Security teams and individuals across the US need to take immediate precautions to counter the surveillance threat posed by Chinese ‘Salt Typhoon’ hackers, who have burrowed deep into telecoms infrastructure, according to the US Cybersecurity and Infrastructure Security Agency (CISA). CISA issued an official alert recommending defensive measures on December 3, as federal officials briefed journalists on the threat.

And for the first time ever, it seems that it is not only telcos and businesses that should be worried. According to a report based on comments made by officials from the FBI and CISA, ordinary Americans too should consider using encrypted channels for important communication to counter the same snooping. A high-profile example of this type of espionage was the targeting of smartphones used by Donald Trump and running mate JD Vance during their presidential campaign.

The alleged Chinese attacks, codenamed Salt Typhoon by Microsoft, were first made public by The Wall Street Journal in late September. They are shaping up to be the biggest cyber-incursion by Chinese actors since the vast Aurora attacks on US companies made public by Google in late 2009. The shock from those attacks led to a reassessment by security managers across the land, marking the moment when cybersecurity became a geopolitical anxiety in the US. Enemies not only had a motive to hack the US, they had the ability too.

However, Salt Typhoon isn’t just about targeting companies to steal their secrets: it represents an attack on the communications systems used by everyone. As a November joint statement from the FBI and CISA put it: “Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity. We expect our understanding of these compromises to grow as the investigation continues.”

Those compromised networks included infrastructure belonging to Verizon, AT&T, and Lumen Technologies (formerly CenturyLink). One issue is that nobody yet understands the full scope of the attacks, which encompassed multiple organizations and attack vectors. That means they can’t be sure they’ve been stopped. That possibility puts the security of all unencrypted communication in doubt.
E2EE is your friend
The data at risk relates to fixed-line and mobile voice, data, text, and video channels that are part of telecommunications services rather than web data. This includes SMS text messages, which are not encrypted, one reason why users of this 1990s technology were put on notice by NIST as far back as 2016. By contrast, end-to-end encryption (E2EE) is available on newer messaging platforms developed by Google (RCS) and Apple’s iMessage, but not yet for messages sent between them.

This is a characteristic of telecoms systems, which have rolled out encryption over the years in a piecemeal way. Some channels are encrypted (text), some might not be (voice), or are encrypted but to a lower standard, for example 5G versus 4G. Even experts can’t always say what is and isn’t encrypted by default.

A bright spot is that E2EE apps such as WhatsApp and Signal will be secure. The irony of this won’t be lost on anyone who has reported on the ongoing battle between the US government and its allies and end-to-end encrypted messaging providers. The authorities would like a way to peer inside those apps to counter alleged criminality. Now it turns out that the same hard-to-defeat public key encryption could save Americans from Chinese advanced persistent threat (APT) groups.

“Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” CISA’s executive assistant director for cybersecurity Jeff Greene told NBC News this week.
CISA’s recommendations
At more than 2,000 words in length, CISA’s list of mitigations and ‘have you done this?’ advice is surprisingly detailed, much of it covering things one would assume security teams are already on top of. But it’s still an unusual homework list for one alert.

“As of this release date, identified exploitations or compromises associated with these threat actors’ activity align with existing weaknesses associated with victim infrastructure; no novel activity has been observed,” wrote CISA, not reassuringly.

Recommended checks include investigating configuration modifications, monitoring service accounts, checking SIEM correlations for anomalies, and ensuring network segmentation and DMZs are set up correctly. A common thread in the advice is the vulnerability of external connectivity, including VPNs, legacy SSH-1, and FTP, and the weak points that are passwords, authentication, access control and patching.

Advice specific to Cisco equipment includes disabling telnet, disabling Cisco’s Linux guestshell, and where possible disabling web interfaces in favor of the command line.

This is generic advice of the sort that peppers any security alert put out by governments across the world in the last decade. Clearly, some of it is not being acted on, possibly because telco networks are often full of equipment dating back years which has been forgotten about. In summary: audit everything to find old, vulnerable stuff and keep doing this indefinitely.

Although US providers are the focus of Salt Typhoon, there is no reason why the vulnerabilities that made compromise possible couldn’t apply to telecoms infrastructure in other countries using the same equipment.
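One way to turn the Cisco-specific items above (telnet on vty lines, the web interface, SSH-1 still negotiable, the guestshell) into a repeatable audit of a device's running-config, written here as an added example and not taken from CISA's alert or any Cisco tooling. Both configurations are constructed samples, and treating the `iox` line (the application-hosting framework the guestshell runs on) as the guestshell indicator is an assumption.

```python
# Constructed sample of a Cisco IOS-style running-config (not a real device).
WEAK_CONFIG = """\
hostname edge-rtr-01
iox
ip http server
ip http secure-server
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

# Same device with the recommended changes applied (also constructed).
HARDENED_CONFIG = """\
hostname edge-rtr-01
no ip http server
no ip http secure-server
ip ssh version 2
!
line vty 0 15
 transport input ssh
!
end
"""

def audit_config(config: str) -> list[str]:
    """Return one finding per weak setting named in the guidance above."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    # Telnet accepted on any line block ("transport input ... telnet ...").
    current = None
    for ln in lines:
        if ln.startswith("line "):
            current = ln.strip()
        elif current and ln.strip().startswith("transport input") and "telnet" in ln.split():
            findings.append(f"telnet enabled on '{current}'")
    # Web management interface left on; the advice is to prefer the CLI.
    if any(ln in ("ip http server", "ip http secure-server") for ln in lines):
        findings.append("HTTP/HTTPS management interface enabled")
    # Without 'ip ssh version 2' the device may still negotiate legacy SSH-1.
    if "ip ssh version 2" not in lines:
        findings.append("SSH not restricted to version 2")
    # Assumption: 'iox' (IOx app hosting) is what lets the Linux guestshell run.
    if "iox" in lines:
        findings.append("IOx enabled (guestshell can run)")
    return findings
```

Run `audit_config` over a saved `show running-config` export and feed the findings into the same ticketing or SIEM pipeline used for the configuration-change monitoring the alert asks for.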
First seen on csoonline.com: www.csoonline.com/article/3617298/security-teams-should-act-now-to-counter-chinese-threat-says-cisa.html