Concise Cyber


Salt Typhoon Targets Global Governments via Microsoft SharePoint Vulnerabilities

The China-linked threat actor known as Salt Typhoon executed a widespread cyber-espionage campaign targeting governmental organizations across North America, Europe, and Asia. The group gained initial access to networks by exploiting a known remote code execution vulnerability in Microsoft SharePoint Server.

According to reports from cybersecurity agencies, Salt Typhoon’s operations are characterized by their focus on intelligence gathering from government entities. The attacks were identified and detailed in advisories issued by organizations including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft.

Exploitation and Attack Infrastructure

The primary entry vector for the attacks was the exploitation of CVE-2019-0604, a critical vulnerability in Microsoft SharePoint. Upon successful exploitation, Salt Typhoon deployed web shells onto the compromised servers. These web shells provided the attackers with persistent access and the ability to execute commands on the target systems.

To maintain control and exfiltrate data, the group used a custom backdoor malware referred to as “Mangled Sieve.” The command and control (C2) infrastructure for this campaign was built on a network of compromised Ubiquiti EdgeRouters. Routing malicious traffic through legitimate small office and home office (SOHO) devices made the threat actor’s activity harder to detect and trace.
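The web-shell stage described above is the point at which a defender has the clearest host-side artefact: a new or altered ASP.NET page under the SharePoint web root that contains command-execution or dynamic-code primitives. The following script is an added example written for this summary; it is not from the article, from Microsoft, or from CISA, and it is not a signature for “Mangled Sieve” (the page gives no indicators for it). It compares the web root against a known-good hash baseline and flags files that are unknown or changed and that match a small set of suspicious ASP.NET patterns. The directory layout, the baseline and the sample files are constructed for the demonstration, and the pattern list is an assumption a reviewer would tune for their own deployment.

```python
"""Web-shell triage scan for an IIS/SharePoint web root (added example).

Flags .aspx/.ashx/.asmx files that are absent from, or differ from, a
known-good hash baseline, and raises severity when the file also contains
primitives that let a page run OS commands or load attacker-supplied code.
"""
import hashlib
import os
import re
import tempfile

# Heuristic indicators (assumed list, tune per deployment): benign pages
# rarely spawn processes, reference cmd.exe, or compile code at runtime.
SUSPICIOUS_PATTERNS = {
    "process_start": re.compile(r"System\.Diagnostics\.Process|Process\.Start", re.IGNORECASE),
    "shell_binary": re.compile(r"\b(cmd|powershell)\.exe\b", re.IGNORECASE),
    "dynamic_load": re.compile(r"Assembly\.Load|CompileAssemblyFromSource", re.IGNORECASE),
    "request_param": re.compile(r"Request\.(Form|QueryString|Headers)\s*\[", re.IGNORECASE),
}
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx"}
_ORDER = {"high": 0, "medium": 1, "low": 2}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large pages are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(known, unchanged, hits):
    """Severity: unknown/changed file with suspicious content is the strong case."""
    if hits and not (known and unchanged):
        return "high"
    if hits:
        return "medium"      # matches but baseline says it shipped this way: review
    if not (known and unchanged):
        return "low"         # drift without indicators: confirm against change records
    return None


def scan_webroot(root, baseline):
    """Walk `root`; return findings sorted by severity, then path.

    baseline maps a forward-slash relative path to the SHA-256 of the
    known-good file content (e.g. taken from a clean install or deployment).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            hits = sorted(k for k, p in SUSPICIOUS_PATTERNS.items() if p.search(content))
            known = rel in baseline
            unchanged = known and baseline[rel] == sha256_file(full)
            severity = classify(known, unchanged, hits)
            if severity:
                findings.append({"path": rel, "severity": severity, "hits": hits,
                                 "known": known, "unchanged": unchanged})
    return sorted(findings, key=lambda f: (_ORDER[f["severity"]], f["path"]))


def _write(directory, name, text):
    # Write bytes so the hash is identical on Windows and POSIX.
    with open(os.path.join(directory, name), "wb") as fh:
        fh.write(text.encode("utf-8"))


def build_demo_webroot():
    """Constructed sample: one clean page, one drifted page, one indicator file."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    pages = os.path.join(root, "pages")
    os.makedirs(pages)
    welcome = '<%@ Page Language="C#" %>\n<html><body>Welcome</body></html>\n'
    search_original = '<%@ Page Language="C#" %>\n<html><body>Search v1</body></html>\n'
    search_modified = '<%@ Page Language="C#" %>\n<html><body>Search v1 (edited)</body></html>\n'
    # Deliberately non-functional text carrying the indicator strings only.
    indicator = ('<%-- constructed indicator sample, not functional: '
                 'System.Diagnostics.Process.Start cmd.exe Request.Form["c"] --%>\n')
    _write(pages, "welcome.aspx", welcome)
    _write(pages, "search.aspx", search_modified)   # drifted from baseline
    _write(pages, "zz_health.aspx", indicator)      # not in baseline at all
    baseline = {
        "pages/welcome.aspx": hashlib.sha256(welcome.encode("utf-8")).hexdigest(),
        "pages/search.aspx": hashlib.sha256(search_original.encode("utf-8")).hexdigest(),
    }
    return root, baseline


def run_demo():
    root, baseline = build_demo_webroot()
    return scan_webroot(root, baseline)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["severity"].upper(), finding["path"], finding["hits"])
```

On a real server the baseline would come from a clean installation or the deployment pipeline, and the scan would be scheduled and shipped to the SIEM; the hash comparison is what catches a web shell dropped as a fresh file, while the pattern match is what separates an unexpected page from routine content drift.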

Global Scope and Espionage Focus

The campaign’s targets were not limited to a single region; governmental bodies on at least three continents were compromised. This global reach highlights the scale and resources of the Salt Typhoon operation. The group, which is also tracked under the alias Volt Typhoon, has been observed primarily targeting U.S. government agencies as part of its intelligence-gathering objectives.

The actions of Salt Typhoon are consistent with a state-sponsored espionage mission, focused on accessing and stealing sensitive information from government networks rather than on direct financial gain. The use of living-off-the-land techniques and compromised network hardware demonstrates a sophisticated approach to maintaining long-term, stealthy access.

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
