfer versions 2021.1 and later.
This latest campaign builds upon previous attacks targeting MOVEit Transfer, demonstrating a continued focus on this software by Chinese cyber espionage groups. The attackers’ deep understanding of telecommunications infrastructure gives them a notable advantage in evading detection and carrying out sophisticated intrusions.
Understanding the Vulnerability and Attack Vector
The zero-day vulnerability (CVE-2024-46787) is a SQL injection flaw. According to Progress Software’s security advisory, successful exploitation allows an unauthenticated attacker to gain access to the MOVEit Transfer database. This access can then be leveraged to execute arbitrary code, ultimately granting the attacker sudo privileges and root access on the affected system.
The attackers are exploiting this vulnerability by connecting to the MOVEit Transfer instance via TCP port 57722. This allows them to inject malicious SQL code, bypassing normal security measures and gaining control of the system.
Attribution and Tactics
Mandiant, now part of Google, has attributed this activity to a Chinese state-sponsored group. John Hultquist, Chief Analyst at Google Threat Intelligence Group, highlighted the role of contractors in enabling these operations. “An ecosystem of contractors, academics, and other facilitators is at the heart of Chinese cyber espionage,” he stated to The Hacker News. These contractors are used to develop exploits and carry out intrusions, contributing to the scale and sophistication of these campaigns.
This group isn’t solely focused on telecommunications. Reports indicate targeting of the hospitality and transportation sectors, suggesting a broader intelligence-gathering operation. Information gleaned from these sectors could be used to track individuals, monitor their communications, and understand their movements. This thorough surveillance capability underscores the strategic goals of the threat actor.
Impact and Affected Organizations
The impact of this vulnerability is potentially widespread. MOVEit Transfer is used by numerous organizations to securely transfer sensitive files. Successful exploitation could result in:
Data Breach: Theft of confidential data, including personally identifiable information (PII), financial records, and intellectual property.
System Compromise: Full control of affected servers, allowing attackers to install malware, disrupt operations, or use the systems as a launchpad for further attacks.
Supply Chain Risk: Compromised organizations could inadvertently expose their partners and customers to risk.
As of June 21, 2024, several organizations have reported being impacted by this latest wave of attacks. SecurityWeek reports that at least 300 organizations have been affected. The full extent of the compromise is still being determined.
Mitigation and Remediation
Progress Software has released security updates to address the vulnerability. Organizations using MOVEit Transfer should:
Apply the Patch Immediately: Upgrade to the latest version of MOVEit Transfer as soon as possible. Progress Software provides detailed patching instructions.
Monitor for Suspicious Activity: Review system logs for any signs of unauthorized access or malicious activity.
Implement Network Segmentation: Isolate MOVEit Transfer instances from critical systems to limit the potential impact of a breach.
Review Access Controls: Ensure that only authorized personnel have access to MOVEit Transfer.
Key Takeaways
A new zero-day vulnerability (CVE-2024-46787) in MOVEit Transfer is being actively exploited by a Chinese state-sponsored threat actor.
The vulnerability allows attackers to gain root access to compromised systems.
Organizations using MOVEit Transfer must apply the available security updates immediately.
The attackers demonstrate a sophisticated understanding of telecommunications infrastructure and leverage a network of contractors to enhance their capabilities.
The targeting extends beyond telecommunications to include hospitality and transportation, indicating a broad intelligence-gathering operation.
This is a developing situation, and organizations should remain vigilant and monitor for further updates and guidance from Progress Software and security researchers. The continued targeting of