
Salt Typhoon

Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and has been responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISPs).(Citation: US Dept. of Treasury Salt Typhoon JAN 2025)(Citation: Cisco Salt Typhoon FEB 2025)
ID: G1045
Created: 24 Feb 2025
Last Modified: 06 Mar 2025


Techniques Used

Domain ID Name Use
Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

Salt Typhoon has added SSH authorized_keys under root or other users at the Linux level on compromised network devices.(Citation: Cisco Salt Typhoon FEB 2025)
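Because the persistence is a file edit on the device's underlying Linux, the check is a comparison of each account's authorized_keys against an approved baseline. The following is an added example (not code from the Cisco report or from MITRE) that parses authorized_keys entries, including ones with an options field such as `command="..."`, computes the OpenSSH-style SHA256 fingerprint of each key, and flags entries whose fingerprint is not in the baseline or whose declared type disagrees with the key blob. The key material and file contents are constructed placeholders.

```python
import base64
import hashlib
import re

# Constructed sample data, not from the report: structurally valid ssh-ed25519
# blobs around placeholder key bytes, so the fingerprints are real SHA256
# fingerprints of fake keys.
def ed25519_blob(key_bytes: bytes) -> str:
    """Base64 wire encoding of an ssh-ed25519 public key (type string + key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519" + len(key_bytes).to_bytes(4, "big") + key_bytes
    return base64.b64encode(raw).decode()

BASELINE_AUTHORIZED_KEYS = "ssh-ed25519 " + ed25519_blob(bytes(range(32))) + " netops@jump01\n"

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# /root/.ssh/authorized_keys pulled from the device's Linux shell (constructed)",
    BASELINE_AUTHORIZED_KEYS.strip(),
    "ssh-ed25519 " + ed25519_blob(bytes([0x41] * 32)) + " admin",
    'command="/usr/bin/backup --all",no-pty ssh-ed25519 '
    + ed25519_blob(bytes([0x42] * 32)) + " backup",
])

KEY_TYPES = (r"ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)"
             r"|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com")
# Optional options field (may contain quoted spaces), key type, base64 blob, comment.
LINE_RE = re.compile(
    rf"^(?:(?P<opts>\S.*?)\s+)?(?P<type>{KEY_TYPES})\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: base64 of sha256(blob) with padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(blob_b64: str) -> str:
    """Key type embedded in the blob itself (first length-prefixed string)."""
    raw = base64.b64decode(blob_b64)
    n = int.from_bytes(raw[:4], "big")
    return raw[4:4 + n].decode("ascii", "replace")

def parse_authorized_keys(text: str) -> list[dict]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        try:
            entries.append({
                "line": lineno,
                "type": m["type"],
                "blob_type": blob_key_type(m["blob"]),
                "fingerprint": fingerprint(m["blob"]),
                "options": m["opts"] or "",
                "comment": m["comment"] or "",
            })
        except ValueError:  # binascii.Error is a ValueError: bad base64 in the blob
            entries.append({"line": lineno, "error": "undecodable key blob"})
    return entries

def audit_authorized_keys(current: str, baseline: str) -> list[dict]:
    """Entries in `current` that are malformed or not in the approved baseline."""
    approved = {e["fingerprint"] for e in parse_authorized_keys(baseline) if "fingerprint" in e}
    findings = []
    for e in parse_authorized_keys(current):
        if "error" in e:
            findings.append({**e, "reason": e["error"]})
        elif e["type"] != e["blob_type"]:
            findings.append({**e, "reason": "declared type does not match key blob"})
        elif e["fingerprint"] not in approved:
            findings.append({**e, "reason": "key not in baseline"})
    return findings

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE_AUTHORIZED_KEYS):
        print(f"line {f['line']}: {f['reason']} {f.get('fingerprint', '')} {f.get('comment', '')}")
```

Run it against the authorized_keys of every local account, root first, and treat any finding as an incident rather than a hygiene item: on a network device there is rarely a legitimate reason for a key to appear that was not deployed through configuration management.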

Enterprise T1110 .002 Brute Force: Password Cracking

Salt Typhoon has cracked passwords for accounts whose credentials were stored with weak or reversible encryption (for example Cisco type 7) in the configuration files of compromised network devices.(Citation: Cisco Salt Typhoon FEB 2025)

Enterprise T1602 .002 Data from Configuration Repository: Network Device Configuration Dump

Salt Typhoon has attempted to acquire credentials by dumping network device configurations.(Citation: Cisco Salt Typhoon FEB 2025)

Enterprise T1587 .001 Develop Capabilities: Malware

Salt Typhoon has used custom tooling including JumbledPath.(Citation: Cisco Salt Typhoon FEB 2025)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Salt Typhoon has exfiltrated configuration files from exploited network devices over FTP and TFTP.(Citation: Cisco Salt Typhoon FEB 2025)

Enterprise T1590 .004 Gather Victim Network Information: Network Topology

Salt Typhoon has used configuration files from exploited network devices to help discover upstream and downstream network segments.(Citation: Cisco Salt Typhoon FEB 2025)
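The three techniques above (recovering weakly protected credentials, dumping device configurations, and reading topology from them) are one workflow for the actor and one audit for the defender. The following is an added example, not code from the Cisco report or from MITRE, that runs over a constructed IOS-style configuration excerpt: it decodes Cisco type 7 strings (the well-known fixed-key XOR scheme), flags cleartext, type 7 and MD5-based credentials and SNMP communities as recoverable, and extracts the local subnets and static next hops that reveal upstream and downstream segments. The hostname, addresses, usernames and the type 9 placeholder hash are all made up; the `encode_type7` helper exists only so the decoder can be round-trip checked.

```python
import ipaddress
import re

# Constructed IOS-style configuration excerpt, not from the report.
# The type 9 value is a placeholder; the type 7 strings decode to "cisco" and "Adm1n".
SAMPLE_CONFIG = """\
hostname edge-sw01
!
enable password 7 094F471A1A0A
username netops privilege 15 password 7 052A02027042
username backup privilege 1 password 0 Backup123
username audit privilege 1 secret 9 $9$PLACEHOLDER_SCRYPT_HASH
!
snmp-server community public RO
tacacs server ISE
 address ipv4 10.20.30.5
 key 7 052A02027042
!
interface Loopback0
 ip address 10.255.0.11 255.255.255.255
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.100.0.254
ip route 172.16.0.0 255.255.0.0 10.100.0.253
"""

# Fixed XOR key of the Cisco type 7 obfuscation scheme.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded: str) -> str:
    """Two decimal digits of seed, then hex bytes XORed with XLAT starting at the seed."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))

def encode_type7(plain: str, seed: int = 0) -> str:
    """Inverse of decode_type7; used here only to round-trip check the decoder."""
    body = bytes(ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]) for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"

# <keyword> <type> <value>: enable, username, tacacs/radius and similar credential lines.
CRED_RE = re.compile(r"\b(?P<kw>password|secret|key)\s+(?P<type>\d)\s+(?P<val>\S+)")
SNMP_RE = re.compile(r"^snmp-server community (?P<community>\S+)")
VERDICT = {"0": "cleartext", "7": "reversible type 7", "5": "MD5-crypt, crackable offline",
           "8": "PBKDF2-SHA256", "9": "scrypt"}
WEAK_TYPES = {"0", "5", "7"}

def audit_credentials(config: str) -> list[dict]:
    """Flag credentials an attacker could recover from a dumped configuration."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.search(line)
        if m:
            t = m["type"]
            f = {"line": lineno, "keyword": m["kw"], "type": t,
                 "verdict": VERDICT.get(t, "unknown type"), "weak": t in WEAK_TYPES}
            if t == "0":
                f["recovered"] = m["val"]
            elif t == "7":
                f["recovered"] = decode_type7(m["val"])
            findings.append(f)
            continue
        m = SNMP_RE.match(line)
        if m:
            findings.append({"line": lineno, "keyword": "snmp-server community", "type": "0",
                             "verdict": "cleartext", "weak": True, "recovered": m["community"]})
    return findings

def map_topology(config: str) -> dict:
    """Local subnets and static next hops the same dump reveals (upstream/downstream segments)."""
    nets, hops = [], []
    for line in config.splitlines():
        m = re.match(r"^\s+ip address (\S+) (\S+)$", line)
        if m:
            nets.append(str(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network))
        m = re.match(r"^ip route (\S+) (\S+) (\S+)$", line)
        if m:
            hops.append((str(ipaddress.ip_network(f"{m[1]}/{m[2]}")), m[3]))
    return {"local_networks": nets, "next_hops": hops}

if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CONFIG):
        extra = f"recovered={f['recovered']!r}" if "recovered" in f else ""
        print(f"line {f['line']:>2} {f['keyword']:<22} type {f['type']} {f['verdict']:<28} {extra}")
    print(map_topology(SAMPLE_CONFIG))
```

The point of the audit is that `service password-encryption` only produces type 7, which is decodable in microseconds once a configuration has been dumped; only type 8 and type 9 secrets, and TACACS+/RADIUS keys that are themselves rotated, survive a configuration leak. The same dump also hands an intruder the next segments to move into, which is why configuration backups and TFTP/FTP servers deserve the same access controls as the devices.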

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Salt Typhoon has modified Access Control Lists (ACLs) and loopback interface addresses on compromised devices.(Citation: Cisco Salt Typhoon FEB 2025)

Enterprise T1070 .002 Indicator Removal: Clear Linux or Mac System Logs

Salt Typhoon has cleared logs including .bash_history, auth.log, lastlog, wtmp, and btmp.(Citation: Cisco Salt Typhoon FEB 2025)

Enterprise T1588 .002 Obtain Capabilities: Tool

Salt Typhoon has used publicly available tooling to exploit vulnerabilities.(Citation: Cisco Salt Typhoon FEB 2025)

Enterprise T1021 .004 Remote Services: SSH

Salt Typhoon has modified the loopback address on compromised switches and used them as the source of SSH connections to additional devices within the target environment, allowing them to bypass access control lists (ACLs).(Citation: Cisco Salt Typhoon FEB 2025)
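The ACL and loopback changes described under T1562.004 and the loopback-sourced SSH pivot described here leave two artefacts: a configuration drift on the compromised switch, and accepted SSH sessions on neighbouring devices whose source is another device's loopback rather than a jump host. The following is an added example, not code from the Cisco report or from MITRE, that does both checks on constructed data: it diffs the loopback addresses and ACL entries of a baseline and a current configuration, and it audits accepted logins in sshd syslog lines against an assumed management allowlist (jump hosts in 10.10.5.0/24, device loopbacks in 10.255.0.0/24). Every address, hostname and log line is made up.

```python
import ipaddress
import re

# Constructed configurations, not from the report. In CURRENT_CONFIG the loopback
# has been moved into the jump-host range that neighbours' ACLs permit, and an
# extra ACL entry has been added.
BASELINE_CONFIG = """\
interface Loopback0
 ip address 10.255.0.11 255.255.255.255
!
ip access-list extended MGMT-IN
 permit tcp 10.10.5.0 0.0.0.255 any eq 22
 deny ip any any log
!
ip ssh source-interface Loopback0
line vty 0 4
 access-class MGMT-IN in
"""
CURRENT_CONFIG = """\
interface Loopback0
 ip address 10.10.5.77 255.255.255.255
!
ip access-list extended MGMT-IN
 permit tcp 10.10.5.0 0.0.0.255 any eq 22
 permit tcp host 10.255.0.11 any eq 22
 deny ip any any log
!
ip ssh source-interface Loopback0
line vty 0 4
 access-class MGMT-IN in
"""

# Constructed sshd syslog lines from a downstream router (not from the report).
SAMPLE_AUTH_LOG = """\
Feb 12 03:14:07 core-rtr02 sshd[2201]: Accepted publickey for root from 10.255.0.11 port 51234 ssh2: ED25519 SHA256:placeholder
Feb 12 03:15:40 core-rtr02 sshd[2230]: Accepted password for netops from 10.10.5.20 port 49222 ssh2
Feb 12 03:16:02 core-rtr02 sshd[2244]: Failed password for admin from 203.0.113.9 port 40001 ssh2
Feb 12 03:17:55 core-rtr02 sshd[2260]: Accepted publickey for root from 198.51.100.7 port 50010 ssh2: RSA SHA256:placeholder
"""

# Assumed environment: device SSH is only expected from the jump-host subnet.
JUMP_HOSTS = [ipaddress.ip_network("10.10.5.0/24")]
DEVICE_LOOPBACKS = ipaddress.ip_network("10.255.0.0/24")

def parse_control_points(config: str):
    """Loopback addresses and ACL entries, the two things the actor changed."""
    loopbacks, acls = {}, {}
    current_if = current_acl = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # top-level line starts a new stanza
            current_if = current_acl = None
            m = re.match(r"^interface (Loopback\d+)$", line)
            if m:
                current_if = m[1]
            m = re.match(r"^ip access-list (?:standard|extended) (\S+)$", line)
            if m:
                current_acl = m[1]
                acls[current_acl] = []
            continue
        if current_if:
            m = re.match(r"^ ip address (\S+) \S+$", line)
            if m:
                loopbacks[current_if] = m[1]
        elif current_acl:
            acls[current_acl].append(line.strip())
    return loopbacks, acls

def diff_control_points(baseline: str, current: str) -> list[tuple]:
    """(kind, name, before, after) for every loopback or ACL change since the baseline."""
    b_lo, b_acl = parse_control_points(baseline)
    c_lo, c_acl = parse_control_points(current)
    changes = []
    for name in sorted(set(b_lo) | set(c_lo)):
        if b_lo.get(name) != c_lo.get(name):
            changes.append(("loopback", name, b_lo.get(name), c_lo.get(name)))
    for name in sorted(set(b_acl) | set(c_acl)):
        before, after = b_acl.get(name, []), c_acl.get(name, [])
        changes += [("acl-added", name, None, e) for e in after if e not in before]
        changes += [("acl-removed", name, e, None) for e in before if e not in after]
    return changes

ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")

def audit_ssh_sources(log: str, jump_hosts=JUMP_HOSTS, loopbacks=DEVICE_LOOPBACKS) -> list[dict]:
    """Accepted SSH logins whose source is not an approved jump host."""
    findings = []
    for line in log.splitlines():
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in jump_hosts):
            continue
        reason = ("device-to-device hop sourced from a loopback address" if src in loopbacks
                  else "source outside the management allowlist")
        findings.append({"user": m["user"], "src": str(src), "method": m["method"], "reason": reason})
    return findings

if __name__ == "__main__":
    for change in diff_control_points(BASELINE_CONFIG, CURRENT_CONFIG):
        print("config drift:", change)
    for f in audit_ssh_sources(SAMPLE_AUTH_LOG):
        print("ssh:", f)
```

Two design points follow from the technique. First, an ACL that permits a management subnet cannot distinguish a jump host from a switch whose loopback has been renumbered into that subnet, so the loopback and ACL diff is the detection that actually fires first. Second, device-to-device SSH should be rare enough to alert on outright; if it is routine in your environment, restrict `ip ssh source-interface` to a dedicated, monitored address and alert on any change to it.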

Software

ID Name References Techniques
S1206 JumbledPath (Citation: Cisco Salt Typhoon FEB 2025) Clear Linux or Mac System Logs, Network Sniffing, Multi-Stage Channels, Hide Infrastructure, Archive Collected Data, Impair Defenses
