Salt Typhoon: A Persistent Threat to Global Telecommunications Infrastructure
Tags
cmtmf-attack-pattern: Command And Scripting Interpreter Exploit Public-Facing Application Obfuscated Files Or Information Process Injection Scheduled Task/Job
country: China
maec-delivery-vectors: Watering Hole
attack-pattern: Data Models Command And Scripting Interpreter - T1623 Create Or Modify System Process - T1543 Credentials - T1589.001 Data From Local System - T1533 Dll Side-Loading - T1574.002 Dns - T1071.004 Dns - T1590.002 Exfiltration Over C2 Channel - T1646 Exploitation For Privilege Escalation - T1404 Exploit Public-Facing Application - T1377 Exploits - T1587.004 Exploits - T1588.005 Hijack Execution Flow - T1625 Hijack Execution Flow - T1574 Indicator Removal From Tools - T1027.005 Installutil - T1218.004 Internal Proxy - T1090.001 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 Msiexec - T1218.007 Multi-Factor Authentication - T1556.006 Ntds - T1003.003 Phishing - T1660 Phishing - T1566 Process Injection - T1631 Rundll32 - T1218.011 Scheduled Task - T1053.005 Scheduled Task/Job - T1603 Server - T1583.004 Server - T1584.004 Software - T1592.002 Windows Service - T1543.003 Tool - T1588.002 Vulnerabilities - T1588.006 Command-Line Interface - T1059 Connection Proxy - T1090 Credential Dumping - T1003 Data From Local System - T1005 Dll Side-Loading - T1073 Exfiltration Over Command And Control Channel - T1041 Exploit Public-Facing Application - T1190 Exploitation For Privilege Escalation - T1068 Indicator Removal From Tools - T1066 Installutil - T1118 Modify Registry - T1112 New Service - T1050 Obfuscated Files Or Information - T1027 Process Injection - T1055 Remote Services - T1021 Rootkit - T1014 Rundll32 - T1085 Scheduled Task - T1053 Scripting - T1064 Valid Accounts - T1078 Exploit Public-Facing Application Rootkit Scripting Valid Accounts
Common Information
Type Value
UUID c4c25667-3dce-4463-8521-8a0b4d27e41a
Fingerprint b550991104b9ff01
Analysis status DONE
Considered CTI value 2
Text language
Published Dec. 20, 2024, 12:17 p.m.
Added to db Dec. 21, 2024, 3:40 a.m.
Last updated Dec. 24, 2024, 1:43 p.m.
Headline Salt Typhoon: A Persistent Threat to Global Telecommunications Infrastructure
Title Salt Typhoon: A Persistent Threat to Global Telecommunications Infrastructure
Detected Hints/Tags/Attributes 162/4/159
RSS Feed
Attributes
Details Type #Events CTI Value
T1059  MITRE ATT&CK Techniques  743
T1112  MITRE ATT&CK Techniques  581
T1543.003  MITRE ATT&CK Techniques  193
T1068  MITRE ATT&CK Techniques  222
T1078  MITRE ATT&CK Techniques  343
T1053.005  MITRE ATT&CK Techniques  301
T1574.002  MITRE ATT&CK Techniques  246
T1027  MITRE ATT&CK Techniques  680
T1027.005  MITRE ATT&CK Techniques  49
T1021  MITRE ATT&CK Techniques  179
T1003.003  MITRE ATT&CK Techniques  76
T1005  MITRE ATT&CK Techniques  562
T1041  MITRE ATT&CK Techniques  459
T1090.001  MITRE ATT&CK Techniques  38
https://api.anonfiles.com/upload  Url  2
https://thediplomat.com/2024/12/salt-typhoon-chinas-attack-on-us-telecommunications-networks/  Url  1
https://www.darkreading.com/application-security/salt-typhoon-malware-arsenal-ghostspider  Url  1
https://www.trendmicro.com/en_nl/research/24/k/earth-estries.html  Url  1
https://cybersecuritynews.com/chinese-apt-attacking-telecoms/  Url  1
https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html  Url  1
https://www.bleepingcomputer.com/news/security/salt-typhoon-hackers-backdoor-telcos-with-new-ghostspider-malware/  Url  2
https://www.theregister.com/2024/10/07/verizon_att_lumen_salt_typhoon/  Url  1
https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b  Url  1
https://fieldeffect.com/blog/salt-typhoon-unleashes-ghostspider-on-telecoms  Url  1
cve-2023-46805  CVE  55
cve-2024-21887  CVE  71
cve-2023-48788  CVE  46
cve-2022-3236  CVE  39
cve-2021-26855  CVE  223
cve-2021-26857  CVE  111
cve-2021-26858  CVE  113
cve-2021-27065  CVE  155
UNC2286  Mandiant Uncategorized Groups  32
T1190  MITRE ATT&CK Techniques  593
https://www.dmnews.com/chinese-hacking-group-targets-telecom-networks/  Url  1
https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-t-mobiles-routers-to-scope-out-network/  Url  1
https://www.t-mobile.com/news/un-carrier/update-cyberattacks-targeting-us-wireless-companies  Url  1
https://www.trendmicro.com/en_in/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html  Url  1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run  Windows Registry Key  200